> Correlation object

> Correlation object

The following objects are directly related to the correlation API.

Correlation

The correlation object has the following properties.

Property	Type	Description
correlationid	string	ID of the correlation. Property behavior: - read-only - required for update operations
name	string	Name of the correlation. Property behavior: - required for create operations
description	string	Description of the correlation.
status	integer	Whether the correlation is enabled or disabled. Possible values: 0 - (default) enabled; 1 - disabled.

Correlation operation

The correlation operation object defines an operation that will be performed when a correlation is executed. It has the following properties.

Property	Type	Description
type	integer	Type of operation. Possible values: 0 - close old events; 1 - close new event. Property behavior: - required

Correlation filter

The correlation filter object defines a set of conditions that must be met to perform the configured correlation operations. It has the following properties.

Property	Type	Description
evaltype	integer	Filter condition evaluation method. Possible values: 0 - and/or; 1 - and; 2 - or; 3 - custom expression. Property behavior: - required
conditions	array	Set of filter conditions to use for filtering results. Property behavior: - required
eval_formula	string	Generated expression that will be used for evaluating filter conditions. The expression contains IDs that reference specific filter conditions by its `formulaid`. The value of `eval_formula` is equal to the value of `formula` for filters with a custom expression. Property behavior: - read-only
formula	string	User-defined expression to be used for evaluating conditions of filters with a custom expression. The expression must contain IDs that reference specific filter conditions by its `formulaid`. The IDs used in the expression must exactly match the ones defined in the filter conditions: no condition can remain unused or omitted. Property behavior: - required if `evaltype` is set to “custom expression”

Correlation filter condition

The correlation filter condition object defines a specific condition that must be checked before running the correlation operations.

Property	Type	Description
type	integer	Type of condition. Possible values: 0 - old event tag; 1 - new event tag; 2 - new event host group; 3 - event tag pair; 4 - old event tag value; 5 - new event tag value. Property behavior: - required
tag	string	Event tag (old or new). Property behavior: - required if `type` is set to “old event tag”, “new event tag”, “old event tag value”, or “new event tag value”
groupid	string	Host group ID. Property behavior: - required if `type` is set to “new event host group”
oldtag	string	Old event tag. Property behavior: - required if `type` is set to “event tag pair”
newtag	string	Old event tag. Property behavior: - required if `type` is set to “event tag pair”
value	string	Event tag (old or new) value. Property behavior: - required if `type` is set to “old event tag value” or “new event tag value”
formulaid	string	Arbitrary unique ID that is used to reference the condition from a custom expression. Can only contain capital-case letters. The ID must be defined by the user when modifying filter conditions, but will be generated anew when requesting them afterward.
operator	integer	Condition operator. Property behavior: - required if `type` is set to “new event host group”, “old event tag value”, or “new event tag value”

To better understand how to use filters with various types of expressions, see examples on the correlation.get and correlation.create method pages.

The following operators and values are supported for each condition type.

Condition	Condition name	Supported operators	Expected value
2	Host group	=, <>	Host group ID.
4	Old event tag value	=, <>, like, not like	string
5	New event tag value	=, <>, like, not like	string