Use case example:
We want to monitor in real time whether a user has sent more than 100 MB via email in the last 24 hours.

How it will work:
We will create a data monitor that collects the information over the last X time window and sums the quantity.
After that, we will create a rule that uses the audit events of the data monitor to check whether the value exceeds a specific threshold.
Step 1: Create a Data Monitor
Create a new Data Monitor, and choose the data monitor type: “Top Value Counts”.
Set the following preferences:
- Value Field – the field we need to sum (bytes out).
- Send Audit Events – set to true. It will generate an audit event after any change.
- Top entries – be aware: only the top entries will be audited.
Step 2: Create Filter
- Create a new filter with the following condition:
- Under Generator choose your Data Monitor resource.
- Exclude “others” from Device Custom String 1 – “others” is the sum of all the entries that are not in the Top entries.
Step 3: Create Rule
- Create a new Rule and add the filter from the previous step.
- Device Custom String 1 is the aggregated field value (you can add it under the Aggregation tab).
- Device Custom Number 1 is the total value; you can use it in the condition, for example a user printing more than millions of pages, etc.
- Add your own action.
And you're done.
The rule will fire once a user (or your custom field) passes your threshold within the time frame that you set in the data monitor.
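As an added illustration (not from the original post and not ArcSight's own code), the following Python models what the three steps do: a Top Value Counts data monitor that sums bytes out per sender over the window, the filter that drops “others”, and the rule condition on the total. The keys cs1/cn1 stand in for Device Custom String 1 / Device Custom Number 1, and the event list is constructed sample data; it also shows why the Top entries setting matters.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024
WINDOW = timedelta(hours=24)     # time frame set on the data monitor
TOP_N = 3                        # "Top entries" setting of the data monitor
THRESHOLD = 100 * MB             # rule condition: more than 100 MB sent

def top_value_counts(events, now, top_n=TOP_N, window=WINDOW):
    """Model of a 'Top Value Counts' data monitor (assumed behaviour, not
    ArcSight's implementation): sum bytes_out per sender inside the window,
    audit the top_n entries, and collapse everything else into 'others'."""
    totals = defaultdict(int)
    for ts, sender, bytes_out in events:
        if now - window < ts <= now:          # only events inside the window
            totals[sender] += bytes_out
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    audit = [{"cs1": s, "cn1": b} for s, b in ranked[:top_n]]
    rest = sum(b for _, b in ranked[top_n:])  # entries below the top N
    if rest:
        audit.append({"cs1": "others", "cn1": rest})
    return audit

def rule_matches(audit_events, threshold=THRESHOLD):
    """Step 2 filter (exclude 'others') plus Step 3 condition (cn1 > threshold).
    Returns the senders the rule would fire on."""
    return [e["cs1"] for e in audit_events
            if e["cs1"] != "others" and e["cn1"] > threshold]

# Constructed sample events: (timestamp, sender, bytes out)
NOW = datetime(2024, 1, 2, 12, 0)
EVENTS = [
    (NOW - timedelta(hours=1), "alice", 60 * MB),
    (NOW - timedelta(hours=2), "alice", 50 * MB),    # alice: 110 MB in window
    (NOW - timedelta(hours=3), "bob", 105 * MB),     # bob: 105 MB in window
    (NOW - timedelta(hours=4), "carol", 20 * MB),
    (NOW - timedelta(hours=30), "alice", 200 * MB),  # outside the 24h window
] + [(NOW - timedelta(minutes=i), f"user{i}", 2 * MB) for i in range(60)]
# the 60 small senders add up to 120 MB, but only as the 'others' bucket

if __name__ == "__main__":
    for top_n in (TOP_N, 1):
        audit = top_value_counts(EVENTS, NOW, top_n=top_n)
        print(f"top_n={top_n}: audit={audit} fires on {rule_matches(audit)}")
```

With Top entries = 3 the rule fires on alice and bob; with Top entries = 1, bob disappears into “others” and is never audited, which is the caveat from Step 1.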
Ofek Sher,
Author