Reset counter in Kapacitor when no event received

Hello,
I would like to use Kapacitor to count failed login attempts (which are logged events that we can capture with Telegraf). Then, if there are 4 events within a period of, let's say, 1 minute for the same account, send an email warning.

I got this partly working, with the code below:

|eval(lambda: "account")
    .as('account')
    .tags('account')
|groupBy('account')
|stateCount(lambda: TRUE)
    .as('number_of_failed_attempts')

data
|alert()
    .noRecoveries()
    .stateChangesOnly()
    .warn(lambda: "number_of_failed_attempts" >= failed_login_email_threshold)
    .message('Number of failed login attempt warning')

But how can I reset the counter number_of_failed_attempts? I would like to reset it if there is no event arriving within X minutes from the last event.

I tried with window() and deadman() but to no good outcome yet.

Any help would be appreciated.

Menno Bot

Was able to implement the required functionality. Posting it here if this may help somebody else, as I find TICK tricky!

The windowing was done by:
|stateCount(lambda: TRUE)
    .as('number_of_failed_attempts')
|barrier()
    .idle(barrier_period)
    .delete(TRUE)
|window()
    .align()
    .period(failed_login_observation_period)
    .every(failed_login_observation_period)
The usage of the barrier with the window is key.

And the reset of the counter was done after sending the email:
|eval(lambda: "number_of_failed_attempts" - "number_of_failed_attempts")
    .as('number_of_failed_attempts')
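
The counting behaviour this thread is after (a per-account counter that resets when no event arrives within the idle period, and again after the warning is sent), modeled in Python as an added example; it is not Kapacitor code and not from the posts above. The parameter names reuse the thread's variables, while their values and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta


def _t(clock):
    """Build a timestamp on a constructed sample day."""
    return datetime.fromisoformat("2024-01-01T" + clock)


# Constructed sample events (timestamp, account), sorted by time.
SAMPLE_EVENTS = [
    (_t("10:00:00"), "alice"), (_t("10:00:05"), "bob"),
    (_t("10:00:10"), "alice"), (_t("10:00:15"), "bob"),
    (_t("10:00:20"), "alice"), (_t("10:00:25"), "bob"),
    (_t("10:00:30"), "alice"),  # alice's 4th failure in a row
    (_t("10:00:40"), "alice"),  # counted from 1 again after the warning
    (_t("10:05:00"), "bob"),    # bob's 4th failure, but after a long idle gap
]


def failed_login_alerts(events, failed_login_email_threshold=4,
                        barrier_period=timedelta(minutes=1)):
    """Return [(timestamp, account)] for every warning that would be sent.

    events must be sorted by timestamp. Values are assumptions, not the
    thread's settings.
    """
    counters = {}  # account -> (count, time of last event)
    alerts = []
    for ts, account in events:
        count, last_seen = counters.get(account, (0, None))
        # Idle reset: nothing arrived for this account within barrier_period.
        if last_seen is not None and ts - last_seen > barrier_period:
            count = 0
        count += 1
        if count >= failed_login_email_threshold:
            alerts.append((ts, account))
            count = 0  # reset after the warning, as in the second post
        counters[account] = (count, ts)
    return alerts


if __name__ == "__main__":
    for ts, account in failed_login_alerts(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} warning: repeated failed logins for {account}")
```

Running the same events with a very large `barrier_period` shows what the idle reset prevents: bob's isolated failure at 10:05:00 would then complete a count of four and trigger a warning.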