Peter,
Is it ok to assume that the value of an event for an exceeded threshold is the highest value obtained before handling the event?
For example, for a threshold of 5000 fps, I get the following value: "value": 5236.811646006986,

{
  "eventID": 2,
  "agent": "XXX.XXX.XXX.XXX",
  "metric": "ddos_protect_icmp_flood",
  "values": [
    1,
    28
  ],
  "threshold": 5000,
  "flowKey": "YYY.YYY.YYY.YYY,local,8",
  "thresholdID": "ddos_protect_icmp_flood",
  "dataSource": "548",
  "value": 5236.811646006986,
  "timestamp": 1605112319525
},

Regards,
Gaston