There are two approaches you might consider:
1. Create a separate flow definition for each host group and apply a threshold to each flow definition. This works if you have a small number of host groups you want to apply thresholds to.
2. Have a single flow definition, include the group as part of the flow key, and then set a number of thresholds on that flow definition. This scales well if you have a large number of host groups (e.g. host group per customer) and a small number of thresholds (e.g. small, medium, large).
Examples of the two approaches are given below. See Writing Applications for information on sFlow-RT APIs.
1. Separate Flow Definitions
// Approach 1: one flow definition and one threshold per host group.

// Named address groups. 0.0.0.0/0 covers every IPv4 address, so it overlaps
// the private ranges listed under "internal".
// NOTE(review): presumably the more specific prefix wins when both match - confirm.
var groups = {
  external: ['0.0.0.0/0'],
  internal: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
};
setGroups('host_groups', groups);

// One flow per group, named after the group. Each flow is keyed on destination
// address, measures bytes, and is filtered to destinations in that group.
// 'ipdestination' is an IPv4 key, so IPv6 traffic is not covered by these
// flows; it would need its own definition (e.g. keyed on ip6destination).
['internal', 'external'].forEach(function (groupName) {
  setFlow(groupName, {
    keys: 'ipdestination',
    value: 'bytes',
    filter: 'group:ipdestination:host_groups=' + groupName
  });
});

// One threshold per flow, sharing the flow's name. byFlow:true is set so the
// threshold is applied to each flow key (each destination) individually.
[['internal', 10000], ['external', 20000]].forEach(function (entry) {
  var thresholdName = entry[0];
  var limit = entry[1];
  setThreshold(thresholdName, { metric: thresholdName, value: limit, byFlow: true });
});

// Log every event raised by either threshold as a JSON string.
setEventHandler(function (evt) {
  return logInfo(JSON.stringify(evt));
}, ['internal', 'external']);
2. Single Flow Definition
// Approach 2: a single flow definition with the host group in the flow key.

// Named address groups. 0.0.0.0/0 covers every IPv4 address, so it overlaps
// the private ranges listed under "internal".
// NOTE(review): presumably the more specific prefix wins when both match - confirm.
var groups = {
  external: ['0.0.0.0/0'],
  internal: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
};
setGroups('host_groups', groups);

// A single flow keyed on destination address plus the group that address
// falls in, so the group name is part of each flow key.
// 'ipdestination' is an IPv4 key, so IPv6 traffic is not covered by this flow.
setFlow('grouped', {
  keys: ['ipdestination', 'group:ipdestination:host_groups'].join(','),
  value: 'bytes'
});

// Three threshold levels on the same 'grouped' metric. Nothing in this snippet
// ties a level to a particular group.
// NOTE(review): presumably the handler picks the relevant level using the
// group in the flow key - confirm.
[['small', 10000], ['medium', 20000], ['large', 50000]].forEach(function (entry) {
  setThreshold(entry[0], { metric: 'grouped', value: entry[1], byFlow: true });
});

// Log every event raised by any of the three thresholds as a JSON string.
setEventHandler(function (evt) {
  return logInfo(JSON.stringify(evt));
}, ['small', 'medium', 'large']);