Count Unique Events Filter

Definition

Description

If an event matches Condition, then for each unique value of FieldName, perform ActionList when the count reaches Threshold within TimeInterval.

Comments

Unique counter and timer instances are generated for each unique value of the first FieldName. The TimeInterval starts when the first event arrives.

Each time the Threshold count is reached during the TimeInterval, the specified action list is executed and the counter and timer are reset for that instance.

If the TimeInterval expires before the Threshold is reached, both the counter and timer are reset for that instance.

If Threshold is empty, missing, blank or less than or equal to zero, the filter is disabled.

If TimeInterval is empty, missing, blank or less than or equal to zero, it defaults to the length of the ECS session.

If FieldName is empty, missing or blank, its value is set to "".

Example

<filter objectId="Filter.CountUniqueEvent" type="CountUniqueEventFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
	</parameter>
	<parameter type="FieldName">ev:uniqueId</parameter>
	<parameter type="Threshold">5</parameter>
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg3">
				<type>String</type> 
				<formatString>this is %1% and %2%</formatString>
				<formatParmSpec>
					<type>EventType</type>
					<name>ev:msg</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>
</filter>
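
The counter and timer rules from the Comments section, modelled in Python as an added example; this is not the product's code, and the class and function names are hypothetical. It uses the Threshold (5) and TimeInterval (10 min) from the XML above on constructed events. Assumptions: events passed in already match Condition, expiry is checked when the next event for a value arrives (at elapsed >= interval), a non-positive TimeInterval is modelled as no expiry, and a blank FieldName puts all events under the single value "".

```python
import math

class CountUniqueEvents:
    """Model of the per-value counter/timer behaviour described in Comments."""

    def __init__(self, field_name, threshold, interval_s):
        self.field = field_name or ""            # blank FieldName becomes ""
        self.threshold = threshold if threshold and threshold > 0 else None
        # Non-positive TimeInterval: session length, modelled here as no expiry
        self.interval = interval_s if interval_s and interval_s > 0 else math.inf
        self.state = {}                          # field value -> (timer start, count)

    def feed(self, ts, event):
        """Return True when ActionList would run for this event."""
        if self.threshold is None:               # Threshold <= 0: filter disabled
            return False
        key = event.get(self.field, "")
        start, count = self.state.get(key, (ts, 0))   # first event starts the timer
        if ts - start >= self.interval:          # assumption: expired at >= interval
            start, count = ts, 0                 # reset; this event opens a new window
        count += 1
        if count >= self.threshold:
            self.state.pop(key, None)            # action runs; counter and timer reset
            return True
        self.state[key] = (start, count)
        return False


def run(filter_, events):
    """Feed (timestamp_seconds, event) pairs in order; return those that trigger."""
    return [(ts, ev) for ts, ev in events if filter_.feed(ts, ev)]


# Constructed sample events, ordered by timestamp (seconds).
SAMPLE = sorted(
    [(t, {"ev:uniqueId": "A"}) for t in (0, 60, 120, 180, 240)]         # 5 in 4 min
    + [(t, {"ev:uniqueId": "A"}) for t in (300, 310, 320, 330, 340)]    # fresh window
    + [(t, {"ev:uniqueId": "B"}) for t in (0, 400, 450, 500, 650, 700)],
    key=lambda pair: pair[0],
)

if __name__ == "__main__":
    for ts, ev in run(CountUniqueEvents("ev:uniqueId", 5, 600), SAMPLE):
        print(ts, ev["ev:uniqueId"])
```

In the sample, value B never triggers even though five of its events fall within a five-minute span: its timer is anchored to the first event at t=0 and resets at expiry, so the burst is split across two windows.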