Detect Incomplete Sequence Filter

Definition

Description

If events match Condition and start, but do not complete, the ConditionList sequence within TimeInterval, perform the first ActionList if the sequence is broken and the second ActionList if the time period expires.
MustNeedNot controls whether the sequence of events must be consecutive.

Comments

Only events matching the main Condition are considered by the filter.

Events must arrive such that conditions in the sequence are satisfied in order. Each event may only satisfy one Condition at a time.

Once a sequence has been completed, the time period and condition sequence are reset.

If the sequence is to be consecutive, then the next event must satisfy the next Condition, or the sequence and timer are reset.

If the sequence is not required to be consecutive, other events that don't match the next Condition are allowed.

If the TimeInterval is exceeded, the timer and the sequence are reset.

The TimeInterval starts when the first event arrives.

An empty or missing ConditionList will disable the filter.

If the TimeInterval is zero, empty, blank, or missing, it defaults to the duration of the ECS process session.

An empty or missing MustNeedNot defaults to "NeedNot".
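The rules above describe a small state machine. The following Python simulation is an added illustration, not code from this page or from the ECS product, and it makes a few assumptions the page leaves open: expiry is detected when the next considered event arrives (a real filter would use its own timer), an event that breaks a consecutive sequence is not reused as the start of a new one, and a time_interval of None stands for "the whole session". The event records and the conditions (host not "bozo", message contains a string) are constructed to mirror the page's example; two runs show how the same event stream yields "broken" under Must but "completed" under NeedNot, and how the 10-minute interval expires either way.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical simulation of DetectIncompleteSequence semantics; not the ECS implementation.
Event = Dict[str, object]
Condition = Callable[[Event], bool]


@dataclass
class IncompleteSequenceDetector:
    main_condition: Condition          # only events passing this are considered at all
    sequence: List[Condition]          # ordered ConditionList; empty list disables the filter
    time_interval: Optional[float]     # seconds; None = whole ECS session (never expires)
    must: bool = False                 # True = "Must" (consecutive), False = "NeedNot"
    _pos: int = 0                      # index of the next condition to satisfy
    _start: Optional[float] = None     # timestamp of the event that started the sequence

    def _reset(self) -> None:
        self._pos = 0
        self._start = None

    def feed(self, event: Event) -> List[str]:
        """Process one event; return the outcomes it triggered: "expired", "broken", "completed"."""
        fired: List[str] = []
        if not self.sequence or not self.main_condition(event):
            return fired                              # filter disabled, or event not considered
        ts = float(event["ts"])
        # Assumption: expiry is noticed on arrival of the next considered event.
        if (self._start is not None and self.time_interval is not None
                and ts - self._start > self.time_interval):
            self._reset()                             # timer and sequence reset on expiry
            fired.append("expired")
        if self._pos == 0:
            if self.sequence[0](event):               # first condition starts the timer
                self._start, self._pos = ts, 1
        elif self.sequence[self._pos](event):         # satisfies exactly the next condition
            self._pos += 1
        elif self.must:                               # consecutive mode: any other event breaks it
            self._reset()                             # assumption: breaking event is not reused
            fired.append("broken")
        # NeedNot mode: events not matching the next condition are simply skipped.
        if self._pos == len(self.sequence):           # whole sequence seen: reset timer and position
            self._reset()
            fired.append("completed")
        return fired


# Constructed event stream (timestamps in seconds); host "bozo" is filtered out by the main condition.
EVENTS: List[Event] = [
    {"ts": 0,   "host": "web1", "msg": "login ok"},      # starts the sequence
    {"ts": 30,  "host": "web1", "msg": "read file"},     # breaks it under Must, ignored under NeedNot
    {"ts": 60,  "host": "web1", "msg": "delete file"},   # second condition
    {"ts": 90,  "host": "bozo", "msg": "logout"},        # not considered (ev:host neq bozo fails)
    {"ts": 120, "host": "web1", "msg": "logout"},        # third condition: completes under NeedNot
    {"ts": 200, "host": "web1", "msg": "login ok"},      # a new sequence starts
    {"ts": 900, "host": "web1", "msg": "delete file"},   # 700 s later: the 10-minute interval expired
]


def run_demo(must: bool) -> List[str]:
    """Feed the constructed stream through a three-step sequence and collect the outcomes."""
    det = IncompleteSequenceDetector(
        main_condition=lambda e: e["host"] != "bozo",
        sequence=[
            lambda e: "login" in str(e["msg"]),
            lambda e: "delete" in str(e["msg"]),
            lambda e: "logout" in str(e["msg"]),
        ],
        time_interval=10 * 60,
        must=must,
    )
    outcomes: List[str] = []
    for ev in EVENTS:
        outcomes.extend(det.feed(ev))
    return outcomes


if __name__ == "__main__":
    print("NeedNot:", run_demo(must=False))   # ['completed', 'expired']
    print("Must:   ", run_demo(must=True))    # ['broken', 'expired']
```

The detector only ever tests the single next condition, which is what "each event may only satisfy one Condition at a time" amounts to in practice; a production filter would additionally fire the expired ActionList from a timer callback rather than waiting for another event.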


Example

<filter objectId="Filter.DetectIncompleteSequence" type="DetectIncompleteSequenceFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
		<conditionSpec>			<!-- changed name from "condition" -->
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>bozo</value>
		</conditionSpec>
	</parameter>
	<parameter type="ConditionWeightList">
		<condition weight="1.3345">			<!-- 0..N of these in an ordered list -->
			<negatePrimaryCondition>false</negatePrimaryCondition>
			<conditionRelation>All</conditionRelation>
			<conditionSpec>			<!-- changed name from "condition" -->
				<negate>false</negate>
				<fieldName>ev:msg</fieldName>
				<operator>containsString</operator>
				<valueType>string</valueType>
				<value>delete</value>
			</conditionSpec>
		</condition>
	</parameter>
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
	<parameter type="ActionList">			<!-- do this if the sequence is broken -->
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg2">
				<type>String</type>
				<formatString>sequence broken for %1%</formatString>
				<formatParmSpec>
					<type>EventType</type>
					<name>ev:msg</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>
	<parameter type="ActionList">			<!-- do this if the sequence expired -->
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg">
				<type>String</type>
				<formatString>broken seq expired for %1%</formatString>
				<formatParmSpec>
					<type>EventType</type>
					<name>ev:alarm</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>
	<parameter type="MustNeedNot">Must</parameter>
</filter>