Detect Unique Incomplete Sequence Filter

Definition

Description

If events match Condition and start, but do not complete, the ConditionList sequence for a unique value of FieldName within TimeInterval, perform the first ActionList if the sequence is broken and the second ActionList if the time period expires.
MustNeedNot controls whether the sequence of events has to be consecutive.

Comments

Unique timer and condition sequence instances are generated for each unique value of FieldName.

Only events matching the main Condition are considered by the filter.

Events must arrive such that conditions in the sequence are satisfied in order. Each event may only satisfy one Condition at a time.

Once a sequence has been completed, the time period and condition sequence for that unique instance are reset.

If the sequence is to be consecutive, then the next event must satisfy the next condition, or the sequence and timer are reset for that unique instance.

If the sequence is not required to be consecutive, other events that don't match the next condition are allowed.

The TimeInterval for a unique instance starts when its first event arrives. If it expires before the sequence is completed, the timer and condition sequence for that unique instance are reset.

An empty or missing ConditionList will disable the filter.

If TimeInterval is zero, empty, missing or blank, it defaults to the duration of the ECS process session.

If FieldName is empty, missing or blank, its value is treated as the empty string "".

An empty or missing MustNeedNot defaults to "NeedNot".


Example

<filter objectId="Filter.DetectUniqueIncomplSequence" type="DetectUniqueIncompleteSequenceFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
		<conditionSpec>
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>bozo</value>
		</conditionSpec>
	</parameter>
	<parameter type="ConditionWeightList">
		<condition weight="1.3345" >   <!-- 0..N of these in an ordered list -->
			<negatePrimaryCondition>false</negatePrimaryCondition>
			<conditionRelation>All</conditionRelation>
			<conditionSpec>        <!-- changed name from "condition" -->
				<negate>false</negate>
				<fieldName>ev:msg</fieldName>
				<operator>containsString</operator>
				<valueType>string</valueType>
				<value>delete</value>
			</conditionSpec>
		</condition>
	</parameter>
	<parameter type="FieldName">ev:uniqueId</parameter>
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:app">
				<type>String</type>
				<formatString>sequence broken for %1%</formatString>
				<formatParmSpec>
					<type>EventType</type>
					<name>ev:msg</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg">
				<type>String</type>
				<formatString>broken sequence expired for %2%</formatString>
				<formatParmSpec>
					<type>EventType</type>
					<name>ev:alarm</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>
	<parameter type="MustNeedNot">Must</parameter>
</filter>
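The per-instance behaviour described in the Comments above, modelled as an added Python example (not ECS code). It assumes conditions are plain predicates over a dict-shaped event and that the timer is driven by a caller-supplied clock; the constructed stream in demo() mirrors the XML example's main Condition (ev:host not equal to "bozo") and FieldName (ev:uniqueId) with a two-step "login" then "delete" ConditionList, so that the Must and NeedNot outcomes can be compared.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class _Instance:
    start: float  # arrival time of the event that began this unique instance
    pos: int      # index of the next ConditionList entry still to be satisfied

class DetectUniqueIncompleteSequence:
    def __init__(self, condition: Callable[[dict], bool], condition_list: List[Callable[[dict], bool]],
                 field_name: str, time_interval: float, must: bool = False):
        self.condition, self.seq, self.field_name = condition, condition_list, field_name
        self.interval, self.must = time_interval, must
        self.instances: Dict[str, _Instance] = {}   # one timer/sequence per FieldName value
        self.broken: List[str] = []   # keys for which the first ActionList would fire
        self.expired: List[str] = []  # keys for which the second ActionList would fire
    def tick(self, now: float) -> None:  # timer expiry; interval 0 means "whole session"
        for key, inst in list(self.instances.items()):
            if self.interval and now - inst.start > self.interval:
                self.expired.append(key)
                del self.instances[key]
    def feed(self, event: dict, now: float) -> None:
        self.tick(now)
        if not self.seq or not self.condition(event):  # only main-Condition matches count
            return
        inst = self.instances.get(key := str(event.get(self.field_name, "")))
        if inst is None:                               # nothing in flight for this key
            if not self.seq[0](event):
                return
            inst = _Instance(start=now, pos=1)         # TimeInterval starts here
        elif self.seq[inst.pos](event):                # next condition satisfied, in order
            inst.pos += 1
        elif self.must:                                # Must: a non-matching event breaks it
            self.broken.append(key)
            del self.instances[key]
            return                                     # NeedNot instead lets it pass untouched
        if inst.pos == len(self.seq):
            self.instances.pop(key, None)              # completed: timer and sequence reset
        else:
            self.instances[key] = inst

def demo(must: bool):
    """Constructed stream; main Condition host != "bozo", key ev:uniqueId, 600 s window."""
    f = DetectUniqueIncompleteSequence(lambda e: e["ev:host"] != "bozo",
        [lambda e: "login" in e["ev:msg"], lambda e: "delete" in e["ev:msg"]],
        "ev:uniqueId", 600, must)
    for t, uid, msg in [(0, "u1", "login"), (0, "u2", "login"), (5, "u1", "read"),
                        (9, "u1", "delete"), (700, "u2", "delete")]:
        f.feed({"ev:host": "h1", "ev:uniqueId": uid, "ev:msg": msg}, t)
    return f.broken, f.expired, sorted(f.instances)
```

With Must, u1's "read" event breaks its sequence and u2 expires; with NeedNot, u1's "read" is allowed through and its later "delete" completes the sequence, so only u2 expires.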