Discard Redundant Events Filter

Definition

Description

If events match Condition, discard any redundant events after passing the first Threshold events within TimeInterval.
Events are considered redundant if they have the same value in FieldName.
Perform ActionList when the event flow is stopped.
Perform ActionList when the event flow is restarted.
Perform ActionList when an event is discarded.

Comments

If Threshold or TimeInterval are empty, missing, blank or less than or equal to zero, the filter is disabled and events simply pass through.

When TimeInterval expires, the count and threshold are reset, and events are allowed to pass again.

The TimeInterval starts when the first event arrives.

If FieldName is empty, missing or blank, set its value to "".

Example

<filter objectId="Filter.DiscardRedundantEvents" type="DiscardRedundantEventsFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
		<conditionSpec>        <!-changed name from "condition" -->
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>bozo</value>
		</conditionSpec>
	</parameter>
	<parameter type="FieldName">ev:uniqueId</parameter>
	<parameter type="Threshold">33</parameter>
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg">
				<type>String</type>
				<formatString>redundant event %1%, %2%</formatString>
				<formatParmSpec>    
					<type>EventType</type>
					<name>ev:host</name>
				</formatParmSpec>
				<formatParmSpec>
					<type>EventType</type>
					<name>ev:app</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>	
	<parameter type="ActionList"> 
	</parameter>	
</filter>