Match Sequence Filter

Definition

Description

If events matching Condition complete the ConditionList sequence, in order, within TimeInterval, perform ActionList.
Whether the sequence of events must be consecutive is controlled by MustNeedNot (Must or NeedNot).

Comments

Only events matching the main Condition are considered by the filter.

Events must arrive such that conditions in the sequence are satisfied in order. Each event may only satisfy one condition at a time.

Once a sequence has been completed, the time period and condition sequence are reset.

The TimeInterval starts when the first event arrives.

If the sequence of events must be consecutive (Must), then the next event must satisfy the next condition, or the sequence and timer are reset. Otherwise (NeedNot), events that do not match the next condition are allowed in between and do not affect the sequence.

If the TimeInterval is exceeded, the timer and the sequence are reset.

An empty or missing ConditionList will disable the filter.

If the TimeInterval is zero, empty, or missing then the TimeInterval will be the duration of the ECS process session.

An empty or missing MustNeedNot defaults to "NeedNot".
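
The rules above, modelled in Python as an added example (this is not the ECS implementation): a two-step sequence ("login" then "delete"), the main Condition from the page's example (ev:host not equal to bozo), a 10-minute TimeInterval, and both MustNeedNot settings run over a constructed event stream. It assumes the timer starts with the first event that satisfies the first sequence condition, and that an event which breaks a "Must" sequence may itself start a new one.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

Event = Dict[str, Any]  # constructed event: {"ts": seconds, "host": ..., "msg": ...}

@dataclass
class MatchSequenceFilter:
    condition: Callable[[Event], bool]             # main Condition: only matching events are considered
    condition_list: List[Callable[[Event], bool]]  # ordered conditions; empty disables the filter
    time_interval: Optional[float]                 # seconds; None models zero/missing = whole session
    must: bool = False                             # MustNeedNot: True = "Must", False = "NeedNot"
    _idx: int = field(default=0, init=False)       # index of the next condition to satisfy
    _start: Optional[float] = field(default=None, init=False)  # timestamp that started the timer

    def _reset(self) -> None:
        self._idx, self._start = 0, None

    def feed(self, ev: Event) -> bool:
        """Return True when this event completes the sequence (the ActionList would run)."""
        if not self.condition_list or not self.condition(ev):
            return False
        if self._start is not None and self.time_interval is not None \
                and ev["ts"] - self._start > self.time_interval:
            self._reset()  # TimeInterval exceeded: timer and sequence reset
        if self.must and self._idx > 0 and not self.condition_list[self._idx](ev):
            self._reset()  # "Must": a non-matching event breaks the sequence (assumed: it may start a new one)
        if self.condition_list[self._idx](ev):  # an event satisfies at most one condition
            if self._idx == 0:
                self._start = ev["ts"]  # assumed: timer starts with the first event of the sequence
            self._idx += 1
        if self._idx == len(self.condition_list):
            self._reset()  # sequence completed: time period and sequence reset
            return True
        return False

def run(events: List[Event], must: bool, interval: Optional[float] = 600.0) -> List[float]:
    # Feed events through a filter using the page's main Condition; return the timestamps at which it fires.
    f = MatchSequenceFilter(
        condition=lambda e: e["host"] != "bozo",
        condition_list=[lambda e: "login" in e["msg"], lambda e: "delete" in e["msg"]],
        time_interval=interval, must=must)
    return [e["ts"] for e in events if f.feed(e)]

EVENTS: List[Event] = [  # constructed sample stream (10 min = 600 s interval)
    {"ts": 0, "host": "web1", "msg": "login ok"},
    {"ts": 30, "host": "bozo", "msg": "delete all"},     # not considered: fails main Condition
    {"ts": 60, "host": "web1", "msg": "read file"},      # breaks the sequence only under "Must"
    {"ts": 90, "host": "web1", "msg": "delete file"},    # completes it under "NeedNot" -> fires
    {"ts": 1000, "host": "web1", "msg": "login ok"},
    {"ts": 1700, "host": "web1", "msg": "delete file"},  # 700 s after login: TimeInterval exceeded
]
```

`run(EVENTS, must=False)` fires once, at 90; `run(EVENTS, must=True)` never fires, because the "read file" event breaks the first sequence and the second one exceeds the TimeInterval.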

Example

<filter objectId="Filter.MatchSequence" type="MatchSequenceFilter">
	<!-- Main Condition: only events whose ev:host is not "bozo" are considered -->
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>All</conditionRelation>
		<conditionSpec>
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>bozo</value>
		</conditionSpec>
	</parameter>
	<!-- ConditionList: the ordered sequence to complete (a single condition here) -->
	<parameter type="ConditionList">
		<condition>
			<negatePrimaryCondition>false</negatePrimaryCondition>
			<conditionRelation>All</conditionRelation>
			<conditionSpec>
				<negate>false</negate>
				<fieldName>ev:msg</fieldName>
				<operator>containsString</operator>
				<valueType>string</valueType>
				<value>delete</value>
			</conditionSpec>
		</condition>
	</parameter>
	<!-- TimeInterval: the sequence must complete within 10 minutes of its first event -->
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
	<!-- MustNeedNot: NeedNot allows non-matching events between the sequence events -->
	<parameter type="MustNeedNot">NeedNot</parameter>
	<!-- ActionList: performed when the sequence completes -->
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg3">
				<type>String</type>
				<formatString>this is %1%</formatString>
				<formatParmSpec>
					<type>EventType</type>
					<name>ev:log</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>
</filter>