Match Unique Sequence Filter

Definition

Description

If events match Condition and complete the ConditionList sequence in order for each unique value of FieldName within TimeInterval, perform ActionList.
The sequence of events MustNeedNot be consecutive.

Comments

Unique timer and condition sequence instances are generated for each unique value of FieldName.

Only events matching the main condition are considered by the filter.

Events must arrive such that conditions in the sequence are satisfied in order. Each event may only satisfy one Condition at a time.

Once a sequence has been completed, the time period and condition sequence for that unique instance are reset.

The TimeInterval starts when the first event arrives.

If the sequence is to be consecutive, then the next event must satisfy the next Condition, or the sequence and timer are reset for that unique instance.

If the sequence is not required to be consecutive, other events that don't match the next Condition are allowed.

If the TimeInterval expires before the threshold is reached, the timer and conditions sequence for that unique instance are reset.

An empty or missing ConditionList will disable the filter.

If the TimeInterval is zero, empty, or missing then it will be the duration of the ECS process session.

If FieldName is empty, missing or blank, set its value to "".

An empty or missing MustNeedNot defaults to "NeedNot".
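As an added illustration, not part of the original page or of the ECS product, the following Python models the per-instance state machine these comments describe. Event dicts with a `ts` field, the login-then-delete conditions, the `uid` key and the sample events are constructed assumptions; treating the timer as starting with the first considered event, and checking expiry when the next event arrives instead of with a real timer, are interpretations of the text.

```python
class MatchUniqueSequenceFilter:
    """Per-key state machine for the semantics listed in the Comments above.
    main_cond and conditions are callables taking an event dict; interval is the
    TimeInterval in seconds (None = whole session); must=True means "Must".
    Expiry is checked when the next event arrives rather than by a real timer."""

    def __init__(self, main_cond, key_field, conditions, interval, must=False):
        self.main_cond, self.key_field = main_cond, key_field
        self.conditions, self.interval, self.must = conditions, interval, must
        self.states = {}  # unique FieldName value -> [timer start, next condition index]

    def process(self, event):
        """Return True when this event completes the sequence for its key."""
        if not self.conditions or not self.main_cond(event):
            return False  # empty ConditionList disables; only main-condition events count
        key, now = event.get(self.key_field, ""), event["ts"]
        st = self.states.get(key)
        if st and self.interval is not None and now - st[0] > self.interval:
            st = None  # TimeInterval expired: timer and sequence reset for this instance
        if st is None:
            st = [now, 0]  # timer starts with the first considered event (assumed reading)
        if self.conditions[st[1]](event):
            st[1] += 1  # an event satisfies at most the next condition
        elif self.must:
            self.states.pop(key, None)  # consecutive mode: any other event resets
            return False
        if st[1] == len(self.conditions):
            self.states.pop(key, None)  # completed: reset timer and sequence
            return True
        self.states[key] = st
        return False

SAMPLE_EVENTS = [  # constructed sample input, not from the page; ts in seconds
    {"ts": 0, "uid": "a", "host": "h1", "msg": "login ok"},
    {"ts": 60, "uid": "b", "host": "h1", "msg": "login ok"},
    {"ts": 120, "uid": "a", "host": "h1", "msg": "password changed"},
    {"ts": 180, "uid": "a", "host": "h1", "msg": "delete file"},
    {"ts": 200, "uid": "c", "host": "bozo", "msg": "delete file"},
    {"ts": 300, "uid": "d", "host": "h2", "msg": "login ok"},
    {"ts": 310, "uid": "d", "host": "h2", "msg": "delete file"},
    {"ts": 700, "uid": "b", "host": "h1", "msg": "delete file"},
]

def completed_keys(must):
    """Run the sample through a login-then-delete sequence; return completing keys."""
    f = MatchUniqueSequenceFilter(
        main_cond=lambda e: e["host"] != "bozo",  # the XML example's ev:host neq bozo
        key_field="uid",
        conditions=[lambda e: "login" in e["msg"], lambda e: "delete" in e["msg"]],
        interval=600, must=must)  # 10 min as in the example
    return [e["uid"] for e in SAMPLE_EVENTS if f.process(e)]
```

With "NeedNot" the intervening "password changed" event for `a` is tolerated and `a` completes; with "Must" it resets `a`, and `b` never completes because its second event arrives after the 10 minute window.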

Example

<filter objectId="Filter.MatchUniqueSequence" type="MatchUniqueSequenceFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
		<conditionSpec>        <!-- changed name from "condition" -->
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>bozo</value>
		</conditionSpec>
	</parameter>
	<parameter type="FieldName">ev:uniqueId</parameter>
	<parameter type="ConditionWeightList">
		<condition weight="1.3345">   <!-- 0..N of these in an ordered list -->
			<negatePrimaryCondition>false</negatePrimaryCondition>
			<conditionRelation>All</conditionRelation>
			<conditionSpec>        <!-- changed name from "condition" -->
				<negate>false</negate>
				<fieldName>ev:msg</fieldName>
				<operator>containsString</operator>
				<valueType>string</valueType>
				<value>delete</value>
			</conditionSpec>
		</condition>
	</parameter>
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg2">
				<type>String</type>    <!-- insides of "Expression" parm -->
				<formatString>this is %1%</formatString>
				<formatParmSpec>
					<type>EventType</type>
					<name>ev:host</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>
	<parameter type="MustNeedNot">Must</parameter>
</filter>