Description
If event matches Condition, for each unique FieldName, perform ActionList if Threshold number of conditions in ConditionList have been satisfied within TimeInterval. One event CanCannot (default: Cannot) satisfy more than one condition.

Comments
Conditions are checked in the order that they are specified in the ConditionList. If a condition has already been satisfied, it is not checked again for subsequent events. If an event can only satisfy one condition, then no further conditions are checked after the first condition for that event has been satisfied.

The TimeInterval for each unique FieldName starts when the first condition for that FieldName has been met. If FieldName is missing, invalid, or empty, then the value of empty string ("") is assumed.

The ActionList has access to the following additional fields to be set in the action event, if they are specified in the Action Builder screen:

    ev:matchSet.startTime
    ev:matchSet.endTime
    ev:matchSet.threshold
    ev:matchSet.eventsProcessed - total number of events processed for each "unique" value of FieldName until the Threshold was reached
    ev:matchSet.seconds
    ev:matchSet.unique

An empty or missing ConditionList will disable the filter. An empty, missing or invalid Threshold will disable the filter. If the TimeInterval is zero, empty, or missing then it will be the duration of the ECS process session. An empty or missing CanCannot defaults to "Cannot".
<filter objectId="matchSet" type="MatchUniqueSetFilter">
  <parameter autoSetDescription="false" comments="Add comments for Condition..." description="ev:app = app1" type="Condition">
    <negatePrimaryCondition>false</negatePrimaryCondition>
    <conditionRelation>All</conditionRelation>
    <conditionSpec>
      <negate>false</negate>
      <fieldName>ev:app</fieldName>
      <operator>eq</operator>
      <valueType>string</valueType>
      <value>app1</value>
    </conditionSpec>
  </parameter>
  <parameter type="FieldName">ev:host</parameter>
  <parameter autoSetDescription="false" comments="Add comments for ActionList..." description="Action fired!" type="ActionList">
    <action autoSetDescription="false" comments="" description="Action fired!" type="NewEvent">
      <halPolicy>useCurrent</halPolicy>
      <destinationSpec>
        <type>specified</type>
        <name>SessionOut</name>
      </destinationSpec>
      <setEventFieldList>
        <setEventField autoSetDescription="true" comments="" description="Action fired!" fieldName="ev:msg">
          <type>String</type>
          <formatString>Action fired!</formatString>
        </setEventField>
      </setEventFieldList>
    </action>
  </parameter>
  <parameter type="Threshold">3</parameter>
  <parameter autoSetDescription="false" comments="Add comments for ConditionList..." description="log1, log2, log3" type="ConditionList">
    <condition autoSetDescription="" comments="" description="ev:log=log1">
      <negatePrimaryCondition>false</negatePrimaryCondition>
      <conditionRelation>All</conditionRelation>
      <conditionSpec>
        <negate>false</negate>
        <fieldName>ev:log</fieldName>
        <operator>eq</operator>
        <valueType>string</valueType>
        <value>log1</value>
      </conditionSpec>
    </condition>
    <condition autoSetDescription="" comments="" description="ev:log=log2">
      <negatePrimaryCondition>false</negatePrimaryCondition>
      <conditionRelation>All</conditionRelation>
      <conditionSpec>
        <negate>false</negate>
        <fieldName>ev:log</fieldName>
        <operator>eq</operator>
        <valueType>string</valueType>
        <value>log2</value>
      </conditionSpec>
    </condition>
    <condition autoSetDescription="false" comments="" description="ev:log=log3">
      <negatePrimaryCondition>false</negatePrimaryCondition>
      <conditionRelation>All</conditionRelation>
      <conditionSpec>
        <negate>false</negate>
        <fieldName>ev:log</fieldName>
        <operator>eq</operator>
        <valueType>string</valueType>
        <value>log3</value>
      </conditionSpec>
    </condition>
  </parameter>
  <parameter type="TimeInterval">
    <time>5</time>
    <units>sec</units>
  </parameter>
  <parameter type="CanCannot">Cannot</parameter>
</filter>
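
The matching rules described above, modelled in Python and run over constructed events with the settings of the XML example (Condition ev:app = app1, FieldName ev:host, Threshold 3, TimeInterval 5 sec, Cannot). This is an added illustration, not the product's code: the class and function names are hypothetical, and discarding progress when the window expires and after the action fires is an assumption the description does not spell out.

```python
class MatchUniqueSet:
    """Model of the documented rules. Assumed here, not documented: progress for a
    FieldName value is discarded when its window expires and after the action fires."""
    def __init__(self, condition, field_name, condition_list, threshold, interval=0, can=False):
        self.condition, self.field_name = condition, field_name
        self.condition_list, self.threshold = condition_list, threshold
        self.interval, self.can = interval, can
        # An empty ConditionList or an invalid Threshold disables the filter.
        self.enabled = bool(condition_list) and isinstance(threshold, int) and threshold > 0
        self.state = {}  # FieldName value -> (window start, indexes of satisfied conditions)

    def process(self, ev):
        """Feed one event (dict, 'time' in seconds); return match info on firing, else None."""
        if not self.enabled or not self.condition(ev):
            return None                      # filter disabled, or primary Condition failed
        key = ev.get(self.field_name) or ""  # missing or empty FieldName is treated as ""
        start, done = self.state.get(key, (None, set()))
        if start is not None and self.interval and ev["time"] - start > self.interval:
            del self.state[key]              # window expired (interval 0 = whole session)
            start, done = None, set()
        for i, cond in enumerate(self.condition_list):   # checked in the listed order
            if i not in done and cond(ev):   # satisfied conditions are not rechecked
                start = ev["time"] if start is None else start
                done.add(i)
                self.state[key] = (start, done)
                if not self.can:
                    break                    # "Cannot": at most one condition per event
        if len(done) >= self.threshold:
            del self.state[key]
            return {"unique": key, "startTime": start, "endTime": ev["time"],
                    "threshold": self.threshold}
        return None

def log_is(value):
    return lambda ev: ev.get("ev:log") == value

def demo():
    """Constructed events run through the settings of the XML example above."""
    f = MatchUniqueSet(lambda ev: ev.get("ev:app") == "app1", "ev:host",
                       [log_is("log1"), log_is("log2"), log_is("log3")], threshold=3, interval=5)
    rows = [(0, "hostA", "app1", "log1"), (1, "hostB", "app1", "log1"),
            (2, "hostA", "app1", "log1"),   # log1 again: no progress
            (3, "hostA", "app1", "log2"),
            (4, "hostA", "app2", "log3"),   # app2 fails the primary Condition
            (4, "hostA", "app1", "log3"),   # third distinct condition for hostA: fires
            (5, "hostB", "app1", "log2"),
            (7, "hostB", "app1", "log3")]   # hostB's window (from t=1) has expired
    events = [dict(zip(("time", "ev:host", "ev:app", "ev:log"), r)) for r in rows]
    return [hit for hit in map(f.process, events) if hit]
```

Only hostA fires: hostB collects log1 and log2 in time, but its log3 arrives after the 5-second window that began at its first match.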