Description

If events match Condition, for each unique FieldName, merge FieldName of all following events into the first event and release the combined event after TimeInterval and perform ActionList.

Comments

If either unique FieldName is missing, blank or invalid, do nothing.

If an event matches Condition, retain each unique event by inserting it into a lookup table indexed by the contents of the first FieldName, but do not send it on to its destination.

If this new event matches a previously received event, add the value in the second FieldName as a uniquely named field to the event in the map (such as ev:msg1, ev:msg2, ...,.). Each event held in the map expires after TimeInterval.

When an event in the maps expires after TimeInterval, it is released to its destination and removed from the map. Additionally, the following event fields are added to the released event:

ev:mergeEvents.startTime = StartingTime
ev:mergeEvents.endTime = EndingTime
ev:mergeEvents.seconds= Ending Time - Starting Time
ev:mergeEvents.count= # of records merged

Example:
%FieldName% = "ev:host"
%FieldName% = "ev:msg"
%Condition% = "ev:host containsString 'food' "
%TimeInterval% = "1 hour"

First Event in ( 3PM ):
{ ev:host = "food.com", ev:msg1 = "bread" }

Event List after:
{ ev:host = "food.com", ev:msg1 = "bread" }

Second Event in ( 3:10PM ):
{ ev:host = "foodsrc.com", ev:msg1 = "jam" }

Event List after:
{ ev:host = "food.com", ev:msg1 = "bread" }
{ ev:host = "foodsrc.com", ev:msg1 = "jam" }

Third Event in ( 3:35PM ):
{ ev:host = "foodsrc.com", ev:msg1 = "jelly" }

Event List after:
{ ev:host = "food.com", ev:msg1 = "bread" }
{ ev:host = "foodsrc.com", ev:msg1 = "jam", ev:msg2 = "jelly" }

Event Released ( 4:10PM ):
{ ev:host = "foodsrc.com",

ev:msg1 = "jam",
ev:msg2 = "jelly",
ev:mergeEvents.startTime= May 22 2003 23:03:10
ev:mergeEvents.endTime= May 23 2003 00:04:10 ev:mergeEvents.recordsMerged = 2

Event List after:
{ ev:host = "food.com", ev:msg1 = "bread" }