Sum Events Filter

Definition

Description

If an event matches Condition, add the value in FieldName to a running sum, and perform ActionList if the sum reaches Threshold within TimeInterval.

Comments

If the threshold value is reached during TimeInterval, ActionList is executed, and the sum and timer are reset.

The TimeInterval starts when the first event arrives.

If the TimeInterval expires before the threshold is reached, the sum and timer are reset and no actions are executed.

If TimeInterval is empty, missing or blank, it defaults to the length of the ECS session.

If Threshold is empty, missing, blank or less than or equal to zero, the filter is disabled.

If FieldName is empty, missing or blank, its value is set to "".
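
The reset rules above can be checked with a small Python model that replays constructed events; this is an added illustration, not the product's code, and the class and function names are hypothetical. It assumes the events passed in already matched Condition, timestamps are seconds since session start, an event arriving after the interval has expired starts a new window, and non-numeric field values add nothing.

```python
import math

class SumEventsModel:
    """Model of the documented Sum Events semantics (hypothetical, not the product)."""

    def __init__(self, field_name, threshold, interval_s=None):
        self.field_name = field_name
        self.threshold = threshold
        # Missing TimeInterval: the window lasts for the whole session.
        self.interval_s = math.inf if interval_s is None else interval_s
        self._reset()

    def _reset(self):
        self.total = 0.0
        self.window_start = None

    def feed(self, ts, event):
        """Process one matching event; return True when ActionList would run."""
        if self.threshold is None or self.threshold <= 0:
            return False  # filter disabled
        # Interval expired before the threshold: drop sum and timer, no action.
        if self.window_start is not None and ts - self.window_start > self.interval_s:
            self._reset()
        if self.window_start is None:
            self.window_start = ts  # timer starts with the first event
        try:
            self.total += float(event.get(self.field_name, 0))
        except (TypeError, ValueError):
            pass  # assumption: a non-numeric value contributes nothing
        if self.total >= self.threshold:
            self._reset()  # threshold reached: fire, then reset sum and timer
            return True
        return False

def run(events, **params):
    """Return the timestamps at which ActionList would be executed."""
    model = SumEventsModel(**params)
    return [ts for ts, ev in events if model.feed(ts, ev)]

# Constructed sample events: (seconds since session start, event fields)
EVENTS = [
    (0,    {"sumField": 20.0}),
    (300,  {"sumField": 10.0}),
    (540,  {"sumField": 5.0}),   # sum 35.0 within 10 min: fires, resets
    (600,  {"sumField": 30.0}),  # first event of a new window
    (1260, {"sumField": 30.0}),  # 660 s later: old window expired, restart
    (1300, {"sumField": 3.0}),   # sum 33.0 within the new window: fires
]

if __name__ == "__main__":
    print(run(EVENTS, field_name="sumField", threshold=32.54, interval_s=600))
```

With no TimeInterval the same events fire at 540 and 1260 instead, because the sum carried from 600 is never discarded by an expiry.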

Example

<filter objectId="Filter.SumEvents" type="SumEventsFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
		<conditionSpec>        <!-- changed name from "condition" -->
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>bozo</value>
		</conditionSpec>
	</parameter>
	<parameter type="FieldName">sumField</parameter>
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg3">
				<type>String</type>    <!-- insides of "Expression" parm -->
				<formatString>Sum over 32.54 for field 1%.</formatString>
				<formatParmSpec>          <!-- 0..N of these -->
					<type>EventType</type>
					<name>ev:msg</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>	
	<parameter type="Threshold">32.54</parameter>        <!-- double value -->
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
</filter>