Sum Unique Events Filter

Definition

Description

If an event matches Condition, the filter sums the value in FieldName for each unique value of FieldName and, if the sum reaches Threshold within TimeInterval, performs ActionList.

 

 

Comments

Unique sum and timer instances are generated for each unique value of the FieldName.

If the Threshold is reached during TimeInterval, ActionList is executed, and the counter and timer for that unique instance are reset.

The TimeInterval starts when the first event arrives.

If the TimeInterval expires before the threshold is reached, the counter and timer for that unique instance are reset and no actions are fired.

If TimeInterval is empty, missing or blank, it defaults to the length of the ECS session.

If Threshold is empty, missing, blank or less than or equal to zero, the filter is disabled.

If FieldName is empty, missing or blank, its value is set to "".

 

Example

<filter objectId="Filter.SumUniqueEvents" type="SumUniqueEventsFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
		<conditionSpec>        <!-- changed name from "condition" -->
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>bozo</value>
		</conditionSpec>
	</parameter>
	<parameter type="FieldName">ev:uniqueId</parameter>
	<parameter type="FieldName">sumField</parameter>
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg3">
				<type>String</type>    <!-- insides of "Expression" parm -->
				<formatString>Sum over 32.54 for field 1%.</formatString>
				<formatParmSpec>          <!-- 0..N of these -->
					<type>EventType</type>
					<name>ev:msg</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>	
	<parameter type="Threshold">32.54</parameter>        <!-- double value -->
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
</filter>
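
The per-instance sum, timer and reset rules listed under Comments, modelled in Python and run over constructed events with the example's Threshold (32.54) and TimeInterval (10 min). This is an added illustration, not the product's code. It assumes the first FieldName selects the unique instance and the second is the field summed, that "reaches" means greater than or equal, and that expiry is evaluated when the next event for that instance arrives.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SumUniqueModel:
    threshold: Optional[float]       # Threshold parameter
    interval: Optional[float]        # TimeInterval in seconds; None = no expiry (whole session)
    key_field: str = "ev:uniqueId"   # assumed: first FieldName selects the unique instance
    sum_field: str = "sumField"      # assumed: second FieldName holds the value to sum
    state: dict = field(default_factory=dict)  # key -> (window_start, running_sum)

    def feed(self, ts, ev):
        """Process one event at time ts (seconds); True means ActionList would run."""
        if not self.threshold or self.threshold <= 0:
            return False                         # filter disabled
        if ev.get("ev:host") == "bozo":
            return False                         # Condition from the example: ev:host neq bozo
        key = ev.get(self.key_field, "")
        start, total = self.state.get(key, (ts, 0.0))  # timer starts at the first event
        if self.interval is not None and ts - start > self.interval:
            start, total = ts, 0.0               # expired: reset, no action, new window
        total += float(ev.get(self.sum_field, 0))
        if total >= self.threshold:
            self.state.pop(key, None)            # fired: reset this instance only
            return True
        self.state[key] = (start, total)
        return False

# Constructed sample events: (seconds since start, event fields)
EVENTS = [
    (0,   {"ev:host": "web1", "ev:uniqueId": "alice", "sumField": 20.0}),
    (60,  {"ev:host": "web1", "ev:uniqueId": "bob",   "sumField": 30.0}),
    (120, {"ev:host": "bozo", "ev:uniqueId": "alice", "sumField": 50.0}),  # fails Condition
    (300, {"ev:host": "web2", "ev:uniqueId": "alice", "sumField": 15.0}),  # alice: 35.0, fires
    (700, {"ev:host": "web1", "ev:uniqueId": "bob",   "sumField": 5.0}),   # bob's window expired
    (720, {"ev:host": "web1", "ev:uniqueId": "bob",   "sumField": 28.0}),  # bob: 33.0 in new window
]

def run(events, threshold=32.54, interval=600):
    """Return (time, unique value) for every event on which ActionList would run."""
    model = SumUniqueModel(threshold, interval)
    return [(ts, ev["ev:uniqueId"]) for ts, ev in events if model.feed(ts, ev)]

if __name__ == "__main__":
    print(run(EVENTS))
```

With the 10-minute interval, bob's first 30.0 is discarded before the later events arrive, so the action fires at 720 rather than 700. A source that spreads its total across windows stays under the threshold, which matters when choosing TimeInterval for a detection rule.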