Weight Unique Events Filter

Definition

Description

If an event matches Condition, then for each unique value of FieldName, find the first matching condition in ConditionWeightList and add its corresponding weight to a running sum.
Perform ActionList if the running sum reaches Threshold within TimeInterval.
Each condition can or cannot be counted multiple times, as set by CanCannot.

Comments

Unique counter, timer, and condition instances are generated for each unique value of the first FieldName.

The event will trigger only the first matching Condition.

If a Condition has already been matched and can only be counted once for each unique instance, then that Condition is no longer available for matching, but other unmatched conditions may still be matched.

If the Threshold count is reached during the TimeInterval, the specified action list is executed, and the counter, timer, and conditions for that unique instance are reset.

The TimeInterval starts when the first event arrives.

If the TimeInterval expires before the threshold is reached, the counter, timer, and conditions for that unique instance are reset and no actions are fired.

If CanCannot is empty, missing or blank, default to "Can".

If ConditionWeightList is empty, missing or blank, disable the filter.

If TimeInterval is empty, missing or blank, it defaults to the length of the ECS session.

If Threshold is empty, missing, blank or less than or equal to zero, disable the filter.

If FieldName is empty, missing or blank, set its value to "".

Example

<filter objectId="Filter.WeightUniqueEvents" type="WeighUniqueEventsFilter">
	<parameter type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>Any</conditionRelation>
		<conditionSpec>        <!-- changed name from "condition" -->
			<negate>false</negate>
			<fieldName>ev:host</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>bozo</value>
		</conditionSpec>
	</parameter>
	<parameter type="FieldName">ev:uniqueId</parameter>
	<parameter type="ConditionWeightList">
		<condition weight="1.3345"> <!-- 0..N of these in an ordered list -->
			<negatePrimaryCondition>false</negatePrimaryCondition>
			<conditionRelation>All</conditionRelation>
			<conditionSpec> <!-- changed name from "condition" -->
				<negate>false</negate>
				<fieldName>ev:msg</fieldName>
				<operator>containsString</operator>
				<valueType>string</valueType>
				<value>delete</value>
			</conditionSpec>
		</condition>
	</parameter>
	<parameter type="ActionList">
		<action type="SetEventFieldList">
			<setEventField fieldName="ev:msg3">
				<type>String</type>
				<formatString>this is %1% and %2%</formatString>
				<formatParmSpec> <!-- 0..N of these -->
					<type>EventType</type>
					<name>ev:msg</name>
				</formatParmSpec>
			</setEventField>
		</action>
	</parameter>
	<parameter type="Threshold">3.141592654</parameter> <!-- double value -->
	<parameter type="TimeInterval">
		<time>10</time>
		<units>min</units>
	</parameter>
	<parameter type="CanCannot">Can</parameter>
</filter>
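
The rules in the Comments section can be checked against a small model before a filter is deployed. The Python below is an added example, not the product's code: the class name, the callable conditions and the SAMPLE events are constructed for illustration, TimeInterval is given in seconds, and it assumes an expired window is reset when the next event for that unique value arrives.

```python
import math

class WeightUniqueEvents:
    """Model of the semantics described on this page; not the product's code."""

    def __init__(self, primary, field_name, weighted, threshold, interval=None, can_cannot=""):
        self.primary = primary                # Condition: callable(event) -> bool
        self.field = field_name or ""         # blank FieldName becomes ""
        self.weighted = list(weighted or [])  # ordered [(callable, weight), ...]
        self.threshold = threshold
        # Blank TimeInterval: whole session, modelled here as no expiry.
        self.interval = math.inf if interval is None else interval
        self.once = (can_cannot or "Can") == "Cannot"   # blank defaults to "Can"
        # Empty ConditionWeightList or Threshold <= 0 disables the filter.
        self.enabled = bool(self.weighted) and (threshold or 0) > 0
        self.state = {}   # unique value -> [window start, running sum, used indexes]

    def feed(self, ts, event):
        """Process one event at time ts (seconds); True means ActionList runs."""
        if not self.enabled or not self.primary(event):
            return False
        key = event.get(self.field, "")
        st = self.state.get(key)
        # Assumption: an expired window is reset when the next event arrives.
        if st is None or ts - st[0] > self.interval:
            st = self.state[key] = [ts, 0.0, set()]   # timer starts on first event
        for i, (cond, weight) in enumerate(self.weighted):
            if self.once and i in st[2]:
                continue                      # "Cannot": already counted, skip it
            if cond(event):
                st[1] += weight               # only the first match is counted
                st[2].add(i)
                break
        if st[1] >= self.threshold:
            del self.state[key]               # reset counter, timer and conditions
            return True
        return False

def demo_filter(can_cannot="Can"):
    """The filter from the page's XML example, with TimeInterval in seconds."""
    return WeightUniqueEvents(
        primary=lambda e: e.get("ev:host") != "bozo",
        field_name="ev:uniqueId",
        weighted=[(lambda e: "delete" in e.get("ev:msg", ""), 1.3345)],
        threshold=3.141592654, interval=600, can_cannot=can_cannot)

# Constructed sample: three "delete" events for one ev:uniqueId within 10 minutes.
SAMPLE = [(t, {"ev:host": "web1", "ev:uniqueId": "u1", "ev:msg": "delete x"}) for t in (0, 60, 120)]
```

With the example's weight of 1.3345 and threshold of 3.141592654, the third matching event fires the action list under "Can", while under "Cannot" the single condition is counted once and the threshold is never reached.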