EPL Advanced Rule
I need help with one advanced EPL rule. I have the following LOG structure:
event_time, ec_activity, event_log
I need an alert when I have two (or more) events that have the same value of 'ec_activity' but a different value of 'event_log' in a time frame of 10 minutes.
I looked at the web info on EPL rules and tried it with this one:
SELECT * FROM Event(
device_type = 'trafmako' AND ec_activity IS NOT NULL AND event_log IS NOT NULL
).std:groupwin(event_log).win:time_length_batch(10 Minutes, 2).std:unique(ec_activity) group by event_log having count(*) = 2;
Sadly it does not work. I really appreciate any help.
The following should fit your needs:
SELECT * FROM Event(ec_activity IS NOT NULL AND event_log IS NOT NULL).std:groupwin(ec_activity).win:time_batch(10 min).std:unique(event_log) GROUP BY ec_activity HAVING COUNT(*) >1;
It will look for two or more of the same ec_activity metadata but different event_log metadata.
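To check what that rule actually matches before deploying it, here is an added Python simulation of the same logic (not code from the thread or from NetWitness) run over constructed sample events. It groups by ec_activity and alerts when more than one distinct event_log value appears within 10 minutes; it uses a sliding window per activity rather than EPL's win:time_batch, so it also catches a pair that straddles a batch boundary.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the thread's schema: (event_time, ec_activity, event_log)
SAMPLE_EVENTS = [
    ("2024-01-01 10:00:00", "Logon",  "Security"),
    ("2024-01-01 10:03:00", "Logon",  "System"),       # same activity, different log -> alert
    ("2024-01-01 10:04:00", "Logoff", "Security"),
    ("2024-01-01 10:05:00", "Logoff", "Security"),     # same activity, same log -> no alert
    ("2024-01-01 10:20:00", "Logon",  "Security"),     # earlier Logon events have aged out
    ("2024-01-01 10:25:00", "Logon",  "Application"),  # pairs with the 10:20 Logon -> alert
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_alerts(events, window=timedelta(minutes=10)):
    """Return (event_time, ec_activity, sorted distinct event_log values)
    for every event that completes a same-activity / different-log pair
    inside the window. Events with a missing field are skipped, matching
    the IS NOT NULL filters in the rule."""
    alerts = []
    recent = defaultdict(list)  # ec_activity -> [(time, event_log), ...]
    for ts, activity, log in sorted(events, key=lambda e: parse(e[0])):
        if activity is None or log is None:
            continue
        now = parse(ts)
        # Drop entries for this activity that are older than the window.
        recent[activity] = [(t, l) for t, l in recent[activity] if now - t <= window]
        recent[activity].append((now, log))
        distinct_logs = {l for _, l in recent[activity]}
        if len(distinct_logs) > 1:
            alerts.append((ts, activity, sorted(distinct_logs)))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```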