
Help Required - Rule syntax.

Question asked by 9lxVbTB4DoSrb29tET8lgFaAPkx9TONQEPzdVrrEz3E= on Feb 25, 2016
Latest reply on Mar 3, 2016 by 9lxVbTB4DoSrb29tET8lgFaAPkx9TONQEPzdVrrEz3E=

Hi, I am trying to create a rule which will fire an alert once 3+ events for a single host are detected within a 4 hr span. Instead, it keeps firing on every 3rd event from the host. I am trying the below syntax.

@RSAAlert (oneInSeconds=0, identifiers={"alias_host"})
SELECT * FROM
Event(
   (
     medium = 32
     AND
     device_type='entercept'
     AND
     alias_host IS NOT NULL
   )
).win:time(14400 sec)
match_recognize(
   partition by alias_host
   measures A as a
   pattern (A A A A+)
   define
      A as A.alias_host IS NOT NULL
);


Can I please get the proper syntax or some suggestions to get it done?  Thanks in advance.
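One way to express the stated intent (alert when a host reaches its 3rd matching event inside a sliding 4-hour window, then stay quiet for that host) is a grouped count instead of match_recognize. This is an added example, not a rule from the thread or from RSA's documentation; it reuses the field names of the posted rule, and the oneInSeconds suppression value of 14400 is an assumption chosen to match the 4-hour window.

```epl
// Added example, not the poster's rule. Fires once when a host's count of
// matching events reaches exactly 3 within the 4-hour time window, then the
// @RSAAlert annotation suppresses further alerts for that host for 14400 s.
@RSAAlert(oneInSeconds=14400, identifiers={"alias_host"})
SELECT alias_host, count(*) AS event_count
FROM Event(
        medium = 32
        AND device_type = 'entercept'
        AND alias_host IS NOT NULL
     ).win:time(4 hours)
GROUP BY alias_host
// "= 3" triggers only on the event that completes the third hit;
// ">= 3" would re-trigger on every later event from the same host.
HAVING count(*) = 3;
```

The identifiers={"alias_host"} part keeps the suppression per host, so a second host reaching 3 events still alerts independently.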
