AnsweredAssumed Answered

EPL Advanced Rule

Question asked by Omar Garcia Gilio on Sep 29, 2016
Latest reply on Sep 30, 2016 by Corey Dukai

Hi everyone,


I need help with one advanced EPL rule. I have the follow LOG estructure:

   event_time, ec_activity, event_log


I need an alert when i have two (or more) events that have the same value of 'ec_activity' but diferent value of 'event_log' in a time frame of 10 minutes.


I looked the web info of EPL rules and try it with this one:


device_type = 'trafmako' AND ec_activity IS NOT NULL AND event_log IS NOT NULL
).std:groupwin(event_log).win:time_length_batch(10 Minutes, 2).std:unique(ec_activity) group by event_log having count(*) = 2;


saddly not work. I really appreciate any help.