I need help with an advanced EPL rule. I have the following log structure:
event_time, ec_activity, event_log
I need an alert when I have two (or more) events that have the same value of 'ec_activity' but different values of 'event_log' within a time frame of 10 minutes.
I looked at the web info on EPL rules and tried it with this one:
SELECT * FROM Event(
    device_type = 'trafmako' AND ec_activity IS NOT NULL AND event_log IS NOT NULL
).std:groupwin(event_log).win:time_length_batch(10 Minutes, 2).std:unique(ec_activity)
GROUP BY event_log HAVING COUNT(*) = 2;
Sadly it does not work. I really appreciate any help.
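As an added example that is not part of the original post: the alert condition described above (same ec_activity, different event_log, both events within 10 minutes of each other) written out as a sliding-window correlation in plain Python over a few constructed sample lines, so that the intended matching semantics are explicit before they are expressed as an EPL statement. The sample events, the ISO-8601 timestamp format and the comma-separated layout are assumptions; the device_type filter from the posted rule is left out because it is not one of the three columns listed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the event_time, ec_activity, event_log layout
# from the question. Not real data: the timestamps, activities and log
# names are made up to exercise the window logic.
SAMPLE_LOG = """\
2024-05-01T10:00:00,login,serverA
2024-05-01T10:03:00,login,serverB
2024-05-01T10:04:00,login,serverA
2024-05-01T10:15:00,login,serverC
2024-05-01T10:20:00,backup,serverA
2024-05-01T10:25:00,backup,serverA
2024-05-01T10:40:00,backup,serverC
"""

WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse 'event_time,ec_activity,event_log' lines into sorted tuples.

    Lines with an empty ec_activity or event_log are dropped, mirroring the
    IS NOT NULL filters in the EPL attempt.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, activity, log = (f.strip() for f in line.split(",", 2))
        if not activity or not log:
            continue
        events.append((datetime.fromisoformat(ts), activity, log))
    events.sort(key=lambda e: e[0])  # correlation assumes time order
    return events


def find_alerts(events, window=WINDOW):
    """Return one alert per (earlier, later) pair of events that share
    ec_activity, differ in event_log, and are at most `window` apart.

    Each alert is (ec_activity, earlier_time, earlier_log, later_time, later_log).
    """
    # ec_activity -> list of (event_time, event_log) still inside the window
    recent = defaultdict(list)
    alerts = []
    for ts, activity, log in events:
        bucket = recent[activity]
        # Expire entries older than the window relative to the current event.
        bucket[:] = [(t, l) for t, l in bucket if ts - t <= window]
        # Any surviving entry with a different event_log completes a match.
        for t, l in bucket:
            if l != log:
                alerts.append((activity, t, l, ts, log))
        bucket.append((ts, log))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as-is it reports two alerts, both for 'login': serverA then serverB at 10:03, and serverB then serverA at 10:04. The 'login' event on serverC at 10:15 fires nothing because every earlier 'login' is more than 10 minutes old by then, and the 'backup' events never fire because the two that are close together share the same event_log. That is the behaviour to aim for in EPL: a per-ec_activity correlation keyed on the first event's own timestamp, not a batch window grouped by event_log. In Esper that shape is normally written as a followed-by pattern, roughly `every a=Event(...) -> b=Event(ec_activity = a.ec_activity and event_log != a.event_log) where timer:within(10 min)`, which matches a later event against the one that started the window instead of counting distinct rows per batch.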