Mohd Saad Khan

Alert for Unique and distinct meta.

Discussion created by Mohd Saad Khan on Oct 20, 2016
Latest reply on Nov 3, 2016 by Mohd Saad Khan

I have created an alert for an event in that it will create a window of 30 mins and grab my required events and output only unique/distinct meta, but I am getting duplicate meta (duplicate device ip) despite putting the required condition;

SELECT distinct * FROM Event(
/* Statement: Virus Detected on system and Left alone */
(device_type IN ( 'symantecav' ) AND ( 'Left alone' = ANY( action ) ))
).win:time(30 min)

I also tried this, as I want unique and distinct device.ip from a pool of 30 mins;

SELECT * FROM Event(
/* Statement: Virus Detected on system and Left alone */
(device_type IN ( 'symantecav' ) AND ( 'Left alone' = ANY( action ) ))
).std:unique(device_ip).win:time(30 min)

Can anyone correct this issue?
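The following is an added example of the first-per-key pattern in Esper EPL; it is not a reply from the thread and it assumes the ESA engine accepts standard Esper 5.x view syntax (std:firstunique) together with the Event stream and the device_type, action and device_ip properties named in the question.

```epl
// Added example (not from the thread). Why the two attempts above still emit
// duplicates: SELECT DISTINCT only removes duplicate rows within a single
// output batch, and with per-event output every arriving event is its own
// batch; std:unique keeps the LATEST event per device_ip, but each new arrival
// is still pushed to the insert stream (the older one goes to the remove stream).
//
// std:firstunique keeps only the FIRST event per device_ip. Combined with the
// 30 minute time window (views chained with '.' form an intersection by default),
// a device_ip is emitted once, and can be emitted again only after its retained
// event has aged out of the window.
@Name('VirusLeftAloneOncePerDevice')
SELECT device_ip, device_type, action
FROM Event(
    /* Statement: Virus Detected on system and Left alone */
    device_type IN ('symantecav') AND ('Left alone' = ANY(action))
).win:time(30 min).std:firstunique(device_ip);
```

Only the first matching event per device_ip in any 30 minute span reaches the alert; events for an already-seen device_ip are silently discarded until that device's retained event expires.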
