Karim Benzina

Detect a loss of logs from a device IP

Discussion created by Karim Benzina on Dec 13, 2016


I tried the ESA rule template example which detects a sudden loss of traffic, from the sadocs ESA documentation.



Unfortunately, it does not work in my environment. Here is the EPL:

    SELECT * FROM pattern [
        every a = Event(device_ip IN ('IP_X1','IP_X2') AND medium = 32)
        -> (timer:interval(3600 seconds)
            AND NOT Event(device_ip = a.device_ip AND device_type = a.device_type AND medium = 32))
    ];


Could you please help me understand why this is not working?
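An offline replay of what the posted pattern is meant to detect, as an added example that is not from the original post or from the NetWitness/Esper product: every log event (medium 32) from a watched IP arms a 3600 s timer that is cancelled by the next log from the same device_ip/device_type and otherwise raises an alert. The Event fields, sample times and device types are constructed, and treating a log that arrives exactly at the deadline as "timer already fired" is an assumption.

```python
from dataclasses import dataclass

WINDOW = 3600                      # seconds, as in the posted timer:interval(3600 seconds)
WATCHED_IPS = {"IP_X1", "IP_X2"}   # placeholder IPs from the posted EPL
LOG_MEDIUM = 32                    # medium = 32 in the posted EPL (log events)


@dataclass(frozen=True)
class Event:
    time: int          # event time, epoch seconds (constructed field names)
    device_ip: str
    device_type: str
    medium: int


def detect_log_loss(events, now, window=WINDOW, watched=WATCHED_IPS):
    """Replay the posted pattern: each log from a watched IP arms a timer of
    `window` seconds; the timer fires an alert unless another log from the same
    device_ip/device_type arrives first. Returns sorted (fire_time, ip, type)."""
    alerts = []
    pending = {}   # (device_ip, device_type) -> deadline of the armed sub-pattern
    for ev in sorted(events, key=lambda e: e.time):
        if ev.medium != LOG_MEDIUM:
            continue               # packets/flows never arm nor cancel the pattern
        key = (ev.device_ip, ev.device_type)
        deadline = pending.pop(key, None)
        if deadline is not None and ev.time >= deadline:
            # The window elapsed before this log arrived: the timer already fired.
            # (A log landing exactly on the deadline is assumed to count as fired.)
            alerts.append((deadline, *key))
        # Otherwise the device spoke again inside the window: NOT-branch matched,
        # sub-pattern cancelled silently.
        if ev.device_ip in watched:
            pending[key] = ev.time + window   # `every` arms a fresh sub-pattern
    # Anything still armed whose deadline has passed by `now` has fired as well.
    for key, deadline in pending.items():
        if deadline <= now:
            alerts.append((deadline, *key))
    return sorted(alerts)


SAMPLE_EVENTS = [  # constructed sample stream, times in seconds
    Event(0,    "IP_X1", "firewall", 32),
    Event(600,  "IP_X1", "firewall", 32),
    Event(1200, "IP_X1", "firewall", 32),
    Event(6000, "IP_X1", "firewall", 32),   # silent 1200..6000 (> 3600 s): alert at 4800
    Event(300,  "IP_X2", "windows", 32),
    Event(2000, "IP_X2", "windows", 32),    # then silent: alert at 5600 once `now` passes it
    Event(2500, "IP_X2", "windows", 1),     # not a log (medium != 32): ignored
    Event(100,  "IP_X9", "other", 32),      # not a watched IP: never arms a timer
]

if __name__ == "__main__":
    for fired_at, ip, dtype in detect_log_loss(SAMPLE_EVENTS, now=7200):
        print(f"t={fired_at}: no logs from {ip} ({dtype}) for {WINDOW}s")
```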