AnsweredAssumed Answered

ESA - Match on Multiple Occurrences of a Single Meta-Key?

Question asked by Drew Contractor on Jun 22, 2018
Latest reply on Jun 25, 2018 by Nick Mikhal

Hi,

 

I want to build an ESA alert that will trigger on any single event where multiple instances of the error meta-key are present in the event metadata.

 

As an example,

 

feed.name    =    "investigation"
analysis.file    =    
error    =    
error    =    
error    =    

 

I've already tried numerous approaches but nothing seems to work. Also, I found it interesting to note that the error meta-key is of type string and not a string array.

 

Any suggestions would be welcomed and appreciated. Thanks in advance.

Outcomes