Hi!
I'm trying to write an ESA alert to trigger under the following conditions:
ESA receives an event from device_type = 'device' and a user_src is 'username' with a meta = 'cond01' or meta = 'cond02'... this event also has a "number" meta and NO event with the following conditions arrives at ESA within 20 seconds: device_type = 'device' and meta = 'cond03' and the same number as the first event. The rule is as follows:
@Name('Test Rule')
@RSAAlert(oneInSeconds=0)
SELECT * FROM pattern
[Every a = Event(
    (device_type.toLowerCase() IN ( 'device' ) AND user_src.toLowerCase() IN ( 'username' ) AND meta.toLowerCase() IN ( 'cond01' , 'cond02' ) ) )
 -> (timer:interval(20 seconds) and not Event(device_type.toLowerCase() IN ( 'device' ) AND number = a.number AND meta.toLowerCase() = 'cond03'))];
The rule works fine, but it aggregates all the events within the same alert and I need one alert for each time that the first event is matched (the device produces several first conditions with different "number").
Sorry if I'm not clear, but I'm a little lost with this.
Hey Max,
Try the following code:
@Name('Test Rule')
INSERT INTO alertStream
SELECT * FROM pattern @SuppressOverlappingMatches
[Every(a = Event(device_type.toLowerCase() IN ( 'device' ) AND user_src.toLowerCase() IN ( 'username' ) AND meta.toLowerCase() IN ( 'cond01' , 'cond02' ) ) )
 -> (timer:interval(20 seconds) and not Event(device_type.toLowerCase() IN ( 'device' ) AND number = a.number AND meta.toLowerCase() = 'cond03'))];

@RSAAlert
SELECT * FROM alertStream
This will insert the alerts into a temporary stream which we then select from. This should mean each alert will not be aggregated together, but instead, be an individual alert.
Cheers,
Lee
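The correlation both posts describe (every matched first event opens its own 20-second window keyed by its "number"; a cond03 event with the same number closes the window silently; if the window elapses with no such event, that first event produces its own alert) as a small streaming simulation in Python. This is an added illustration, not code from either post and not NetWitness or Esper code; the event fields, timestamps and numbers are constructed sample data. It exists only to make the expected behaviour of the fixed rule concrete, including the per-event (not per-number) alerting that the question asks for and the case where cond03 arrives just after the window has expired.

```python
from dataclasses import dataclass, field
from typing import List, Optional

WINDOW_SECONDS = 20.0  # mirrors timer:interval(20 seconds) in the ESA rule


@dataclass
class Event:
    """A minimal stand-in for an ESA event (constructed for this example)."""
    time: float                  # arrival time in seconds (constructed clock)
    device_type: str
    user_src: str = ''
    meta: str = ''
    number: Optional[str] = None


def is_first_condition(e: Event) -> bool:
    # Same predicate as the first Event(...) in the pattern, case-insensitive.
    return (e.device_type.lower() == 'device'
            and e.user_src.lower() == 'username'
            and e.meta.lower() in ('cond01', 'cond02'))


def is_cancel_condition(e: Event) -> bool:
    # The "not Event(...)" part; the number comparison is done per open window.
    return e.device_type.lower() == 'device' and e.meta.lower() == 'cond03'


@dataclass
class Correlator:
    """Streaming evaluator: one open window per matched first event ("every")."""
    pending: List[Event] = field(default_factory=list)
    alerts: List[Event] = field(default_factory=list)

    def _expire(self, now: float) -> None:
        # Windows whose 20 s have elapsed with no cancelling event become alerts.
        # A cond03 arriving exactly at the deadline is still counted as in-window.
        still_open = []
        for a in self.pending:
            if now > a.time + WINDOW_SECONDS:
                self.alerts.append(a)
            else:
                still_open.append(a)
        self.pending = still_open

    def on_event(self, e: Event) -> None:
        self._expire(e.time)          # timers fire before the new event is evaluated
        if is_cancel_condition(e):    # cond03 with matching number closes every such window
            self.pending = [a for a in self.pending if a.number != e.number]
        if is_first_condition(e):     # every match opens its own window, even for a repeated number
            self.pending.append(e)

    def flush(self, now: float) -> List[Event]:
        # Advance the clock to 'now' so remaining windows can expire, then return alerts.
        self._expire(now)
        return self.alerts


def run_sample() -> List[Optional[str]]:
    """Feed a constructed event sequence and return the 'number' of each alert in order."""
    sample = [
        Event(0.0, 'device', 'username', 'cond01', '100'),   # first event, later cancelled
        Event(2.0, 'device', 'other', 'cond01', '500'),      # wrong user: never opens a window
        Event(5.0, 'Device', 'USERNAME', 'cond02', '200'),   # mixed case still matches
        Event(12.0, 'device', '', 'cond03', '100'),          # cancels 100 within 20 s
        Event(30.0, 'device', 'username', 'cond01', '300'),  # new first event
        Event(45.0, 'device', '', 'cond03', '999'),          # unrelated number: no effect
        Event(70.0, 'device', 'username', 'cond01', '400'),  # first event
        Event(91.0, 'device', '', 'cond03', '400'),          # 21 s later: too late, 400 alerts
        Event(110.0, 'device', 'username', 'cond01', '600'), # two first events, same number,
        Event(112.0, 'device', 'username', 'cond02', '600'), # no cond03: two separate alerts
    ]
    c = Correlator()
    for e in sample:
        c.on_event(e)
    return [a.number for a in c.flush(now=200.0)]


if __name__ == '__main__':
    print(run_sample())
```

Each entry in the returned list corresponds to one alert, which is the behaviour the second statement in Lee's answer (selecting from alertStream) is meant to produce; the two '600' entries show that a repeated number within the window still yields two alerts, because the pattern's "every" opens a window per matching event, not per number.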