I am creating an EPL rule where I want to take two types of events: one type has user.src, and the second type has a different identification of the user in a custom meta, for which I add user.src using a custom feed, but it can also have an empty user.src if the feed doesn't match on it.
Then I need to group the generated alerts into an incident grouped by user.src.
The problem is that no incidents are generated for alerts having no user.src when I am grouping by user.src in the incident. Thus I want to use the custom meta (secondary user identification) in cases when user.src is empty.
I came up with the idea of setting user_src to the value of the custom meta in EPL in case user_src doesn't exist, but I don't know how to achieve that. Is there any way to do it?
For example, I tried this:
SELECT *, coalesce(user_src, custom_meta_name, 'UNKNOWN_USER') AS user_src FROM Event(some filters);
But that won't deploy, as user_src is returned twice in the result. Listing all possible keys from Event instead of *, replacing user_src with the coalesce expression, also doesn't sound like the best way.
Then I tried saving the result of the SELECT to an EventStream and updating user_src in the EventStream (using the UPDATE command) before using it to create the event with SELECT * FROM EventStream, but that didn't deploy either (the problem was in the UPDATE command; it probably doesn't work in EPL like it does in SQL).
Any solution for this?