on Jan 28, 2015I know report engine rule has list option or watchlist option to use in report engine where statement. What is the name called in ESA 10.4? Does it exists?
I know report engine rule has list option or watchlist option to use in report engine where statement. What is the name called in ESA 10.4? Does it exists?
How would this work for IP addresses? I tried the following which didn't work at all.
create variable string[] iplist =
{
'10.0.0.1',
'10.0.0.2',
'10.0.0.3',
'10.0.0.4'
};
SELECT * FROM Event(ip_dst IS ANY(iplist));
Hi Drew,
IP addresses in Esper are also strings, so what you have is good. To have the condition trigger and display an alert. You need to add the @RSAAlert annotation above that statement. Using your example above:
create variable string[] iplist =
{
'10.0.0.1',
'10.0.0.2',
'10.0.0.3',
'10.0.0.4'
};
@RSAAlert
SELECT * FROM Event(ip_dst IS ANY(iplist));
Cheers,
Lee
Thanks Lee. That worked well.
I tested further, and even though I had the @RSAAlert reference, it wouldn't work if it preceded the CREATE VARIABLE statement. Only when I moved it down would it work.
How large is the list that you want to use?
You could look into using a Feed on the Decoder to generate a piece of Meta that you reference in your ESA rules.
Or you could look into declaring an array variable within the EPL itself:
create variable string[] mylist =
{
'Peter',
'Lee',
'Julie',
'George'
};
SELECT * FROM Event(user_dst IS ANY(mylist));