I have two correlation rules, both designed to provide the same output. One is based upon standard filters and works. The other uses a script condition 'count(*)>=4' and does not.
RULE WITHOUT COUNT (WORKS)
RULE WITH COUNT (DOES NOT WORK)
The rule with the count added does not seem to produce a correlated alarm. I have tried various combinations of filtering etc. Can I have some advice?
Thanks
The rule condition applies to the buckets you've created with the 'group by'. However, using the 'trigger on single events only', I believe there are no buckets being kept in memory and as such, your condition will never match.
Have you tried to uncheck 'trigger on single events only'?
I’m afraid the only supported operators are the ones documented in https://docs.dataminer.services/user-guide/Advanced_Modules/Correlation/Correlation_rule_syntax/Condition_format.html.
However, you can add another script condition with ‘Add filter’ and combine the script & filter conditions with logical operators.
Hi Ken,
Likely you will need to add spaces near the operator.
Instead of "count(*)>=4", it should be "count(*) >= 4".
Could you give it a try and verify if this works?
Documentation source: Examples of script conditions | DataMiner Docs
Hope this helps you further.
Yes, I've added those spaces, and that's fine…
Can this be used, for example:
count(*) >= 4 ! <=10
Within a single script condition, it is not possible to combine multiple conditions using ‘and’ or ‘or’.
See the following link for more info: https://docs.dataminer.services/user-guide/Advanced_Modules/Correlation/Correlation_rule_syntax/Condition_format.html
Hi, thanks for the response. I have got it working after a fashion, but 'trigger on single events' is still checked. However, can you put a logical operator on the script? So, for example, if I want to test for count(*) >= 4 combined with count(*) =< 10. So anything 4 to 10 inclusive.