I have two correlation rules both designed to provide the same output. One is based upon standard filters and works. The other uses a script condition 'count(*)>=4' and does not.
RULE WITHOUT COUNT (WORKS)
RULE WITH COUNT (DOES NOT WORK)
The rule with the count added does not seem to produce a correlated alarm. I have tried various combinations of filtering etc. Can I have some advice?
Thanks
The rule condition applies to the buckets you've created with the 'group by'. However, using 'trigger on single events only', I believe there are no buckets being kept in memory and, as such, your condition will never match.
Have you tried to uncheck 'trigger on single events only'?
I’m afraid the only supported operators are the ones documented in https://docs.dataminer.services/user-guide/Advanced_Modules/Correlation/Correlation_rule_syntax/Condition_format.html.
However, you can add another script condition with ‘Add filter’ and combine the script & filter conditions with logical operators.
Hi, thanks for the response. I have got it working after a fashion, but the trigger on single events is still checked. However, can you put a logical operator on the script? So for example, if I want to test for count(*) >= 4 combined with count(*) =< 10, so anything 4 to 10 inclusive.
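A small Python model of the two behaviours discussed in this thread (evaluating each event on its own versus keeping per-'group by' buckets, with an inclusive 4 to 10 count range). This is an added illustration, not DataMiner code: the sample events, the `evaluate()` function and the way the `single_events_only` flag is modelled are assumptions.

```python
from collections import defaultdict

# Constructed sample events (not taken from the thread): each carries the
# field the rule groups on ("element") plus a severity.
EVENTS = [
    {"element": "Switch-A", "severity": "Critical"},
    {"element": "Switch-A", "severity": "Critical"},
    {"element": "Switch-B", "severity": "Major"},
    {"element": "Switch-A", "severity": "Critical"},
    {"element": "Switch-A", "severity": "Critical"},
    {"element": "Switch-B", "severity": "Major"},
]


def bucket_counts(events, group_by):
    """Count events per 'group by' value (the buckets a rule condition sees)."""
    buckets = defaultdict(int)
    for ev in events:
        buckets[ev[group_by]] += 1
    return dict(buckets)


def evaluate(events, group_by, min_count, max_count, single_events_only):
    """Return the group keys that would raise a correlated alarm.

    Simplified model (assumption, not DataMiner's engine): with
    single_events_only each event is evaluated alone, so count(*) is always 1
    and a lower bound of 4 can never match; without it, the condition
    min_count <= count(*) <= max_count (inclusive) is applied per bucket.
    """
    if single_events_only:
        return [ev[group_by] for ev in events if min_count <= 1 <= max_count]
    return [
        key
        for key, count in bucket_counts(events, group_by).items()
        if min_count <= count <= max_count
    ]


if __name__ == "__main__":
    print("single events only:", evaluate(EVENTS, "element", 4, 10, True))
    print("bucketed:", evaluate(EVENTS, "element", 4, 10, False))
```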