This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

EPL Advanced Rule

OmarGarciaGilio
Beginner
Beginner

‎2016-09-29 07:10 PM

Hi everyone,

 

I need help with one advanced EPL rule. I have the follow LOG estructure:

   event_time, ec_activity, event_log

 

I need an alert when i have two (or more) events that have the same value of 'ec_activity' but diferent value of 'event_log' in a time frame of 10 minutes.

 

I looked the web info of EPL rules and try it with this one:

 

SELECT * FROM Event(
device_type = 'trafmako' AND ec_activity IS NOT NULL AND event_log IS NOT NULL
).std:groupwin(event_log).win:time_length_batch(10 Minutes, 2).std:unique(ec_activity) group by event_log having count(*) = 2;

 

saddly not work. I really appreciate any help.

0 Likes
2 REPLIES 2

LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor

‎2016-09-30 07:02 AM

Hi Omar,

 

The following should fit your needs:


SELECT * FROM Event(ec_activity IS NOT NULL AND event_log IS NOT NULL).std:groupwin(ec_activity).win:time_batch(10 min).std:unique(event_log) GROUP BY ec_activity HAVING COUNT(*) >1;

 

It will look for two or more of the same ec_activity metadata but different event_log metadata.

 

Cheers,

Lee

Anonymous
Not applicable

‎2016-09-30 04:55 PM

Hi Omar - 

 

Did that take care of your issue? 

 

Also, was there a specific reason you were trying to use event_time in your rule? Rather than esa_time? 

 

Thanks!

 

Corey

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.