a week ago
Hi everyone,
We're currently facing an issue with an EPL rule in RSA NetWitness that isn't triggering as expected. The rule is designed to detect a specific sequence of events (Event ID 778 followed by Event ID 780), but the timer in the rule seems to be malfunctioning, causing the alert not to fire when expected.
Here's what we have so far: timer:within(600 Sec), but the rule still isn't triggering correctly. We've checked the following:
Has anyone faced a similar issue with the timer configuration in RSA NetWitness, or could anyone provide guidance on how to adjust the timer or rule logic to get this working?
Any help or insights would be greatly appreciated!
Thank you!
The code I try:
@RSAAlert
SELECT * FROM pattern[
every a = Event(
(device_type = 'windows') AND
(reference_id = '778')
)
-> (not Event(
(device_type = 'windows') AND
(reference_id = '780') AND
time > a.time
) where timer:within(600 Sec))
];
a week ago - last edited a week ago
I'm a little new to EPL but maybe the issue is a missing .win.time(). Check out my version of your rule. See if this helps.
The code I try:
@RSAAlert
SELECT * FROM pattern[
every a = Event(
(device_type = 'windows') AND
(reference_id = '778')
)
-> (not Event(
(device_type = 'windows') AND
(reference_id = '780') AND
time > a.time
) where timer:within(600 sec))
].win.time(650 sec);
I'm using the following two EPL pages as reference.
https://esper.espertech.com/release-4.10.0/esper-reference/html/event_patterns.html
https://esper.espertech.com/release-5.2.0/esper-reference/html/epl-views.html#view-win-time
a week ago
Thanks for your suggestion! I tried implementing the .win.time(650 sec) adjustment in the rule, but unfortunately, it's still not working as expected. I received a validation error, and it seems that .win.time() cannot be used after the pattern block in this case, which is causing the issue. And now the alert fires automatically and not on the timer at all.
Thanks again for your help!
a week ago
I mistyped. Try .win:time(650 sec) in the same location I provided before. The second period was supposed to be a colon.
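The logic the original post describes (alert when a Windows event 778 is not followed by a 780 within 600 seconds) written with the "A not followed by B within N seconds" idiom from the Esper event-patterns reference linked above: `timer:interval(N) and not B` instead of `not B where timer:within(N)`. This is an added example, not code posted by anyone in the thread. It keeps the original rule's meta keys (device_type, reference_id) and drops the `time > a.time` condition, since the followed-by operator already only considers events that arrive after the 778. The correlation key named in the comment is an assumption, not a field the thread mentions.

```epl
// Added example (not from the thread).
// Esper evaluates a bare `not` subexpression as true as soon as nothing has
// matched it, so `a -> (not b where timer:within(600 sec))` can fire the
// moment the 778 arrives. `timer:interval(600 sec) AND NOT b` instead waits
// the full 600 seconds and then fires only if no 780 was seen in that window.
// Assumption: add a shared key to the NOT filter (for example
// `AND device_ip = a.device_ip`) so that a 780 from an unrelated source does
// not cancel the window opened by this 778.
@RSAAlert
SELECT * FROM pattern [
    every a = Event(
        device_type = 'windows' AND
        reference_id = '778'
    )
    -> (
        timer:interval(600 sec)
        AND NOT Event(
            device_type = 'windows' AND
            reference_id = '780'
        )
    )
];
```

Each 778 starts its own 600-second window because of `every`; without a correlation key in the NOT filter, one 780 from anywhere closes every open window, so decide which meta key ties the two events together before deploying this.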