First of all, sorry for my English, it is really bad :-S
Does anybody know if it is possible to concatenate data from multiple different base event fields into a single field in a correlated event?
We are doing a rule that searches for blocked users events. The rule searches for 4 events in 30 seconds. So, we need to put all the destinationUserNames of these base events concatenated, for example, in the destinationUserName field of the correlated event, to send a notification with this information. Is this possible?
Thanks in advance for your help,
Did you try a match / join rule, and match on the events within the time frame?
Can you give me more detail or an example about the match / join rule that you are talking about? Because I can't figure out how to make it.
Thanks for your help.
I didn't understand you when you talked to me about a match / join rule. I already did that type of rule, and the problem that I'm having is that the 4 events that I'm using are the same, and I don't exactly know how I can "consume" the event after the first match. The first event matches with the second event, the third event, and the fourth event. But after that the second event matches with the third event, the fourth and the first event again. And then I have a lot of correlated events, not just one, and the base events are four.
I'm attaching the rule, so you can see it and give me your advice:
I forgot to mention that I have already tried the "Consume after match" option on each event (in the screenshot you don't see it because I'm doing some tests and I forgot to set that option again before taking the screenshots).
With the "Consume after match" option, I brought the correlated events down from hundreds to 24 correlated events when the rule fires.
Thanks in advance,
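Added example, not part of the thread and not the product's rule engine: a small Python model of the situation described above, in which four identical join aliases over the same four base events give 4! = 24 ordered matches, while a single condition with a count threshold gives one correlated event with the destinationUserName values joined. That the rule engine counts each ordering as a separate match is an assumption; the event data, the `count` key and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta
from itertools import permutations

WINDOW = timedelta(seconds=30)   # rule time frame from the thread
THRESHOLD = 4                    # matching events required

# Constructed sample: four lockout events inside 30 s, one outside.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    {"id": i, "time": T0 + timedelta(seconds=s), "destinationUserName": u}
    for i, (s, u) in enumerate(
        [(0, "alice"), (5, "bob"), (11, "carol"), (20, "dave"), (120, "erin")], 1)
]

def join_matches(events, aliases=THRESHOLD):
    """Model of a self-join: every ordered assignment of distinct
    events to identical aliases inside the window counts as a match."""
    hits = []
    for combo in permutations(events, aliases):
        times = [e["time"] for e in combo]
        if max(times) - min(times) <= WINDOW:
            hits.append(tuple(e["id"] for e in combo))
    return hits

def aggregate(events):
    """Model of one condition with a count threshold: fire once per
    THRESHOLD events in the window, consume them, join the user names."""
    correlated, bucket = [], []
    for e in sorted(events, key=lambda e: e["time"]):
        # Drop events that have aged out of the 30-second window.
        bucket = [b for b in bucket if e["time"] - b["time"] <= WINDOW]
        bucket.append(e)
        if len(bucket) >= THRESHOLD:
            names = ", ".join(b["destinationUserName"] for b in bucket)
            correlated.append({"count": len(bucket), "destinationUserName": names})
            bucket = []  # consume the matched events
    return correlated

if __name__ == "__main__":
    print(len(join_matches(EVENTS)), "join matches")
    print(aggregate(EVENTS))
```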