hi, yes, the EventGroup rule is probably the best solution for this case, since it does matching for unordered event groups. However, in order to verify that P1 is the first event to match the rule and trigger the event correlation operation, you could create a context from the 'count' field for P1. Then, you can check for the presence of this context when each S event arrives, which verifies that P1 has been observed in the past. hope this helps, risto
2011/11/4 mindman101 <mindman...@zoho.com>: > > Hello list! > I've been using SEC for a while just configuring single rules. However, now > I'm figuring out how to configure a rule that match a problem and then, > match its symptoms. I mean, for example, match the event P1 and next wait > for time window where S2|S5|S1|S3|S4 will arrive. As you can see, no matter > the arrival order. > I think the new event type EventGroup could help but how? > Thanks for your help. > Gaoke. > ------------------------------------------------------------------------------ > RSA(R) Conference 2012 > Save $700 by Nov 18 > Register now > http://p.sf.net/sfu/rsa-sfdev2dev1 > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > ------------------------------------------------------------------------------ RSA(R) Conference 2012 Save $700 by Nov 18 Register now http://p.sf.net/sfu/rsa-sfdev2dev1 _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
