> However, if you would like to suppress the output message that is
> generated on 3rd input event and rather generate an output message "Events
> A , B and C observed for IP 1.1.1.1" on 5th input event, it is not possible
> to achieve that goal with EventGroup (or any other) rules, since after
> seeing the 3rd event, it is not possible to know in advance what events
> will appear in the future. In other words, SEC rules execute actions
> immediately when a first matching set of events has been seen, and it is
> neither possible to reprocess past events nor postpone actions in the hope
> of better future match (which might never occur).

To add one remark here -- it is possible to configure rules to store their output into context, and if a context contains more than one event, select one of these events for reporting after some event aggregation period, discarding other events. However, in this case reporting will happen with a delay which might not be acceptable for more critical events.

kind regards,
risto
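
A sketch of the context-buffering approach described in the remark above, written as an added example that is not part of the original message or of the SEC distribution. The event format (`EVENT_A <ip>` and so on), the context name `REPORT_<ip>` and the 60-second aggregation period are assumptions made for illustration.

```conf
# Added illustration. Event format, context names and the 60 s period
# are assumptions, not taken from the thread.

# First event for an IP: open a per-IP buffer context. When it expires,
# report only the most recently stored candidate (if any); the context
# and the remaining candidates are then discarded.
type=Single
ptype=RegExp
pattern=^EVENT_[ABC] (\S+)$
context=!REPORT_$1
continue=TakeNext
desc=open report buffer for $1
action=create REPORT_$1 60 ( getsize %n REPORT_$1; \
         if %n ( pop REPORT_$1 %best; write - %best ) )

# Weaker match: stored as a candidate instead of being reported at once.
type=EventGroup2
ptype=RegExp
pattern=^EVENT_A (\S+)$
continue=TakeNext
ptype2=RegExp
pattern2=^EVENT_B (\S+)$
continue2=TakeNext
desc=A and B seen for $1
action=add REPORT_$1 Events A and B observed for IP $1
window=60

# Stronger match: listed after the weaker rule, so its candidate is
# always added last and is the one "pop" selects at expiry.
type=EventGroup3
ptype=RegExp
pattern=^EVENT_A (\S+)$
continue=TakeNext
ptype2=RegExp
pattern2=^EVENT_B (\S+)$
continue2=TakeNext
ptype3=RegExp
pattern3=^EVENT_C (\S+)$
continue3=TakeNext
desc=A, B and C seen for $1
action=add REPORT_$1 Events A, B and C observed for IP $1
window=60
```

With these rules nothing is written until the buffer context expires, which is the reporting delay mentioned in the remark.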