Hi Dusan,
The problem lies in the fact that when the SingleWithThreshold rule starts a
counting operation, match variables in the 'action' field receive their
values from the first event which triggered that operation (that is done
to stay consistent with the substitution of variables in other fields,
Hello SEC Users,
I am using the SingleWithSuppress rule to process timestamped input events. I want to
take action after the 2nd event occurrence within 60 seconds.
The problem I have is that after the second event match, the action is taken and the event
($0) is written to the output, but it uses the timestamp of the first re