SingleWithThreshold reference current input line
Hi Dusan,
the problem lies in the fact that when a SingleWithThreshold rule starts a
counting operation, match variables in the 'action' field receive their
values from the first event which triggered that operation (that is done
for staying consistent with substitution of variables in other
Hello SEC Users,
I am using a SingleWithSuppress rule to process timestamped input events. I want to
take action after the 2nd event occurrence within 60 seconds.
The problem I have is that after the second event match, the action is taken and the event
($0) is written to the output, but it uses the timestamp of the first