Hello,

you definitely described my scenario better than me. This is the one I’m after:

0, 2, 23, 54 -- events at minutes 2 and 23 should be suppressed, but the event at minute 54 should trigger an action, since it happens 31 minutes after the event 23

0, 11, 32, 44, 61 -- events at minutes 11, 32 and 44 should be suppressed, since they are separated by less than 30 minutes, but the event at minute 61 should trigger an action, since the suppression can't last for longer than 1 hour

Any ideas?

M.

From: Risto Vaarandi <risto.vaara...@gmail.com>
Sent: Tuesday, 14 March 2023 15:52
To: Spelta Edoardo <edoardo.spe...@beta80group.it>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Duplicate suppression and rearming

hi Mugugno,

let me clarify your scenario a bit, considering the diagram from your post:

T1---------------------------T27-----------T30-------------------T57-------------T60----------T61
Event suppr suppr suppr suppr suppr Event

Do you want the suppression to start after the time moment T1 when the first event was observed and run for 1 hour, so that this window would not be sliding? Or do you rather want the time window between two *consecutive* events to be less than N minutes in order to suppress them, so that suppression would work during max 1 hour?

For example, suppose N=30 minutes and consider the following events happening at these minutes:

0, 2, 23, 54 -- events at minutes 2 and 23 should be suppressed, but the event at minute 54 should trigger an action, since it happens 31 minutes after the event 23

0, 11, 32, 44, 61 -- events at minutes 11, 32 and 44 should be suppressed, since they are separated by less than 30 minutes, but the event at minute 61 should trigger an action, since the suppression can't last for longer than 1 hour

I would appreciate it if you could provide some additional comments on your scenario.

kind regards,
risto

Hello,

I’ve recently been struggling with SEC to implement something for this specific use case: suppressing specific entries read from a syslog for a certain amount of time (say 30min) but make sure that after a longer time (say 1h), if they are still being received, I’m getting a new one.
If these events are being received continuously they will always be suppressed because the windows will be sliding accordingly, but I’m trying to find a way to make it stop after 1h.

The sequence should look like this:

T1---------------------------T27-----------T30-------------------T57-------------T60----------T61
Event suppr suppr suppr suppr suppr Event

I tried combining a SingleWithSuppress (which is ok for the suppression part) and context expiration but I cannot find a working solution.

Anybody already faced this use case? Any help appreciated!

Thanks and regards,
Mugugno

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
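
The behaviour settled on in this thread (suppress an event while it arrives less than N minutes after the previous one, but never for longer than 1 hour after the last event that was acted on), as an added Python sketch that is not part of the thread and is not a SEC rule. The names `BoundedSuppressor` and `actions` are hypothetical, and treating an event that arrives exactly 30 or 60 minutes after its reference point as no longer suppressed is an assumption.

```python
GAP = 30         # N from the thread: closer consecutive events are suppressed
MAX_WINDOW = 60  # suppression may not outlast this many minutes


class BoundedSuppressor:
    """Sliding duplicate suppression with a hard upper bound, tracked per key."""

    def __init__(self, gap=GAP, max_window=MAX_WINDOW):
        self.gap = gap
        self.max_window = max_window
        # key -> (minute of the last acted-on event, minute of the last event seen)
        self.state = {}

    def observe(self, minute, key="default"):
        """Return True if the event triggers an action, False if suppressed."""
        prev = self.state.get(key)
        if prev is not None:
            started, last = prev
            # Sliding part: compare against the previous event, acted on or not.
            quiet_too_long = minute - last >= self.gap
            # Bounded part: compare against the event that opened the window.
            # The >= boundary is an assumption (see lead-in).
            window_expired = minute - started >= self.max_window
            if not (quiet_too_long or window_expired):
                # Slide the window forward but keep its original start.
                self.state[key] = (started, minute)
                return False
        # First event for this key, or suppression has ended: act and re-arm.
        self.state[key] = (minute, minute)
        return True


def actions(minutes, key="default", gap=GAP, max_window=MAX_WINDOW):
    """Return the minutes at which an action fires for one ordered event stream."""
    s = BoundedSuppressor(gap, max_window)
    return [m for m in minutes if s.observe(m, key)]


if __name__ == "__main__":
    # The two sequences discussed in the thread.
    for seq in ([0, 2, 23, 54], [0, 11, 32, 44, 61]):
        print(seq, "->", actions(seq))
```

Tracking two timestamps per key is the point: a rule that only remembers the previous event slides forever under a continuous stream, while one that only remembers the first event cannot re-arm early after a quiet period.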