Dears,
I need to create an Event Correlation rule that performs a sequence that group by for a value and meantime count for another value.
My scope is:
sequence by user.name with maxspan=10m and count county >= 2
sequence 1
sequence 2
I couldn't find any way to do it. Could anyone help me?
Thank you.
Best regards
Hi there 
,
If I understand your use case correctly, you are not able to due this in a single rule, but you should be able to achieve it leveraging building block rules (BBR) and a threshold rule.
You would need to do this in a few parts:
county > 2 with a lookback (to - from) of 10m (as a BBR)maxspan=10 and sequence1, sequence2 (as a BBR)sequence by user.name with maxspan=10m
[any where event.kind == "signal" and kibana.alert.rule.rule_id == "<ruleA.rule_id>"]
[any where event.kind == "signal" and kibana.alert.rule.rule_id == "<ruleB.rule_id>"]
You may have to play with timing of the 2 maxspans and the lookback to get it right, but this should achieve what you are trying to do. You also don't necessarily need to use BBR's for the 2 interim rules, but if you don't, then you will get 3 alerts every time this fully completes.
Hope this helps
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.