Cardinality on message

kommradHomer · September 1, 2020, 7:36am

Hello ,
I have messages like

“trying cardinality:[3,5,7]”
“trying cardinality:[3]”
“trying cardinality:[3,5,7]”
“trying cardinality:[5,7]”
“trying cardinality:[3,5,7]”

these are in the “message” and “fullmessage” .
I’m trying to create an event definition , that catches if cardinality of these messages above are greater than 2. But I see no events generated.

Does cardinality not work on strings ? or if I simply have some number in the message like “trying cardinality:1234” , how do I run the cardinality on the numeric part of the message ?

ttsandrew · September 1, 2020, 11:21pm

Hello @kommradHomer, welcome!

You can use an extractor to copy the numeric portion of the message into its own field and then create an event definition against that. Personally I am partial to regex extractors but there are many options available, just be sure to set one up and then apply a numeric transformation to the field once the number is extracted.

system · September 15, 2020, 11:20pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.