I really need help with this problem as soon as possible. When I'm in the event definition and choose "Create Events for Definition if filter has results", for example with an Event Limit of 1 or any other number, the fields in my Microsoft Teams and email notifications are filled with the information from the log.
However, when I choose "Create Events for Definition if Aggregation of results reaches a threshold", for example a count of 2 if the device vendor is Trend Micro and event_class_id 393 appears twice, because I only want to be notified when one of the events appears twice in the last 10 minutes, the fields in my Teams or email notifications are not filled. How can I fix this problem?
I hope my screenshots give you enough information; if you need more, let me know. But I don't know what I could do to fix this problem. (Please ignore the "Search within the last 5xx hours"; I set it so that I did not have to trigger an event every time to test the notification.)
I would appreciate it if someone could help me.
I'm away from my computer today, but I'm fairly certain that you can only get field values that are used in the group by of the aggregation, or the outputs of the aggregation themselves (count=5). Because it's an aggregation, each message could have a different value in that field, so the issue is which value it is supposed to use in the message.
So if I understand it correctly, it depends on what I choose for the "Group By" of the aggregation? Should it be the same as the "Fields"? And okay, the output you mean will just give me the number for which I set the threshold, like = 3, so it will give me 3 back, right?
Have you taken a look at the aggregation function to do this? First you need to have a search query that works, and after that you can create an aggregation that counts the messages within a period. Your period should be 10 minutes, repeated every minute, if 2 messages within 10 minutes is what is needed.
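To make the two answers above concrete, here is a small model of an aggregation-based event definition, written for this thread as an added example (it is not Graylog code and does not use Graylog's API). It evaluates a constructed set of sample messages over a 10-minute window for the poster's filter (vendor Trend Micro, event_class_id 393, count of at least 2) and shows which fields can appear in the resulting event: the group-by fields and the count. Any other field whose value differs between the matched messages is listed as unavailable, which is exactly why those fields stay empty in the Teams and email notification. The message layout, field names and hostnames are assumptions for the demonstration.

```python
# Added example (not Graylog's code): model an aggregation-based event
# definition to show which fields a notification can carry.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample messages (not taken from the original post).
MESSAGES = [
    {"timestamp": "2024-01-10T10:00:10", "vendor": "Trend Micro",
     "event_class_id": "393", "source": "host-a", "message": "Virus detected on host-a"},
    {"timestamp": "2024-01-10T10:04:30", "vendor": "Trend Micro",
     "event_class_id": "393", "source": "host-b", "message": "Virus detected on host-b"},
    {"timestamp": "2024-01-10T10:05:00", "vendor": "Trend Micro",
     "event_class_id": "100", "source": "host-a", "message": "Pattern update"},
    {"timestamp": "2024-01-10T10:20:00", "vendor": "Trend Micro",
     "event_class_id": "393", "source": "host-c", "message": "Virus detected on host-c"},
]


def matches_filter(msg):
    """The search query part of the definition: vendor AND event class."""
    return msg["vendor"].lower() == "trend micro" and msg["event_class_id"] == "393"


def evaluate(messages, group_by, window_minutes, threshold, now_str):
    """Run one scheduled execution of the definition for the window ending at now.

    Returns one event context per group whose count reaches the threshold.
    Only group-by fields and the count have a single well-defined value;
    fields that differ between the matched messages are reported as
    'unavailable' because there is no one value to put in a notification.
    """
    now = datetime.fromisoformat(now_str)
    start = now - timedelta(minutes=window_minutes)
    groups = defaultdict(list)
    for m in messages:
        ts = datetime.fromisoformat(m["timestamp"])
        if start <= ts <= now and matches_filter(m):
            groups[tuple(m[f] for f in group_by)].append(m)

    events = []
    for key, msgs in groups.items():
        if len(msgs) < threshold:
            continue
        context = dict(zip(group_by, key))   # group-by fields are available
        context["count"] = len(msgs)         # the aggregation output is available
        other_fields = set().union(*(m.keys() for m in msgs)) - set(group_by) - {"timestamp"}
        # A non-grouped field is only unambiguous if every matched message agrees.
        context["unavailable"] = sorted(
            f for f in other_fields if len({m.get(f) for m in msgs}) > 1)
        events.append(context)
    return events


if __name__ == "__main__":
    # Two 393 events within the window: an event fires, but 'source' and
    # 'message' differ between the two hits and so cannot be rendered.
    print(evaluate(MESSAGES, ["vendor", "event_class_id"], 10, 2, "2024-01-10T10:10:00"))
    # Adding 'source' to the group by makes it available, but also splits the
    # count per host, so no group reaches 2 and nothing fires.
    print(evaluate(MESSAGES, ["vendor", "event_class_id", "source"], 10, 2, "2024-01-10T10:10:00"))
```

Running it shows the trade-off behind the advice in the thread: every field you want in the notification must be part of the group by, but each field you add to the group by narrows what is counted together, so the threshold may no longer be reached.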
Yes, I already looked at the aggregation function and I have a query that works, and yes, I know how to count the messages. But I think you don't understand what I want in my thread. It seems my problem cannot be fixed; I spoke with people and they already told me that it is not possible to get the information I need, like in the attached screenshot, with the aggregation, and it is only possible to get something like the counter of how many messages match the query in the last 10 minutes and so on. But thank you very much for your time.
I try to print any field in my above code. I just cannot print anything apart from message. I cannot print any data fields.