Hi, guys!
How can I use a logical OR operator in ‘Field content condition’? Is this possible to make something like ‘if event_id contains value ‘1’ or ‘2’ raise an alert’? Can someone help?
I tried a lot of queries: (4720 OR 636), 4720 OR 636, ^(4720|636)$ and etc.
Hey @ioneyaqoo,
AFAIK, this is not possible. But a fix is simple, just create two Field Content Alert Conditions on the same stream 
Greetings - Phil
I believe you could also set up a stream that looks at the winlogbeat_event_id and matches to regular expression.
The regex would be something like (1|2). Then you would set up an alert to look at the message count in that stream.
I haven’t tested this and am unsure if it would actually work, but I don’t see why not!
Regards,
G
Thank you, Phil.
I knew about this option before I created the topic.
I just wanted to make the contents of the page with alerts conditions more readable, without duplicate conditions for each event.
Thanks, G
I tested this scenario before and it works, but still need a lot of streams for each event group.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
