Example: Check whether there is a time delay between events
To enrich the event message, perform the following steps:
Actions used in the example
The following actions are used in the example:
- Lookup
- Variable
- Enrich
- If-Then-Else
For more information about actions, see Actions-for-advanced-and-time-based-enrichment.
To define the event selection criteria
- Select Configuration > Event Policies and click Create.
- In the Event Selection Criteria, define a condition to select events that contain the message "testTime".
The following image illustrates how the event selection criteria will look:
To learn how to construct the event selection criteria, see Creating-and-enabling-event-policies.
To build the policy workflow
On the Advanced Enrichment page, perform the following steps to build the policy workflow:
- Add the Lookup action to search for a unique event. In the Lookup Settings, select With custom criteria.
- Add the Update incoming events action.
- Add the Variable action to retrieve the current timestamp by using the CurrentTimeStamp function and to store the function value in the $currentTime variable.
- Add the Variable action to calculate the time delay (for example, 5 minutes) from the current time and to store the result of the Math function as the variable value.
- Add the If action to check whether the time delay calculated in the previous step is greater than the event occurrence time.
- Under Then, add an Enrich action to enrich the detailed message in the event.
- Under Else, add an Enrich action to enrich the detailed message in the event.
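As an added illustration, not code from the product or the original page, the following Python mirrors the workflow logic above (Lookup, Variable with CurrentTimeStamp, Math, If-Then-Else and Enrich) over a constructed in-memory event store. The function names, the event field names and the use of epoch seconds for timestamps are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample event store (not from the original page). Each event carries
# the message matched by the selection criteria and its occurrence time in epoch seconds.
EVENT_STORE = [
    {"id": 1, "msg": "testTime", "occurred": 1_700_000_000, "detail": ""},
    {"id": 2, "msg": "other",    "occurred": 1_700_000_100, "detail": ""},
]

DELAY_MINUTES = 5  # the delay the Math function subtracts from the current time


def lookup(store, msg):
    """Lookup action with custom criteria: the most recent stored event with this message."""
    matches = [e for e in store if e["msg"] == msg]
    return max(matches, key=lambda e: e["occurred"]) if matches else None


def current_timestamp(now=None):
    """Variable action using CurrentTimeStamp: epoch seconds (UTC); `now` overrides for testing."""
    if now is None:
        return int(datetime.now(timezone.utc).timestamp())
    return int(now)


def delay_threshold(current_time, minutes=DELAY_MINUTES):
    """Variable action using Math: current time minus the delay, in seconds."""
    return current_time - minutes * 60


def enrich_for_delay(incoming, store, now=None):
    """If-Then-Else: compare the threshold with the occurrence time of the looked-up event
    and enrich the detailed message of the incoming event. Returns the enriched event."""
    previous = lookup(store, incoming["msg"])  # incoming is not yet in the store
    threshold = delay_threshold(current_timestamp(now))
    if previous is None or threshold > previous["occurred"]:
        # Then: more than DELAY_MINUTES have passed since the last matching event
        incoming["detail"] = f"No matching event within the last {DELAY_MINUTES} minutes"
    else:
        # Else: a matching event occurred inside the delay window; record the gap
        gap = incoming["occurred"] - previous["occurred"]
        incoming["detail"] = f"Matching event {previous['id']} seen {gap}s earlier"
    return incoming
```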
Results
The resulting policy workflow checks if there is a time delay between events as shown in the following image: