Example: Check whether there is a time delay between events

To enrich the event message, perform the following steps:

1. Define the event selection criteria.
2. Build the policy workflow.

Actions used in the example

The following actions are used in the example:

• Lookup
• Variable
• Enrich
• If-Then-Else

For more information about actions, see Actions for advanced and time-based enrichment.

To define the event selection criteria

1. Select Configuration > Event Policies and click Create.
2. In the Event Selection Criteria, define a condition to select events that contain the message "testTime".

The following image illustrates how the event selection criteria will look:

To learn how to construct the event selection criteria, see Creating and enabling event policies.

To build the policy workflow

On the Advanced Enrichment page, perform the following steps to build the policy workflow:

Success

TipYou can hover over an action to view the complete label for the action as shown:

1. Add the Lookup action to search for a unique event. In the Lookup Settings, select With custom criteria.
   
   
   
2. Add the Update incoming events action.
   
   
3. Add the Variable action to retrieve the current timestamp by using the CurrentTimeStamp function and to store the function value in the $currentTime variable.
   
   
   
4. Add the Variable action to calculate the time delay (For example, 5 minutes) from the current time and to store the result of the Math function as the variable value.
   
   
   
5. Add the If action to check if the time delay calculated in the previous step is more than the event occurrence time.
   
   
   
6. Under Then, add an Enrich action to enrich the detailed message in the event.
   
   
   
7. Under Else, add an Enrich action to enrich the detailed message in the event.
   

Results

The resulting policy workflow checks if there is a time delay between events as shown in the following image: