IBM QRadar

 CEP that contains multiple matches, or a count of multiple matches

Ricardo Adrian Ayala posted Mon May 26, 2025 11:07 AM

Hello,

I've been trying to create a rule that detects when a certain node is down, information that comes from a specific event from a log source that summarizes the health status of all the nodes in the environment. The thing is that it brings all the information hourly and we have to work with it as it is. So, to view which nodes are down, we need to view when a certain node comes as "Node examplenode Unreacheable".

The thing is that we don't know how many of those instances will come in the payload. What I wanted originally is to create an iterative RegEx that matches all the nodes that are down and populates the CEP. I was told by IBM that DSM can't work with iterative RegEx and that we could parse individually each time the information appears, and then concatenate them in another AQL-based CEP. The issue here is that we don't know how many will appear, as the use of this rule is to make us aware that one, five, twenty, or all of our sensors are down. Parsing the number of sensors would be ridiculous and not optimal for the tool.

The other alternative was to use AQL to count the number of times "Unreachable" appears, and do a CEP based on this. Then the rule will trigger when it's >0, and analysts can search for those instances. If it is "5", well then analysts must search and specify the five nodes that are down. Again, IBM support said that "the only action is to do it through AQL and CONCAT the values."

We are required to SHOW in the detection how many nodes are down, so that's why the effort here is to provide analysts with the full information. Also, this will be useful for metrics.

Thank you!
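The extraction the post is asking for, shown as an added, stand-alone illustration that is not part of the original post and not QRadar DSM or AQL code: one regular expression applied repeatedly over a single hourly summary payload, yielding both the count of unreachable nodes and a concatenated list suitable for a single custom property, plus the ">0" trigger condition. The payload format, the node naming and the `healthmon` prefix are constructed assumptions, since the post does not show the real event.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of an hourly node-health summary event (assumed format;
# the real log source's layout is not shown in the post).
SAMPLE_PAYLOAD = (
    "2025-05-26T11:00:00Z healthmon summary: "
    "Node sensor-01 Reachable; Node sensor-02 Unreachable; "
    "Node sensor-03 Reachable; Node sensor-07 Unreachable; "
    "Node sensor-12 Unreachable; Node sensor-02 Unreachable"
)

# One pattern, applied iteratively over the whole payload. It captures the node
# name that precedes "Unreachable". The optional "e" and IGNORECASE make the
# misspelled variant "Unreacheable" quoted in the post match as well.
NODE_DOWN_RE = re.compile(r"Node\s+(\S+)\s+Unreach(?:e)?able", re.IGNORECASE)


@dataclass
class DownNodes:
    count: int
    nodes: list[str] = field(default_factory=list)
    cep_value: str = ""  # concatenated value an analyst sees in one property


def extract_down_nodes(payload: str) -> DownNodes:
    """Find every unreachable node in a single summary payload.

    Returns the de-duplicated node list (order of first appearance), its
    length, and a comma-joined string so the full detail survives in one
    property rather than requiring one property per sensor.
    """
    seen: list[str] = []
    for node in NODE_DOWN_RE.findall(payload):
        if node not in seen:  # the same node may be reported twice in one run
            seen.append(node)
    return DownNodes(count=len(seen), nodes=seen, cep_value=",".join(seen))


def should_alert(result: DownNodes, threshold: int = 0) -> bool:
    """Rule condition from the post: fire when the count of down nodes is > threshold."""
    return result.count > threshold


if __name__ == "__main__":
    result = extract_down_nodes(SAMPLE_PAYLOAD)
    print(f"down_count={result.count} down_nodes={result.cep_value}")
    print("alert" if should_alert(result) else "no alert")
```

Because the summary arrives once an hour, the count and the joined list in a single property are what an analyst can pivot on without knowing in advance how many sensors are reported down; a payload with no "Unreachable" entries yields a count of 0 and an empty list, so the rule stays silent.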