Matching multiple events
In a rule you can match one or more events from the same source. Once all the events match it executes the action. Two extra variables are passed into the playbook:
events
facts
Example:
condition:
all:
- event.i == 1
- event.i == 2
The variables passed into the playbook would have the following values:
{
"variables": {
"events": {
"m_0": {
"i": 1
},
"m_1": {
"i": 2
}
},
"facts": {
"m_0": {
"i": 1
},
"m_1": {
"i": 2
}
}
}
}
Example with assignments:
condition:
all:
- events.first << event.i == 1
- events.second << event.i == 2
The variables passed into the playbook would have the following values:
{
"variables": {
"events": {
"first": {
"i": 1
},
"second": {
"i": 2
}
},
"facts": {
"first": {
"i": 1
},
"second": {
"i": 2
}
}
}
}
Notes:
The same event expression cannot be used more than once. In the case below event.i == 1
has been used twice so it wont match anything:
condition:
all:
- events.first << event.i == 1
- event.i == 1
In the below case event.i == 2 has been used twice so it wont match anything:
condition:
all:
- events.saveme << event.i == 2 and event.i > 0
- event.i == 2
Once an event matches it is removed and wont match any subsequent conditions. This case would work since the event expression is different:
condition:
all:
- events.saveme << event.i == 2 and event.i > 0
- event.i == 0