One of my biggest desires right now is for more advanced control over when rules fire. Particularly, I have an event that will generate anywhere from 1 to 10 entries each time it occurs. I want to be alerted each time this event occurs, but I do not want to receive 10 alerts for the same event. I can't configure it to watch for a specific number of event entries, because I do not know how many it will generate each time, and to my knowledge, there is not an option to ignore further event entries that are generated at the same time as the original. The only way to do that would be to use a correlation, but since correlations require more than one event entry, it would require a minimum of 2 distinct entries before my rule would fire, and I would miss some of the events.
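The behaviour asked for above, sketched as an added example that is not part of the original post and is not any product's rule syntax: alert on the first entry of a burst and suppress the rest, compared with a correlation rule that needs at least 2 entries. The 30-second quiet window, the `(host, event id)` key and the sample entries are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample entries (timestamp, host, event id); not from the original post.
SAMPLE = [
    ("2024-01-01T10:00:00", "srv1", "E100"),  # one occurrence, 3 entries
    ("2024-01-01T10:00:01", "srv1", "E100"),
    ("2024-01-01T10:00:02", "srv1", "E100"),
    ("2024-01-01T10:05:00", "srv1", "E100"),  # one occurrence, 1 entry
    ("2024-01-01T10:09:00", "srv2", "E100"),  # one occurrence, 2 entries
    ("2024-01-01T10:09:01", "srv2", "E100"),
]

QUIET = timedelta(seconds=30)  # assumed gap that separates two occurrences


def group_bursts(entries, quiet=QUIET):
    """Group entries per (host, event id) into bursts separated by a quiet gap."""
    parsed = sorted((datetime.fromisoformat(ts), host, eid) for ts, host, eid in entries)
    bursts, current, last_seen = [], {}, {}
    for ts, host, eid in parsed:
        key = (host, eid)
        prev = last_seen.get(key)
        if prev is None or ts - prev > quiet:
            # First entry of a new occurrence: this is the moment to alert.
            current[key] = {"key": key, "first": ts, "count": 1}
            bursts.append(current[key])
        else:
            # Same occurrence: count the entry, raise no further alert.
            current[key]["count"] += 1
        last_seen[key] = ts  # sliding window: each entry extends the burst
    return bursts


def first_entry_alerts(entries, quiet=QUIET):
    """One alert per occurrence, however many entries it produced."""
    return [(b["first"].isoformat(), *b["key"]) for b in group_bursts(entries, quiet)]


def correlation_alerts(entries, minimum=2, quiet=QUIET):
    """Correlation-style rule: fires only when a burst reaches `minimum` entries."""
    return [(b["first"].isoformat(), *b["key"])
            for b in group_bursts(entries, quiet) if b["count"] >= minimum]


if __name__ == "__main__":
    print("first-entry rule:", first_entry_alerts(SAMPLE))
    print("correlation rule:", correlation_alerts(SAMPLE))
```

On the sample, the first-entry rule raises three alerts, while the correlation rule raises two and misses the single-entry occurrence at 10:05:00.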