The Conditions in the Alert Policies of Enterprise Alert are really powerful. You can combine multiple single conditions with “AND” or “OR” links in order to get more complex conditions
The following provides some guidance about how to create those kinds of more complex conditions.
1. Create some initial conditions
To create new conditions, just create a new or change an already existing alert policy. Press the “Add Condition” button in the headline to add a new condition with the desired event parameter, type of condition and value to match.
2. Select the conditions you would like to link
Select the desired conditions that you want to link by clicking onto the conditions and thus highlight them.
3. Link the conditions
Click the button “Link Conditions AND” or “Link Conditions OR” in the headline for the desired link type. This will then link the selected conditions with “AND” or “OR”.
4. Repeat the actions above to link other conditions as desired
As shown below you are able to link all required conditions in the same way.
5. Linking on the next level
To link already linked conditions you have to select them all, i.e. in the example below you have to select the two “AND” conditions as well as all sub-conditions to their right.
6. Create the new conditions and link them with already linked onesClick onto the button in the headline for the desired link action and your conditions will be linked accordingly.You can then add further conditions and link them up in the same was.
This allows you to create most complex conditions in order to filter event data.