Hello Stewart,
You can set a counter so you may only receive alert if several events on the same rule are matched. Default is 0 which means that the first event matched will generate an alert. count must be a positive number. count has no effect on ignore rules.
2007/7/11, Stewart Larsen <stl19847 at yahoo.com>:
Not sure if this is the right place...
I have a particular error in my logs. It's not a real issus unbless I see 10 of them in a 30 minute period, so I set up a rule in the msgs section...
<msgs> <setting name="summary" value="true" /> <match logfile="Application" eventid="3317" count="10" delay="30m" /> </msgs>
Is this syntax correct?
The syntax is good but actually, count option just helps to trigger events that appear often in the last 30 minutes (your delay setting). If count is reached, msgs agent will still report all of the events because depending the rules, events can be different each other.
If you really doesn't want the event to be reported, may be you should ignore it definitively.
Regards,
-- Etienne GRIGNON