Union Operator; Intersection Operator; Discriminator Operator; Order Of Operators - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

filter(e.sev = 5) flow trigger(3, 60)
The output of the filter operation is the input of the trigger operation. The trigger only counts events
with severity equal to 5.

4.5.2 Union Operator

The union of the left side operation output set and the right side operation output set. The resulting
output set contains events from either the left-hand side operation output set or the right-hand side
operation output set without duplicates.
For example:
filter(e.sev = 5) union filter(e.sip = 10.0.0.1)
is equivalent to
filter(e.sev = 5 or e.sip = 10.0.0.1)

4.5.3 Intersection Operator

The intersection of the left side operation output set and the right side operation output set. The
resulting output set contains events that are common in both the left-hand side operation output set
and the right-hand side operation output set without duplicates.
For example:
filter(e.sev = 5) intersection filter(e.sip = 10.0.0.1)
is equivalent to
filter(e.sev = 5 and e.sip = 10.0.0.1)

4.5.4 Discriminator Operator

The discriminator operator allows users to group by event fields within other event operations.
Discriminator can be used within the trigger, gate, or sequence operations. This is the last operation
when executing a condition. The input for this operator will generally be the output of other
operations, if any.
For example, this filter expression is used to identify five severity 5 events within 60s that all have
the same Source IP. Note that the attribute (SIP in this example) can be any value, even a NULL, but
it must be the same for all five events in order for the rule to fire.
filter(e.sev=5 ) flow trigger(5, 60s, discriminator(e.sip)

4.6 Order of Operators

The operator precedence (from highest (top) to lowest (bottom)) are:
48 Sentinel 6.1 Reference Guide