Operators; Flow Operator; Union Operator; Intersection Operator - Novell SENTINEL RAPID DEPLOYMENT 6.1 - REFERENCE GUIDE 06-15-2009 Reference Manual


3.5 Operators

Operators are used to transition between operations or expressions. The fundamental operators used
between operations are:

Flow operator

Union operator

Intersection operator

Discriminator operator

3.5.1 Flow Operator

The output set of events of the left-hand side operation is the input set of events for the right-hand
side operation. Flow is typically used to transition from one correlation operation to the next.

For example:

filter(e.sev = 5) flow trigger(3, 60)

The output of the filter operation is the input of the trigger operation. The trigger only counts events
with severity equal to 5.

3.5.2 Union Operator

The union operator returns the union of the left-hand side operation output set and the right-hand side
operation output set. The resulting output set contains events from either the left-hand side operation
output set or the right-hand side operation output set, without duplicates.

For example:

filter(e.sev = 5) union filter(e.sip = 10.0.0.1)

is equivalent to

filter(e.sev = 5 or e.sip = 10.0.0.1)

3.5.3 Intersection Operator

The intersection operator returns the intersection of the left-hand side operation output set and the
right-hand side operation output set. The resulting output set contains the events that are common to
both the left-hand side operation output set and the right-hand side operation output set, without
duplicates.

For example:

filter(e.sev = 5) intersection filter(e.sip = 10.0.0.1)

is equivalent to

filter(e.sev = 5 and e.sip = 10.0.0.1)
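
The following Python model is an added illustration of the flow, union, and intersection semantics described above; it is not Sentinel code or part of the original guide. The event records are constructed, all function names are hypothetical, and the trigger behavior (fire when the given number of input events arrive within the given number of seconds) is an assumption.

```python
from collections import namedtuple

# Constructed sample events: id, timestamp in seconds, severity, source IP.
Event = namedtuple("Event", "id ts sev sip")
EVENTS = [
    Event(1, 0, 5, "10.0.0.1"), Event(2, 10, 3, "10.0.0.1"),
    Event(3, 20, 5, "10.0.0.2"), Event(4, 50, 5, "10.0.0.1"),
    Event(5, 200, 5, "10.0.0.3"), Event(6, 210, 2, "10.0.0.4"),
]

def filter_op(pred):
    """filter(...): output the input events that match the predicate."""
    return lambda events: [e for e in events if pred(e)]

def flow(left, right):
    """left flow right: the output set of left is the input set of right."""
    return lambda events: right(left(events))

def union(left, right):
    """Events in either output set; keying by id removes duplicates."""
    def run(events):
        merged = {e.id: e for e in left(events) + right(events)}
        return sorted(merged.values(), key=lambda e: e.ts)
    return run

def intersection(left, right):
    """Events common to both output sets, each listed once."""
    def run(events):
        common = {e.id for e in right(events)}
        return [e for e in left(events) if e.id in common]
    return run

def trigger(count, seconds):
    """Assumed semantics: fire once `count` input events fall within `seconds`."""
    def run(events):
        fired, window = [], []
        for e in sorted(events, key=lambda e: e.ts):
            window = [w for w in window if e.ts - w.ts <= seconds] + [e]
            if len(window) >= count:
                fired.append([w.id for w in window])
                window = []
        return fired
    return run

def ids(events):
    return [e.id for e in events]

sev5 = filter_op(lambda e: e.sev == 5)
from_ip = filter_op(lambda e: e.sip == "10.0.0.1")
if __name__ == "__main__":
    print(ids(union(sev5, from_ip)(EVENTS)), ids(intersection(sev5, from_ip)(EVENTS)))
    print(flow(sev5, trigger(3, 60))(EVENTS), trigger(3, 60)(EVENTS))
```

Without the filter in front of it, the modeled trigger fires on events 1, 2, and 3, which includes a severity 3 event; placed after the flow operator it fires only on the severity 5 events 1, 3, and 4.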
Sentinel 6.1 Rapid Deployment Reference Guide
