Configuring multiple resource columns
Learn how to configure multiple resource columns.
About this task
The repattern_multiresource_correlation_logic parameter is used to determine how multiple resources are checked for inclusion in a pattern. It also controls how events with similar resources are grouped together in the Event Viewer. If resource values are similar, then the corresponding events are grouped together in a single event group in the Event Viewer. Within EA, similar resources can be any of the following:
- Exact match: this is the default setting. The resource names must match exactly.
- Regular expression: you can define a regular expression to group together resources that match the regular expression.
- Name similarity: you can configure the system to use the name similarity mechanism. This mechanism determines whether two resource names are similar using a pattern matching algorithm that uses predefined parameters. For example, the first three characters in the resource name must be the same, or the last three characters in the resource name must be the same.
The repattern_multiresource_correlation_logic parameter is configured with the OR value by default. Use this procedure to change the setting.
Only change the repattern_multiresource_correlation_logic setting if you understand the effects that this change will have on how the resulting groups are presented in the Event Viewer. When OR logic is specified, it correlates two events by resource as soon as the pattern is met for just one resource. When AND logic is specified, only "Exact match" resource matching is used and the criteria must be met for all of the resource values.
Note: If one resource field is selected per event type, the resource fields for each event type can be different. In this case AND logic is the same as OR logic. If more than one resource field is selected, the resource fields for each event type must be the same.
Note: Suggested patterns only use one resource field. They are never generated with multiple
resources.
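The following added example is a simplified model of the OR and AND behavior described above. It is not the product's own code. The field names Node and Location, the sample events, and the reading that a regular expression groups two values when both match it are assumptions.

```python
import re

def similar(a, b, mode="exact", regex=None, n=3):
    """Decide whether two resource values count as similar (simplified model)."""
    if mode == "exact":
        return a == b
    if mode == "regex":
        # Assumption: two values are grouped when both match the expression.
        return bool(re.fullmatch(regex, a)) and bool(re.fullmatch(regex, b))
    if mode == "name":
        # The page's illustration: same first n or same last n characters.
        return a[:n] == b[:n] or a[-n:] == b[-n:]
    raise ValueError(f"unknown matching mode: {mode}")

def correlated(ev1, ev2, fields, logic="OR", mode="exact", regex=None):
    """Return True if two events correlate on the selected resource fields."""
    if logic == "AND":
        # AND: only exact match is used, and every resource field must match.
        return all(similar(ev1[f], ev2[f], "exact") for f in fields)
    if logic == "OR":
        # OR: one matching resource field is enough to correlate the events.
        return any(similar(ev1[f], ev2[f], mode, regex) for f in fields)
    raise ValueError(f"unknown logic: {logic}")

# Constructed sample events; not taken from any real system.
E1 = {"Node": "nyc-rtr-01", "Location": "NYC"}
E2 = {"Node": "nyc-rtr-02", "Location": "NYC"}
E3 = {"Node": "nyc-rtr-01", "Location": "NYC"}
E4 = {"Node": "lon-sw-07", "Location": "LON"}
FIELDS = ["Node", "Location"]

if __name__ == "__main__":
    for logic in ("OR", "AND"):
        for name, other in (("E2", E2), ("E3", E3), ("E4", E4)):
            print(logic, "E1 vs", name, correlated(E1, other, FIELDS, logic))
```

With two resource fields selected, E1 and E2 fall into the same group under OR because Location matches, but stay separate under AND because Node differs.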