28 Jul 2024 09:07 AM - last edited on 29 Jul 2024 08:51 AM by MaciejNeumann
Hi guys,
The customer asks us to check whether all services are in Running status except for 3 services.
Within the detection rules we can set a positive $or for more than one service.
But when adding $not in order to negate those services, we get a syntax error.
Also, $not with $and is not accepted and shows a syntax error.
Any suggestion on how to fulfill this request will be appreciated.
Thanks in advance
Yos
28 Jul 2024 10:46 AM
It seems AureAttestService & webClient are two different services, so I believe you have to create two different rules.
28 Jul 2024 10:57 AM - edited 28 Jul 2024 10:59 AM
Hi @Esam_Eid
Thanks for your suggestion; maybe I did not explain myself clearly, hence I will try again to state our goal here:
We are looking for an alert on ALL services besides those 2 services.
In other words, we want to get an alert if any service besides those 2 is not in Running mode.
Thanks
Yos
28 Jul 2024 12:19 PM
Hi @Yosi_Neuman ,
I just created the rules below to test. The first one should be used if you want to exclude any of the services.
The second one is for if you want to include everything under monitoring; you just add any prefix which will never match any service name.
After testing I could see the alerts triggered for all stopped services.
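The following is an added example, not code from the thread and not the product's detection-rule syntax. It models in plain Python the check the thread is after ("alert if any service other than an excluded set is not Running") and shows why one negation per excluded name gives the same result as negating the whole $or: by De Morgan, not (A or B) is equivalent to (not A) and (not B). The service inventory is constructed; only the two names AureAttestService and webClient come from the thread, and the matcher function names are the example's own.

```python
# Added example (not from the original thread or the product's rule syntax):
# evaluate "alert if any service outside an excluded set is not Running" and
# show that a single negated $or and one negation per name agree.

from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    status: str  # e.g. "Running", "Stopped"


# Constructed sample inventory, not real data from the thread.
SAMPLE_SERVICES = [
    Service("AureAttestService", "Stopped"),  # excluded, must not alert
    Service("webClient", "Stopped"),          # excluded, must not alert
    Service("Spooler", "Running"),
    Service("W32Time", "Stopped"),            # should alert
    Service("Dnscache", "Running"),
    Service("wuauserv", "Stopped"),           # should alert
]

# The two service names the thread wants to leave out.
EXCLUDED = ("AureAttestService", "webClient")


def matches_any(name, names):
    """Positive match: name equals any of `names` (one rule with $or over the names)."""
    return any(name == n for n in names)


def negated_or(name, names):
    """What the original poster tried: a single negation wrapped around the $or."""
    return not matches_any(name, names)


def each_negated(name, names):
    """The workaround: one negation per name, combined conjunctively
    (De Morgan: not (A or B) == (not A) and (not B))."""
    return all(name != n for n in names)


def stopped_outside_exclusions(services, excluded, matcher=each_negated):
    """Names of services that are not Running and are not in `excluded`,
    i.e. the set that should raise an alert. `matcher` selects which
    negation form is used; both forms give the same answer."""
    return sorted(
        s.name for s in services
        if matcher(s.name, excluded) and s.status != "Running"
    )


if __name__ == "__main__":
    print(stopped_outside_exclusions(SAMPLE_SERVICES, EXCLUDED))
```

Running the block prints the two stopped services that are not excluded; passing an empty exclusion tuple reproduces the "monitor everything" case, where every stopped service alerts.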
28 Jul 2024 12:54 PM
Thanks again @Esam_Eid for your efforts and investigation.
I understood from your answer that we need a rule for each negation.
Tested it also and it looks to be working.
Thanks!
Yos