I would really like to be able to set a 5 or 15 second Flag/Interval time delay. This would allow us to filter events where an event sends 2 or 3 related syslogs all within 1 or 2 seconds of each other but I only want to receive one alert. Our usage scenario is that each rule is scanning the syslogs from many identical devices for a certain type of event, so there is the possibility an event could fire from two different devices within 60 seconds and we would only see the alert against the first device. It's not the end of the world if we do miss an event because we would eventually find it elsewhere, but it would be really neat if we could go below 60 seconds. Is there a way?
Thank you.