So basically rule_id1 and rule_id2 are two different events. What we want to do is make sure that if there is an event for rule_id1 and an event for rule_id2 on the same host, at the same time, we don't display those and only display the events where only rule_id2 has an event. If both rule_id1 and rule_id2 have an event at the same time for the same host, those are false positives. rule_id1 and rule_id2 are the same field, just different values. How do we find when they occur at the same-ish time and on the same host/user and then only display the unique occurrences of rule_id2, or whatever is left?
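The suppression logic asked about above, written out in plain Python over constructed sample events so the matching rule is explicit (an added example, not code from the original post; the field names `_time`, `host` and `rule_id`, the grouping key and the 60-second "same-ish time" window are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (field names are assumptions, not from the post).
EVENTS = [
    {"_time": "2024-01-01T10:00:00", "host": "web01", "rule_id": "rule_id1"},
    {"_time": "2024-01-01T10:00:20", "host": "web01", "rule_id": "rule_id2"},  # paired: false positive
    {"_time": "2024-01-01T10:05:00", "host": "web01", "rule_id": "rule_id2"},  # alone: keep
    {"_time": "2024-01-01T10:00:10", "host": "db01",  "rule_id": "rule_id2"},  # other host: keep
    {"_time": "2024-01-01T11:00:00", "host": "db01",  "rule_id": "rule_id1"},
    {"_time": "2024-01-01T11:00:45", "host": "db01",  "rule_id": "rule_id2"},  # within window: false positive
    {"_time": "2024-01-01T11:02:00", "host": "db01",  "rule_id": "rule_id2"},  # outside window: keep
]


def _ts(event):
    return datetime.fromisoformat(event["_time"])


def lone_rule2_events(events, primary="rule_id1", secondary="rule_id2",
                      key_fields=("host",), window_s=60):
    """Return the secondary-rule events that have NO primary-rule event with the
    same grouping key (host, or host+user) within +/- window_s seconds.
    A secondary event that does have such a neighbour is treated as a false
    positive and dropped, which is the behaviour described in the post."""
    window = timedelta(seconds=window_s)
    key = lambda ev: tuple(ev.get(f) for f in key_fields)

    # Index primary-rule timestamps by grouping key for the proximity check.
    primary_times = defaultdict(list)
    for ev in events:
        if ev["rule_id"] == primary:
            primary_times[key(ev)].append(_ts(ev))

    kept = []
    for ev in events:
        if ev["rule_id"] != secondary:
            continue
        t = _ts(ev)
        paired = any(abs(t - p) <= window for p in primary_times[key(ev)])
        if not paired:
            kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in lone_rule2_events(EVENTS):
        print(ev["_time"], ev["host"], ev["rule_id"])
```

Widening `window_s` or adding `"user"` to `key_fields` changes which rule_id2 events survive, so tune both against known-good and known-false-positive pairs before relying on the result.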