I would like to create two event sets to monitor. The source filter is the the same in both monitor sets, but the Event ID in the first one is: "All IDs" and the second set is a specific event ID.
I want the one that has ALL IDs to trigger an alarm (For now) if it occurs once in a 24 hour period and the one with the specific ID to alarm if it occurs more than 3 times in a 24 hour window.
My question is, If i create two event sets like that, will the alarm trigger if that event set occurs once, since it is still part of the "All IDs" set, OR will it only occur if it happens 3 times in one day? Taking the more restrictive of the two policies?
The most restrictive rule set is used.