The reason for #1 is that the timestamp on your LEM appliance might be more than 1 second off from the timestamp on the workstation/server where the event is occurring. The response window is used to tell LEM how "tolerant" to be of clock drift and how close events need to be for them to be considered (we don't want to fire a real-time rule on yesterday's news).