Are your 2 events the same (same source, same monitor, same slots) with different severities?
Do you have an example?
They are actually a bit different.
We are trying to de-duplicate similar events.
An example is when a host is unreachable. It could be just a ping issue, it could also be the host being down (crashed or rebooted), ...
We want to make sure that if we have multiple similar events, we only keep a new event if it has a higher severity.
So, let's say DVL_PING is only a WARNING and comes in first; we want to also keep the HOST_DOWN, which is a CRITICAL.
However, if the HOST_DOWN is the first one to come in, we would just ignore/close the DVL_PING right away, since it is similar in nature.
All our logic for the de-duplication is in place, and I only need to add the severity check part - that's why I need to be able to compare them.
Let me know if this is enough info.
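The severity check described above, as an added illustration that is not code from the original thread or from any monitoring product: events are grouped by a similarity key (source and monitor are assumed here; the "slots" mentioned earlier would be added to the key), and a new event in a group is kept only when its severity outranks the highest one already seen, otherwise it is closed. The severity scale and the event fields are assumptions, and the two scenarios (DVL_PING first, HOST_DOWN first) are constructed sample input.

```python
from dataclasses import dataclass

# Assumed severity scale: higher number = more severe.
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "MINOR": 2, "MAJOR": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Event:
    """Minimal event shape assumed for the example."""
    id: str
    source: str      # e.g. the host the event is about
    monitor: str     # e.g. the check that raised it
    name: str        # e.g. DVL_PING or HOST_DOWN
    severity: str


def severity_rank(severity: str) -> int:
    """Map a severity label to its rank; unknown labels are rejected rather than silently ranked lowest."""
    try:
        return SEVERITY_RANK[severity]
    except KeyError:
        raise ValueError(f"unknown severity: {severity!r}")


def similarity_key(ev: Event) -> tuple:
    """Events with the same key are considered 'similar in nature' (assumption: source + monitor)."""
    return (ev.source, ev.monitor)


def dedup_by_severity(events):
    """Process events in arrival order.

    Returns (kept, closed): an event is kept if it is the first of its group
    or outranks the highest severity seen so far in that group; otherwise it
    is closed as a duplicate.
    """
    highest = {}          # similarity key -> highest rank kept so far
    kept, closed = [], []
    for ev in events:
        key = similarity_key(ev)
        rank = severity_rank(ev.severity)
        if key not in highest or rank > highest[key]:
            highest[key] = rank
            kept.append(ev)
        else:
            closed.append(ev)
    return kept, closed


# Constructed sample input: the same host/monitor pair, two arrival orders.
PING_FIRST = [
    Event("e1", "host-a", "availability", "DVL_PING", "WARNING"),
    Event("e2", "host-a", "availability", "HOST_DOWN", "CRITICAL"),
]
HOST_DOWN_FIRST = [
    Event("e3", "host-a", "availability", "HOST_DOWN", "CRITICAL"),
    Event("e4", "host-a", "availability", "DVL_PING", "WARNING"),
]


if __name__ == "__main__":
    for label, scenario in (("ping first", PING_FIRST), ("host down first", HOST_DOWN_FIRST)):
        kept, closed = dedup_by_severity(scenario)
        print(label, "kept:", [e.name for e in kept], "closed:", [e.name for e in closed])
```

Processing order matters: the check compares against the highest severity already kept in the group, not against the most recent event, so a later WARNING never reopens a group that already holds a CRITICAL.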
For me, in this case you should work with correlation rules.
I'm still on the weekend, but I will check on Monday whether I have an example for you.