Having gone through the Orion sources and having the few questions answered by the folks that frequent this discussion group, I figured I would post my observations (or mis-observations... is that a word?).
I notice that with the Orion sources I have a more streamlined way of defining how events are handled. I can create a list of rules based off of different criteria that will allow for me to route issues to the appropriate support group all in a single Orion source.
The same does not appear to be true for the email sources. It seems that for each email that may enter into the SAC email acct I need to configure it as a separate source, i.e., for alerts that would be more Network related I need to create a source blah_blag_bloob_network, and try to build a catch-all for the network related alerts; for software/application alerts, build a catch-all for blah_application_blah and route to the appropriate team. Is this by design? Am I completely off the mark with this and missing how I should configure email sources? Has anyone else seen this and thought "my, that is an inconvenience"?
Is there a plan in the future to make the email sources more of a "scan for this text and if it is there route to x, elif this is the text route to y" model?