# logfile /var/log/paloalto/threat.log

watchfor /TRAFFIC,end,[^,]+,[^,]+,([^,]+),([^,]+),/
  threshold track_by=$1:$2,type=limit,count=1,seconds=60
  pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 10.69.100.14 3"

watchfor /THREAT,[^,]+,[^,]+,[^,]+,([^,]+),([^,]+),/
  threshold track_by=$1:$2,type=limit,count=1,seconds=60
  pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 10.69.100.14 3"