Hi Ralf,
although there is no separate action for this purpose, the context
event store can be filtered in various ways through several actions. I
would assign the event store to an action list variable, pass this
variable to Perl code for filtering, and assign the result back to
the context event store. Here is one example (taken from SEC man
page):

eval %funcptr ( sub { my(@buf) = split(/\n/, $_[0]); \
my(@ret) = grep(!/^#/, @buf); return @ret; } ); \
copy C1 %in; call %out %funcptr %in; fill C1 %out

If filtering is designed to be done only in one place, using the newer
'lcall' action would be even shorter.

regards,
risto

2011/10/13  <ral...@arcor.de>:
> Hi SEC users,
>
> it is easy to add something to  a context with:
>
>   add <context name> <string>
>
> But how can I delete a single entry from an existing context?
>
> Let's say … I have the context "MYCONTEXT" with 3 entries:
>
> AAA
> BBB
> CCC
>
> and I want to delete "BBB" from "MYCONTEXT".
>
> Is there a function/method to:
>
>   delete <context name> <string>   (like: "delete MYCONTEXT BBB")
>
> Thanks,
> -Ralf-
>
> ------------------------------------------------------------------------------
> All the data continuously generated in your IT infrastructure contains a
> definitive record of customers, application performance, security
> threats, fraudulent activity and more. Splunk takes this data and makes
> sense of it. Business sense. IT sense. Common sense.
> http://p.sf.net/sfu/splunk-d2d-oct
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
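
Added example (not part of either message above and not taken from the SEC man page): a Perl filter with the same calling convention as the %funcptr routine in the reply, applied to the "delete BBB from MYCONTEXT" question. The names delete_entry and delete_entry_re, the sample store and the lcall wiring in the comment are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Literal-entry removal for an SEC context event store (added example).
# Assumed wiring in an SEC action list, with $1 holding the entry to drop:
#   copy MYCONTEXT %in; lcall %out %in $1 -> ( sub { ... } ); fill MYCONTEXT %out
use strict;
use warnings;

# $_[0] is the event store as one newline-joined string (what 'copy'
# places in the action list variable); $_[1] is the entry to delete.
# Returns the surviving lines as a list, as the man page filter does.
sub delete_entry {
    my ($store, $entry) = @_;
    return () unless defined $store && length $store;
    # String equality, not a regex: the entry may originate from log data
    # and contain metacharacters such as '.', '*' or '('.
    return grep { $_ ne $entry } split(/\n/, $store);
}

# Regex variant for comparison: \Q...\E quotes metacharacters and the
# anchors stop a substring from matching a longer entry.
sub delete_entry_re {
    my ($store, $entry) = @_;
    return grep { !/^\Q$entry\E\z/ } split(/\n/, $store // '');
}

# Constructed store: the three entries from the question plus two that an
# unquoted, unanchored pattern would also remove.
my $store = join("\n", 'AAA', 'BBB', 'CCC', 'xBBBx', 'B.B');

for my $target ('BBB', 'B.B') {
    my @exact  = delete_entry($store, $target);
    my @quoted = delete_entry_re($store, $target);
    # Deliberately naive form: entry interpolated as a raw pattern.
    my @naive  = grep { !/$target/ } split(/\n/, $store);
    print "delete '$target'\n";
    print "  string equality : ", join(',', @exact),  "\n";
    print "  quoted regex    : ", join(',', @quoted), "\n";
    print "  unquoted regex  : ", join(',', @naive),  "\n";
}
```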
