Hi,
Perhaps some of the messages are outside of the time window.
Hard to tell without seeing the real data.
Regards,
Botond
On Mon, 29 Aug 2016 18:26:25 +0200
Antonio Cuesta García <antoniocuest...@hotmail.com> wrote:
> What could be the problem?
> Regards,
> Antonio.
>
> From: antoniocuest...@hotmail.com
> To: b...@nxlog.com; nxlog-ce-users@lists.sourceforge.net
> Subject: Threshold evcorr
> Date: Fri, 26 Aug 2016 22:37:54 +0200
>
>
>
>
> Hi!
>
> I have a problem. I have this:
>
> ######################
>
> #para escribir fuera
> <Extension fileop>
> Module xm_fileop
> </Extension>
>
> <Input in4>
> Module im_file
> File "/home/antonio/Descargas/sn"
> SavePos TRUE
> Exec if ($raw_event =~ /^\d\d:\d\d:\d\d.(.+)/) { \
> $Message = $1; \
> $raw_event = $Message; \
> }
>
>
>
> </Input>
>
>
> <Output out4>
> Module om_file
> File "/home/antonio/Descargas/nx"
> </Output>
>
> <Processor evcorr>
> Module pm_evcorr
>
> <Thresholded>
> exec if $Message =~ /IP (\S{1,}) > \S{1,}:/ $IP=$1;
> Condition $Message =~ /ICMP echo reply/
> Threshold 150
> Interval 120
> Context $IP
> Exec file_write("/home/antonio/Descargas/otro", "150 ECHO REPLY
> packets from host" +$IP +"\n");
> </Thresholded>
>
> </Processor>
>
> <Route 4>
> Path in4 => evcorr => out4
> </Route>
>
> #############
>
>
> When 200 lines come to the "sn" file with "ICMP echo reply ", in the file
> "otro" appear 48 lines , when they should appear only 1 due to Thresholded
> and I not know why.
>
> Why can it be?
>
> Thanks!
>
>
>
>
>
>
>
------------------------------------------------------------------------------
_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
