Perl operations on a hash are surprisingly efficient. If you store your context
in a hash, it can be very efficient to add/remove/check specific items. What is
not efficient is aging things out based on time.
David Lang
On Thu, 2 Apr 2020, Richard Ostrochovský wrote:
Date: Thu, 2 Apr 2020
re: multi-line rules, my thought is to convert the newlines to some escape
sequence and then treat the results as a single line.
I tend to not want to run SEC on each system as it can impact that system (both
CPU utilization and disk I/O). Instead I make SEC part of the log processing
Hi Risto,
thank you for the solution. There is also a concern about the potential
performance impact in case of e.g. thousands of files being added by
addinput, with an extra context being created for each of them.
Another way could be e.g. maintaining an (associative) array in the action list,
with keys of paths to
Hello guys,
thank you for many tips. I have carefully read through e-mails from
Clayton, Risto, John, David, and Dusan, and I am reacting to all of
it in summary with this e-mail, as more reactions were in a similar spirit.
To my primary question: I am satisfied that log messages are not lost on
hi all,
The SEC FAQ has received a couple of updates:
*) Q24 (https://simple-evcorr.github.io/FAQ.html#24) that describes the use
of 'addinput' and 'dropinput' actions has been updated with a second
example about tracking log files with timestamps in file names,
*) new entry Q27