Hi Risto,

Thank you. EventGroup rule is working well in my use case.

Regards,
Dusan

________________________________
From: Risto Vaarandi <risto.vaara...@gmail.com>
Sent: Thursday, 8 November 2018 21:15
To: dusan.so...@hotmail.sk
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] SingleWithThreshold reference current input line

hi Dusan,

the problem lies in the fact that when the SingleWithThreshold rule starts a counting operation, match variables in the 'action' field receive their values from the first event which triggered that operation (that is done to stay consistent with the substitution of variables in other fields, where values from the first event have to be used).

In order to solve this issue, the best solution is to employ the EventGroup rule instead of SingleWithThreshold, since EventGroup is a more general counting rule that supports a number of useful extensions. One such extension is support for the 'count' field which allows for executing action(s) on each matching event. Unlike the 'action' field, match variables in the 'count' field are set from *each* matching event. For example, consider the following rule:

type=EventGroup
ptype=RegExp
pattern=.
desc=count any event
count=assign %lastline $0
action=write - %lastline
thresh=3
window=60

After each matching event, the action list variable %lastline is set to the current event, and when the third matching event is observed in a 60 second time window, this event is written to standard output. Since, unlike match variables in the 'action' field, action list variables like %lastline are always substituted at action list execution, %lastline will hold the value of the last matching line.

For employing this technique in your ruleset, the EventGroup rule could be used in the following fashion:

rem=Parse My Event
type=Single
ptype=RegExp
pattern=^\S+ (?<EVENT>\S+)
varmap=MY_EVENT
continue=TakeNext
desc=Parse Event
action=none

rem=Rule1
type=EventGroup
ptype=Cached
pattern=MY_EVENT
desc=Rule1 $+{EVENT}
count=assign %lastline $0
action=write - %lastline
window=60
thresh=2

When submitting three example events to this ruleset, the following output should be displayed:

Assigning '2018-11-11T00:00:01+00:00 Event1' to variable '%lastline'
Assigning '2018-11-11T00:00:02+00:00 Event1' to variable '%lastline'
Writing event '2018-11-11T00:00:02+00:00 Event1' to file '-'
2018-11-11T00:00:02+00:00 Event1   <--- second event that was written to standard output
Assigning '2018-11-11T00:00:03+00:00 Event1' to variable '%lastline'

Hope this helps,
risto

Contact Dusan Sovic (<dusan.so...@hotmail.sk>) wrote on Thu, 8 November 2018 at 16:11:

Hello SEC Users,

I'm using the SingleWithSuppress rule to process timestamped input events. I want to take action after the 2nd event occurrence within 60 seconds. The problem I have is that after the second event matches, the action is taken and the event ($0) is written to the output, but it uses the timestamp of the first received event (the one that started the correlation operation). On the output I would like to see the *timestamp* of the second event, or more generally the whole input message of the second event as is.

Let me demonstrate this with an example:

Config file: ccr.sec

rem=Parse My Event
type=Single
ptype=RegExp
pattern=^\S+ (?<EVENT>\S+)
varmap=MY_EVENT
continue=TakeNext
desc=Parse Event
action=none

rem=Rule1
type=SingleWithThreshold
ptype=Cached
pattern=MY_EVENT
desc=Rule1 $+{EVENT}
action=write - $0
window=60
thresh=2

Run sec:

sec -conf=./ccr.sec -input=-

Input the following lines:

2018-11-11T00:00:01+00:00 Event1
2018-11-11T00:00:02+00:00 Event1
2018-11-11T00:00:03+00:00 Event1

Output action:

Writing event '2018-11-11T00:00:01+00:00 Event1' to file '-'

What I want to achieve / see:

Writing event '2018-11-11T00:00:02+00:00 Event1' to file '-'

Thanks,
Dusan

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
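The difference the thread turns on (which event's fields end up in the written line once a threshold is reached) can be reproduced with a small counting model. The following Python is an added illustration, not SEC's own code or Risto's: it keys events by the EVENT field as the 'desc' in the rules above does, counts them within `window` seconds of the first event of an operation, fires the action once per operation when `thresh` is reached, and lets the caller choose whether the written line is bound from the first event (SingleWithThreshold behaviour) or from the event that reached the threshold (EventGroup with count=assign %lastline $0). The fixed-window-from-first-event reset and the three sample lines are constructed assumptions for the model, not a statement of SEC internals.

```python
"""Model of how a windowed threshold rule binds the line it writes.

Added illustration only (not SEC's code): mimics the observable difference
between SingleWithThreshold, whose 'action' variables come from the first
event of a counting operation, and EventGroup with a 'count' field, whose
action list variable is rebound on every matching event.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: the same three lines as in the thread.
SAMPLE_INPUT = [
    "2018-11-11T00:00:01+00:00 Event1",
    "2018-11-11T00:00:02+00:00 Event1",
    "2018-11-11T00:00:03+00:00 Event1",
]

# Same shape as the thread's pattern: timestamp, then the EVENT token.
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<EVENT>\S+)")


def correlate(lines, thresh=2, window=60, bind_from_first=True):
    """Return the lines the action would write, one per counting operation.

    Events are grouped by EVENT (the rule's 'desc'). An operation starts
    with the first event of a key and is reset once a later event falls more
    than `window` seconds after it (assumed model, not SEC's exact window
    handling). The action fires once when the count reaches `thresh`:
    - bind_from_first=True  -> the first event's line is written
                               (SingleWithThreshold: $0 from the first event)
    - bind_from_first=False -> the event that reached the threshold is
                               written (EventGroup: count=assign %lastline $0)
    """
    ops = {}        # key -> {"events": [(ts, line), ...], "fired": bool}
    written = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue            # non-matching input is simply ignored
        ts = datetime.fromisoformat(m.group("ts"))
        key = m.group("EVENT")
        op = ops.setdefault(key, {"events": [], "fired": False})
        events = op["events"]
        # window expired: start a fresh counting operation for this key
        if events and ts - events[0][0] > timedelta(seconds=window):
            events.clear()
            op["fired"] = False
        events.append((ts, line))
        # the %lastline-style variable is rebound on every matching event
        lastline = line
        if len(events) >= thresh and not op["fired"]:
            op["fired"] = True  # one action per operation, like the thread's output
            written.append(events[0][1] if bind_from_first else lastline)
    return written


if __name__ == "__main__":
    for mode, flag in (("SingleWithThreshold-style", True),
                       ("EventGroup count=assign-style", False)):
        for out in correlate(SAMPLE_INPUT, bind_from_first=flag):
            print(f"{mode}: Writing event '{out}' to file '-'")
```

Running it prints the first-event line for the SingleWithThreshold-style mode and the second-event line for the EventGroup-style mode, matching the two outputs quoted in the thread; the third event is counted but triggers nothing, because the operation has already fired within its window.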