Hi Risto,
I'm sorry, I don't think I made myself clear.
Thanks for your help, but it still doesn't work. Here's the problem:
We have the following rule:
type=EventGroup2
ptype=RegExp
pattern=EVENT_TYPE_A ([\d.]+)
continue=TakeNext
ptype2=RegExp
pattern2=EVENT_TYPE_B ([\d.]+)
continue2=TakeNext

Hi Agustin,
I have tried the rule from your e-mail, and I am able to get the output you
are expecting:
/usr/bin/sec --conf=test4.sec --input=-
SEC (Simple Event Correlator) 2.8.2
Reading configuration from test4.sec
1 rules loaded from test4.sec
No --bufsize command line option or --bufsize=0,

Hi Agustin,
and thanks for the feedback! Instead of developing one rule which addresses all
scenarios, it is better to write a separate rule for each case. For
example, for the first case EVENT_TYPE_A && EVENT_TYPE_B the rule would
look like this:
type=EventGroup2
ptype=RegExp
pattern=EVENT_TYPE_A