I am interested in profiling events. I like making histograms of
patterned events as a way of guiding efforts and understanding which events
are important in the logs. So how would one use SEC to profile logs to
arrive at top-N sources, and top-N events? Below is what I am thinking.

# report every 24 hours.
type=Calendar
time=2 0 * * *
desc=Report events
action= ={ \
    for ( sort keys %sources ) { \
        printf "Source %s Frequency %d arrival rate %5.2f \n", \
            $_, $sources{$_}, $sources{$_}/86400; \
    } \
    for ( sort keys %events ) { \
        printf "Event %s Frequency %d arrival rate %5.2f\n", \
            $_, $events{$_}, $events{$_}/86400; \
    } \
    for ( sort keys %eventsources ) { \
        printf "Event-sources %s Frequency %d %5.2f\n", \
            $_, $eventsources{$_}, $eventsources{$_}/86400; \
    } \
  } ; \
  ={ %sources=(); %events=(); %eventsources=(); }

# Look for Cisco style events
type=single
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?(%\S+-\d-\S+): .*
desc=$1:$2
context= ={ $sources{$1}++ ; $events{$2}++; $eventsources{"$1:$2"}++ }
action=none

Regards,
Tim Peiffer
Networking and Telecommunications Services
University of Minnesota/NorthernLights GigaPOP
_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
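
Added example, not part of the original post and not SEC code: an offline Python version of the same counting, which applies the post's regular expression to log lines and ranks by frequency so that the top-N sources, events and source:event pairs fall out directly. The sample log lines, host names and function names are constructed for illustration; the 86400-second window is the one used in the post.

```python
import re
from collections import Counter

# Pattern copied from the Cisco-style rule in the post above.
CISCO = re.compile(r"\d+:\d+:\d+.*?(\S+)\s+\d+:.*?(%\S+-\d-\S+): .*")

# Constructed sample input (hypothetical hosts and messages).
SAMPLE_LINES = [
    "Mar  4 10:15:02 rtr1.example.net 101: Mar  4 10:15:01.123: %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "Mar  4 10:15:03 rtr1.example.net 102: Mar  4 10:15:02.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to down",
    "Mar  4 10:16:10 sw2.example.net 77: Mar  4 10:16:09.001: %LINK-3-UPDOWN: Interface Fa0/3, changed state to up",
    "Mar  4 10:17:45 rtr1.example.net 103: Mar  4 10:17:44.900: %LINK-3-UPDOWN: Interface Gi0/1, changed state to up",
    "Mar  4 10:18:00 host3 sshd[411]: Accepted publickey for admin",
]

def profile(lines):
    """Count matches per source, per event and per source:event pair."""
    sources, events, pairs = Counter(), Counter(), Counter()
    unmatched = 0
    for line in lines:
        m = CISCO.search(line)
        if not m:
            unmatched += 1  # track what the pattern misses, too
            continue
        src, ev = m.group(1), m.group(2)
        sources[src] += 1
        events[ev] += 1
        pairs[f"{src}:{ev}"] += 1
    return sources, events, pairs, unmatched

def top_n(counter, n, window=86400):
    """Return the n most frequent keys as (key, count, arrivals per second).

    Ties are broken alphabetically so the report is stable between runs.
    """
    ranked = sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(key, count, count / window) for key, count in ranked[:n]]

if __name__ == "__main__":
    sources, events, pairs, unmatched = profile(SAMPLE_LINES)
    for label, counter in (("Source", sources), ("Event", events),
                           ("Event-source", pairs)):
        for key, count, rate in top_n(counter, 3):
            print(f"{label} {key} Frequency {count} arrival rate {rate:.5f}")
    print(f"Unmatched lines: {unmatched}")
```

The count of unmatched lines is worth reporting alongside the histogram, since a large value means the pattern is missing a class of events.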