Tim,
yes, that is one way of doing this. I have slightly modified your
ruleset - it now uses the 'eval' action (there is no '={}' action in SEC),
and the %s special variable is now masked inside 'eval' (as %%s):
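# Report every 24 hours (fires at 10:00 each day) and start a new window.
# Prints one line per key of the %sources, %events and %eventsources
# counters - the key, its count, and count/86400 (events per second over
# a 24-hour window) - then empties all three hashes.
# '%%s' is written instead of '%s' so that SEC's own %s variable is not
# substituted into the printf format strings.
# Every line of the action except the last must end with a backslash;
# the mail-wrapped printf statements have been rejoined accordingly.
# NOTE(review): printf writes to SEC's standard output - confirm where that
# goes when SEC runs detached. The first window after startup is shorter
# than 24 hours, so its rates are underestimates.
type=Calendar
time=0 10 * * *
desc=Report events
action=eval %o ( \
  foreach $key (sort keys %sources) { \
    printf "Source %%s Frequency %d arrival rate %5.2f \n", \
      $key, $sources{$key}, $sources{$key}/86400; \
  } \
  foreach $key (sort keys %events) { \
    printf "Event %%s Frequency %d arrival rate %5.2f\n", \
      $key, $events{$key}, $events{$key}/86400; \
  } \
  foreach $key (sort keys %eventsources) { \
    printf "Event-sources %%s Frequency %d %5.2f\n", \
      $key, $eventsources{$key}, $eventsources{$key}/86400; \
  } \
  %sources=(); %events=(); %eventsources=(); \
)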
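# Look for Cisco style events and count them per source ($1), per event
# mnemonic ($2), and per source:mnemonic pair.
#
# SEC pastes $1 and $2 into the action text before the Perl code is
# compiled, so text taken from a log line becomes part of the evaluated
# program. The capture groups are therefore limited to characters that
# have no special meaning inside a Perl double-quoted string (no quotes,
# $, @, backslash or braces). Lines whose source or mnemonic field holds
# anything else are not counted by this rule.
# On SEC versions that provide the 'lcall' action, passing $1 and $2 as
# parameters to a precompiled function keeps log text out of the code
# altogether.
# NOTE(review): $2 begins with '%', the character SEC also uses for
# action-list variables - confirm on your version that the keys are
# stored as intended.
type=single
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?([\w.:-]+)\s+\d+:.*?(%[\w-]+-\d-\w+): .*
desc=$1:$2
action=eval %o ( $sources{"$1"}++; $events{"$2"}++; \
  $eventsources{"$1:$2"}++; )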
br,
risto
Tim Peiffer wrote:
> I am interested in profiling events. I like making histograms of
> patterned events as a way of guiding efforts and understand what events
> are important in the logs. So how would one use SEC to profile logs to
> arrive at top-N sources, and top-N events? Below is what I am thinking.
>
> # report every 24 hours.
> type=Calendar
> time=2 0 * * *
> desc=Report events
> action= = {
> for ( sort keys %sources ) { \
> printf "Source %s Frequency %d arrival rate
> %5.2f \n", $_, $sources{$_}, $sources{$_}/86400; \
> } \
> for ( sort keys %events ) {
> printf "Event %s Frequency %d arrival rate
> %5.2f\n", $_, $events{$_}, $events{$_}/86400; \
> } \
> for ( sort keys %eventsources ) {
> printf "Event-sources %s Frequency %d %5.2f\n",
> $_, $eventsources{$_}, $eventsources{$_}/86400; \
> } \
> } ; \
> = { %sources=(); %events=(); %eventsources=(); }
>
> # Look for Cisco style events
> type=single
> continue=takeNext
> ptype=regexp
> pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?(%\S+-\d-\S+): .*
> desc=$1:$2
> context = ={ $sources{$1}++ ; $events{$2}++; $ $eventsources{"$1:$2"}++ }
> action=none
>
> Regards,
> Tim Peiffer
> Networking and Telecommunications Services
> University of Minnesota/NorthernLights GigaPOP
>
>
>