Conway Allen wrote:
> Hello,
>
> I've just started trying to come to grips with SEC so please bear with me…
>
> I've been using SEC 2.5.1.
>
> It seems to me that there's something counter-intuitive in the way
> SingleWith2Thresholds works. Suppose that you're looking at the xyz
> sequence and you set up a SingleWith2Thresholds rule with threshold = 3
> and window = 5. Suppose the following messages arrive:
>
> 409 xyz/1
> 413 xyz/2
> 417 xyz/3
> 419 xyz/4
> 423 xyz/5
> 425 xyz/6
> 427 xyz/7
>
> where the 1st column shows the last part of the time values representing
> the time SEC sees them.
>
> The action associated with the lower threshold of 3 is executed when
> xyz/7 arrives, but if the action involves writing $0 to a file, for
> instance, what I find in the file is xyz/1 and not the xyz/5 as I would
> expect.
>
> Having looked at the source code I understand why this is the case, but I
> don't understand why it should be the case!
>
> I expect that SingleWithThreshold has exactly the same behaviour. This
> troubles me!
Allen,

IMHO, the use of the $0 variable in most cases makes sense only if you are correlating messages with a rule where the action is executed immediately after a match has been found. In other words, the action gets executed on one match only, when it is clear that $0 is set by this particular match. If the action is triggered by multiple matches, the $0 variable is inherently ambiguous. SEC always sets $0 and the other variables when the event correlation operation starts, which is the simplest and most efficient way of handling match values (otherwise we would have to store the pattern match values from all matches, and even then it is not clear which particular value to prefer for $0).

If you would like to fetch the N-th matching line when the action is executed, I'd recommend employing a separate context for keeping the matching lines in memory. When an action is triggered from SingleWith2Thresholds, you can use 'report' to access the content of the context and extract the N-th line. As an example, here is a small ruleset:

# store every matching line in the XYZLINES context;
# continue=TakeNext passes the line on to the counting rule below
type=Single
continue=TakeNext
ptype=RegExp
pattern=xyz
desc=store xyz lines
action=add XYZLINES $0

# after 5 matches within 10 seconds, pipe the context through
# 'tail -n 2 | head -n 1' (the 4th stored line) and clear it
type=SingleWithThreshold
ptype=RegExp
pattern=xyz
desc=count xyz (and report the 4th matching line)
action=report XYZLINES tail -n 2 | head -n 1; delete XYZLINES
thresh=5
window=10

br,
risto

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
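The same context technique applied to the SingleWith2Thresholds rule from the question (thresh=3, window=5), as an added example that is not part of Risto's reply; the context name XYZLINES, the window2/thresh2 values and the tail/head extraction are assumptions, not values from the thread.

```conf
# Added example, not from the original reply. Uses the SEC rule syntax
# shown in the reply; the context name and window2/thresh2 values are
# assumed.

# Keep every xyz line in the XYZLINES context; continue=TakeNext lets the
# counting rule below see the same line.
type=Single
continue=TakeNext
ptype=RegExp
pattern=xyz
desc=store xyz lines
action=add XYZLINES $0

# thresh=3 / window=5 as in the question. Lines are stored in arrival
# order and the sliding window always covers a suffix of them, so when the
# threshold is reached the last 3 stored lines are exactly the 3 that were
# counted. 'tail -n 3 | head -n 1' therefore yields the first line of the
# window (xyz/5 in the question's sequence), whereas $0 holds the line that
# started the operation (xyz/1).
type=SingleWith2Thresholds
ptype=RegExp
pattern=xyz
desc=xyz rate above threshold
action=report XYZLINES tail -n 3 | head -n 1
window=5
thresh=3
# Once the rate has dropped, discard the stored lines so the next burst
# starts with an empty context.
desc2=xyz rate back below threshold
action2=delete XYZLINES
window2=10
thresh2=0
```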
