> From: Peter Kravtsov <[email protected]>
> Subject: [Simple-evcorr-users] Threshold rules based on regexp count of a matched keyword
> To: "[email protected]" <[email protected]>
> Date: Thursday, April 16, 2009, 9:04 PM
>
> Threshold rules based on regexp count of a matched keyword
>
> Example:
>
> foo A
> foo B
> foo B
>
> Desired:
>
> Match when foo X occurs N times over time window, but the
> matching line needs to remember the keyword matched on. So
> if the threshold is 2 times, then raise an event on a second
> “foo B” -- not on the first one.
>
> Is this possible?
>
If I've got your question correctly, there is a simple solution for this. All you have to do is to select the right value for the rule's 'desc' parameter that defines the scope of event correlation. For example, if you are using regular expression patterns, you can extract relevant data from the event and use them in the 'desc' field. In your case, the solution would look like this:

pattern=foo (\S)
desc=Count the occurrences of $1

The regular expression pattern gets the character that follows the "foo" string and assigns it to $1. Since the $1 variable is present in the 'desc' field, 'desc' is different for distinct characters, and since 'desc' is used for calculating event correlation keys, for each distinct character there will be a separate counting operation. See the SEC man page for a more detailed discussion -- it contains a thorough explanation of what event correlation operations are and how their scope is determined.

br,
risto
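Added example (not part of the original thread and not SEC's own code): a simplified Python model of the scoping described in the reply, where each distinct expanded 'desc' string gets its own counting operation, compared with a constant 'desc' that shares one counter. The 60-second window, the constant-'desc' comparison string and the function name correlate are assumptions made for illustration; real SEC also puts the rule file name and rule ID into the key.

```python
import re
from collections import defaultdict, deque

# Simplified model of threshold counting keyed by the expanded 'desc' string.
# Assumption: only 'desc' forms the key here; SEC itself also includes the
# rule file name and the rule ID.
PATTERN = re.compile(r"foo (\S)")   # pattern from the reply
THRESH = 2                          # threshold from the question
WINDOW = 60                         # seconds; assumed, the thread gives no value

def correlate(events, desc_template, thresh=THRESH, window=WINDOW):
    """events: iterable of (seconds, line) in time order.
    Returns [(time, expanded_desc), ...] for each threshold crossing."""
    hits = defaultdict(deque)   # expanded desc -> timestamps still in the window
    quiet_until = {}            # expanded desc -> end of the window that fired
    alerts = []
    for ts, line in events:
        m = PATTERN.search(line)
        if not m:
            continue
        # Substituting $1 is what splits the counting per keyword.
        desc = desc_template.replace("$1", m.group(1))
        if ts < quiet_until.get(desc, float("-inf")):
            continue            # already reported in this window
        q = hits[desc]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()         # slide the window past stale events
        if len(q) >= thresh:
            alerts.append((ts, desc))
            quiet_until[desc] = q[0] + window
            q.clear()
    return alerts

# Constructed sample input: the three lines from the question, one second apart.
SAMPLE = [(0, "foo A"), (1, "foo B"), (2, "foo B")]

if __name__ == "__main__":
    # Constant desc: one shared counter, fires on the first "foo B".
    print(correlate(SAMPLE, "Count the occurrences of foo"))
    # desc with $1: one counter per keyword, fires on the second "foo B".
    print(correlate(SAMPLE, "Count the occurrences of $1"))
```

With the constant 'desc', "foo A" and the first "foo B" are counted together and the threshold is reached one event too early; with $1 in 'desc' the alert is raised only on the second "foo B".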
