Sven, if you would like to verify that a certain event appears once in N seconds, and generate an alert if the event is NOT there, you could use the following solution (the ruleset is just a rough example, but hopefully it conveys the idea):
type=Calendar time=* * * * * desc=heartbeat check action=event HEARTBEAT_CHECK type=PairWithWindow ptype=SubStr pattern=HEARTBEAT_CHECK desc=No heartbeat has been observed action=write - %s ptype2=SubStr pattern2=MYEVENT desc2=heartbeat OK action2=none window=120 The first rule generates the HEARTBEAT_CHECK synthetic event once in 60 seconds. This event is matched by the second rule which starts an event correlation operation that waits for the event MYEVENT. If MYEVENT will not arrive within 120 seconds, the operation writes an alert message "No heartbeat has been observed" to standard output. If you would like to check if MYEVENT is present at least N times in a time window T, you could implement a SingleWithThreshold operation for that which generates the synthetic event SUFFICIENT_NUMBER_OF_MYEVENTS, if MYEVENT has been observed for N times in window T. This event could then be matched by the PairWithWindow rule as described above. However, in that case some subtleties remain -- the counting window for SingleWithThreshold is sliding; also, the action is executed when threshold N is reached, *not* at the end of the counting window. Fortunately, SingleWithThreshold rule has an optional 'action2' parameter which suits exactly for the taking an action when the counting window ends. Hope that this helps, risto On 04/30/2010 01:48 PM, Sven Leupold wrote: > Hi > > I wonder how I could implement a rule that triggers an action if a > pattern did not appear OR less than MIN times for a time period n. > > Thanks a lot in advance > > Sven > > ------------------------------------------------------------------------------ > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > ------------------------------------------------------------------------------ _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
