Risto Vaarandi wrote:
> On 01/20/2011 06:50 PM, Kim Scarborough wrote:
>> Risto Vaarandi wrote:
>>> As I understand, you would like to do some sort of balance checking if
>>> every foo has a corresponding bar? The event correlation operations
>>> that Pair and PairWithWindow rules trigger actually consume repeated
>>> instances of the first event silently (in your case foo). In the case
>>> of your rule, mail will only be sent if no "bar" appears at all within
>>> 2 seconds after "foo".
>>
>> Hmm. That's actually not the behavior I'm seeing. I logged 3 foos
>> followed by 3 bars, all within one second, and was sent a notification.
>
> Are you sure they came in exactly that order? I just tested it (in fear
> that the new alpha version might contain some weird bug), but it all
> worked fine for me. If you are suspecting the rule is not matching the
> events it should, you could try dumping event correlation data with
> SIGUSR1 signal (this would tell you if the rule has matched and started
> an event correlation operation).

Okay, now I'm not duplicating this, so ignore this part for now.

> OK. Are you perhaps then dealing with a scenario where one "foo" is
> never immediately followed by another one, but there is always a "bar"
> between them which belongs to the first "foo"?
> If that's not the case, then the task becomes somewhat blurry (and so
> the solution), since it is not clear where the counting window should
> begin and how exactly define imbalance.

Yeah, it's the latter. What I want is this: for every foo, there must be
a bar within the next 2 seconds, otherwise alert. In other words, these
should not alert:

==Example #1==
foo
bar

==Example #2==
foo
foo
foo
bar
bar
bar

And these should:

==Example #3==
foo

==Example #4==
foo
foo
foo
bar
bar

Does that make sense?

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
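
Added example, not part of the original message and not SEC code: a Python model that contrasts the single-operation behaviour described in the quoted reply with the per-foo requirement stated in the message, run over Examples #1 to #4. The millisecond timestamps are constructed, and pairing each bar with the oldest waiting foo is an assumption.

```python
from collections import deque

WINDOW_MS = 2000  # the 2-second window from the thread, in milliseconds

def pair_style_alerts(events, window=WINDOW_MS):
    """Model of the quoted description: the first foo opens one operation,
    repeated foos are consumed silently, and any bar in the window closes it."""
    alerts, deadline = [], None
    for ts, name in events:
        if deadline is not None and ts > deadline:
            alerts.append(deadline)      # window expired with no bar at all
            deadline = None
        if name == "foo" and deadline is None:
            deadline = ts + window
        elif name == "bar":
            deadline = None              # one bar satisfies the whole operation
    return alerts + ([deadline] if deadline is not None else [])

def balanced_alerts(events, window=WINDOW_MS):
    """Requirement from the message: every foo needs its own bar within the
    window. Assumption: each bar is paired with the oldest foo still waiting."""
    alerts, pending = [], deque()        # pending holds one deadline per open foo
    for ts, name in events:
        while pending and ts > pending[0]:
            alerts.append(pending.popleft())   # this foo never got its bar
        if name == "foo":
            pending.append(ts + window)
        elif name == "bar" and pending:
            pending.popleft()
    return alerts + list(pending)        # foos still open at end of input

# Constructed (timestamp_ms, event) sequences for Examples #1-#4 in the message.
EXAMPLES = {
    1: [(0, "foo"), (500, "bar")],
    2: [(0, "foo"), (100, "foo"), (200, "foo"), (300, "bar"), (400, "bar"), (500, "bar")],
    3: [(0, "foo")],
    4: [(0, "foo"), (100, "foo"), (200, "foo"), (300, "bar"), (400, "bar")],
}

if __name__ == "__main__":
    for n, events in EXAMPLES.items():
        print(n, "pair-style:", pair_style_alerts(events),
              "balanced:", balanced_alerts(events))
```

Each function returns the deadlines (in ms) at which an alert would fire; only Example #4 separates the two models, because a single bar closes the pair-style operation while the third foo is still unanswered.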