hi Marc, you have set the 'desc' field of the rule to $0 which holds th entire matching line. However, 'desc' field defines the event correlation operation key. The input lines tend to contain timestamps which make lines different, and therefore for every line a separate operation is started with a separate email. You could try setting 'desc' to 'low battery' -- or you could also refine your regular expression, in order to set additional match variables and use them in the 'desc' field for setting the scope of the event correlation properly. This section of the man page describes how 'desc' field works: http://simple-evcorr.sourceforge.net/man.html#EVENT%20CORRELATION%20OPERATIONS In addition, you can find a relevant discussion in the introductory section. kind regards, risto
2011/4/15 Marc MERLIN <m...@merlins.org>: > Howdy, > > I have this: > #type=SingleWithSuppress > #ptype=RegExp > #pattern=(.*low battery.*) > #desc=$0 > #action=pipe '%t: $0' /usr/bin/mail -s "sec: %s" myemail > #window=36000 > > If I enable this, I get an Email for every log line. > Somehow window=36000 (10h I was hoping), isn't having effect. > > Any idea what I'm doing wrong? > > Thanks, > Marc > -- > "A mouse is a device used to point at the xterm you want to type in" - A.S.R. > Microsoft is to operating systems & security .... > .... what McDonalds is to gourmet cooking > Home page: http://marc.merlins.org/ > > ------------------------------------------------------------------------------ > Benefiting from Server Virtualization: Beyond Initial Workload > Consolidation -- Increasing the use of server virtualization is a top > priority.Virtualization can reduce costs, simplify management, and improve > application availability and disaster protection. Learn more about boosting > the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > ------------------------------------------------------------------------------ Benefiting from Server Virtualization: Beyond Initial Workload Consolidation -- Increasing the use of server virtualization is a top priority.Virtualization can reduce costs, simplify management, and improve application availability and disaster protection. Learn more about boosting the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
