hi Edward,

the task you have can be addressed with the help of context aliases. The following simplistic rule sets up a context and an alias for an observed event. The alias will suppress further events with the same FRQ number, but if an event with a different number comes in, the context is deleted (which also gets rid of the previous alias!) and recreated with an alias for the new FRQ number:

type=Single
ptype=RegExp
pattern=([\d.]+) 0 latest frq (\d+)
desc=FRQ $2 event from IP $1
context=!FRQ_$2_FROM_$1
action=write - %s; delete FRQ_FROM_$1; \
       create FRQ_FROM_$1; alias FRQ_FROM_$1 FRQ_$2_FROM_$1

Note that having the main context associated with the IP only allows for erasing the alias for the previous FRQ number, even though the number is not memorized explicitly.

Finally, let's thank John Rouillard for proposing the idea of having context aliases a couple of years ago :)

kind regards,
risto

On 04/28/2011 11:41 PM, Gleeck, Edward Joseph. (GSFC-444.0)[CAELUM RESEARCH CORP] wrote:
>
> First off, SEC rocks! We've been using it for quite some time.
>
> I was hoping to get some help in regards to creating a specific set of
> rules.
>
> Here's what I have. I would like to know when an event changes. Consider
> the following events:
>
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Apr 22 2004 127.0.0.0 0 latest frq 2
> Apr 22 2004 127.0.0.0 0 latest frq 3
> Apr 22 2004 127.0.0.0 0 latest frq 3
> Apr 22 2004 127.0.0.0 0 latest frq 4
>
> I would like to take action when frq changes from 0 to 2 or from 3 to 4.
> I'm not interested in the same values. NOW, to complicate matters these
> types of events aren't the only ones we are receiving, so, our events
> now look like:
>
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Other events
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Other events
> Other events
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Apr 22 2004 127.0.0.0 0 latest frq 2
> Apr 22 2004 127.0.0.0 0 latest frq 3
> Apr 22 2004 127.0.0.0 0 latest frq 3
> Other events
> Apr 22 2004 127.0.0.0 0 latest frq 4
>
> If the events we're receiving only contained the latest frq events, then
> I could easily compare them using sub {$_[0] ne $_[1]}, but they don't.
>
> Any help would be much appreciated.
>
> Thanks,
> Edward
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
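A small Python model of the context/alias mechanism the rule above relies on, run over the sample stream from Edward's mail. This is an added illustration, not SEC's own code: it mimics only the context operations the rule uses (create, delete, alias, and the negated context check), so that the suppression of repeated FRQ numbers and the firing on a change can be traced step by step.

```python
import re

# Same pattern as the SEC rule above: $1 = IP, $2 = FRQ number
PATTERN = re.compile(r"([\d.]+) 0 latest frq (\d+)")

class ContextStore:
    """Toy model of SEC contexts: a canonical name plus any number of
    aliases; deleting the context by any name removes all its aliases."""
    def __init__(self):
        self._canon = {}  # any name (canonical or alias) -> canonical name
        self._names = {}  # canonical name -> set of names resolving to it
    def exists(self, name):
        return name in self._canon
    def create(self, name):
        if name not in self._canon:
            self._canon[name] = name
            self._names[name] = {name}
    def delete(self, name):
        canon = self._canon.get(name)
        if canon is not None:
            for n in self._names.pop(canon):
                del self._canon[n]
    def alias(self, name, alias):
        canon = self._canon.get(name)
        if canon is not None:
            self._canon[alias] = canon
            self._names[canon].add(alias)

def process(events):
    """Run the rule over the lines; return the 'write' actions that fired."""
    store, fired = ContextStore(), []
    for line in events:
        m = PATTERN.search(line)
        if not m:
            continue  # "Other events" never match the pattern
        ip, frq = m.group(1), m.group(2)
        main_ctx, alias_ctx = f"FRQ_FROM_{ip}", f"FRQ_{frq}_FROM_{ip}"
        if store.exists(alias_ctx):
            continue  # context=!FRQ_$2_FROM_$1: same number already seen
        fired.append(f"FRQ {frq} event from IP {ip}")
        store.delete(main_ctx)  # also drops the alias for the old number
        store.create(main_ctx)
        store.alias(main_ctx, alias_ctx)
    return fired

# Constructed sample stream, mirroring the one in Edward's mail
SAMPLE = ["Other events" if n is None else f"Apr 22 2004 127.0.0.0 0 latest frq {n}"
          for n in (0, None, 0, None, None, 0, 2, 3, 3, None, 4)]
```

Running process(SAMPLE) fires once for frq 0, 2, 3 and 4; the repeated 0 and 3 lines and the "Other events" lines produce nothing.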