Hi Risto,

arghhh ... the solution for my problem is even in the man page :(
Changing "C1" and "/^#/" -> ready to go

Well ... that means ... I'm the winner of the 2011 "Did not RTFM" award.

Thank you,
-Ralf-

From "Risto Vaarandi" <risto.vaara...@gmail.com>:
>hi Ralf,
>although there is no separate action for this purpose, the context
>event store can be filtered in various ways through several actions. I
>would assign the event store to an action list variable, pass this
>variable to a Perl code for filtering, and assign the result back to
>the context event store. Here is one example (taken from SEC man
>page):
>
>eval %funcptr ( sub { my(@buf) = split(/\n/, $_[0]); \
>my(@ret) = grep(!/^#/, @buf); return @ret; } ); \
>copy C1 %in; call %out %funcptr %in; fill C1 %out
>
>If filtering is designed to be done only in one place, using the newer
>'lcall' action would be even shorter.
>regards,
>risto

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
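
The shorter 'lcall' form mentioned in the quoted reply, written out as a complete SEC rule. This is an added example, not part of the original messages or the SEC man page; the rule type, pattern and desc are constructed for illustration, C1 is the context name from the thread, and the context is assumed to exist already.

```conf
# Constructed rule: on a trigger line, drop comment lines (those starting
# with '#') from the event store of context C1.
type=Single
ptype=RegExp
pattern=^filter-context$
desc=remove comment lines from the event store of C1
# copy  : event store of C1 -> %in (events joined with newlines)
# lcall : compile the Perl function in place and call it with %in;
#         it returns the kept lines as one newline-joined string
# fill  : replace the event store of C1 with the filtered result
action=copy C1 %in; \
       lcall %out %in -> ( sub { join("\n", grep(!/^#/, split(/\n/, $_[0]))) } ); \
       fill C1 %out
```

Because lcall compiles the function where it is used, no separate eval step or %funcptr variable is needed; the eval/call pair remains the better fit when the same filter is reused by several rules.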