> Hi Risto,
>
> arghhh ... the solution for my problem is even in the man page :(
>
> Changing "C1" and "/^#/" -> ready to go
>
> Well ... that means ... I'm the winner of the 2011 "Did not RTFM" award.

No problem. The man page has become quite large over the years, and
although I attempted to rewrite and shorten it for the 2.6 version, the word
"page" (in singular) is highly misleading :)
In fact, we are talking about 35 pages (at least that's the result with
groff -T ps -man), so it's a larger whitepaper. And it is impossible to
permanently memorize all details you have read from such a document :)

regards,
risto

>
> Thank you,
>
> -Ralf-
>
> From "Risto Vaarandi" <risto.vaara...@gmail.com>:
>
>>hi Ralf,
>>although there is no separate action for this purpose, the context
>>event store can be filtered in various ways through several actions. I
>>would assign the event store to an action list variable, pass this
>>variable to a Perl code for filtering, and assign the result back to
>>the context event store. Here is one example (taken from SEC man
>>page):
>>
>>eval %funcptr ( sub { my(@buf) = split(/\n/, $_[0]); \
>>my(@ret) = grep(!/^#/, @buf); return @ret; } ); \
>>copy C1 %in; call %out %funcptr %in; fill C1 %out
>>
>>If filtering is designed to be done only in one place, using the newer
>>'lcall' action would be even shorter.
>>regards,
>>risto
>>
>