On 10/12/2012 07:47 PM, Boyles, Gary P wrote:
> John,
> Thanks for the information.
>
> Is it possible to set %xx variables as part of a pattern return, or $n, or is
> that also just reserved for "action" statements.
>
> For example... this code works, but I'd like to retain the node and class
> name, and send back to SEC for use by other rules.  Any idea on how that
> would be accomplished?
>
> This works... but how to retain node and class in $1 and $2, or %node_class
> ???

Assigning node and class to match variables can be done quite easily --
instead of "return 1", return the list of relevant values which will then
be mapped to match variables in the order given in the list. For example,

    return ($myNode, $myClass);

would assign the value of $myNode to $1 and $myClass to $2.
Also, in your example below, $1 would be assigned 1.

The only case where return value(s) are not assigned to match variables is
when you return a value from a function which evaluates false in Perl boolean
context (that's the case for 0 and empty string). Since this is an
indication the Perl function pattern did *not* match the event, match
variables will not be set.

with kind regards,
risto

>
> type=Single
> continue=DontCont
> ptype=perlfunc
> pattern=sub { \
>      my(@myLine) = (); \
>      my($myNode) = "0"; \
>      my($myClass)= "0"; \
>      @myLine = split(/\s+::\s+/, $_[0]); \
>      if (defined($myLine[1])) { $myNode = $myLine[1]; } \
>      if (defined($myLine[2])) { $myClass = $myLine[2]; } \
>      if ( exists $suppressTbl{$myNode}) \
>      { if ($suppressTbl{$myNode} =~ /$myClass|0/i) { return 1; } } \
>      return 0; \
>    }
> desc=NodeAndClassSuppress::$0
> action=write /sec/log/sec.suppress.log %s
>
>
> Thanks again for your help!
>
>
>
> -----Original Message-----
> From: John P. Rouillard [mailto:rou...@cs.umb.edu]
> Sent: Friday, October 12, 2012 9:23 AM
> To: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] Use Of lcall.
>
>
> In message
> <eddf5556138a864f836192f6d101812a110c6...@fmsmsx104.amr.corp.intel.c
> om>, "Boyles, Gary P" writes:
>
>> Question on "lcall"...
>>
>> Is "lcall" a keyword for the action statement only (i.e. one of the
>> action->list keywords)?
>
> Yes.
>
>> I tried to use it with pattern, and it doesn't seem to recognize it there.
>
> To call perl from a pattern, I think you have to use a *perlfunc ptype.
>
> Now that said, I believe:
>
>    if a rule run on startup does an:
>
>       eval %f { sub fooble {do something;} }
>
> I think the later use of:
>
>    type = ...
>    ptype = perlfunc
>    pattern = sub (&fooble (arg1, arg2) )
>
> or some modification of that should work as all the user supplied
> functions are compiled into the same namespace IIRC.
>
> Somebody who has done more work with the SEC/perl interface will no
> doubt have a better idea, or be able to prove I am talking
> foolishness.
>
> --
>                               -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
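
Added example, not part of the original thread and not the posters' own code: the quoted rule changed as the reply describes, so the PerlFunc pattern returns the node and class into $1 and $2, which are then passed on to another rule through a synthetic event. The table contents, the SUPPRESSED event text and the first and third rules are assumptions made for illustration; the first rule needs SEC started with -intevents.

```conf
# Added example: SEC rule file with Perl inside pattern=.
# Rule 1 (assumption): load a constructed suppression table at startup.
# Keys are node names, values are the classes to suppress ("0" = any).
type=Single
ptype=RegExp
pattern=^(SEC_STARTUP|SEC_RESTART)$
context=SEC_INTERNAL_EVENT
desc=load suppression table
action=eval %o ( %suppressTbl = ( "nodeA" => "disk", "nodeB" => "0" ); 1 )

# Rule 2: the rule from the thread, returning a list instead of 1.
# The returned list is mapped to $1 (node) and $2 (class); "return 0"
# still means "no match", so no match variables are set in that case.
# No '#' comments inside the function: the backslash continuations join
# it into one line, and a comment would swallow the rest of the code.
# The suppression test /$myClass|0/i is kept as posted; note that
# $myClass is interpolated into the regular expression as-is.
type=Single
continue=DontCont
ptype=PerlFunc
pattern=sub { \
     my @myLine = split(/\s+::\s+/, $_[0]); \
     my $myNode  = defined($myLine[1]) ? $myLine[1] : "0"; \
     my $myClass = defined($myLine[2]) ? $myLine[2] : "0"; \
     if (exists $suppressTbl{$myNode} && \
         $suppressTbl{$myNode} =~ /$myClass|0/i) { \
       return ($myNode, $myClass); \
     } \
     return 0; \
   }
desc=NodeAndClassSuppress::$1::$2
action=write /sec/log/sec.suppress.log %s; \
       event 0 SUPPRESSED node=$1 class=$2

# Rule 3 (assumption): another rule consuming the values sent back to SEC.
type=Single
ptype=RegExp
pattern=^SUPPRESSED node=(\S+) class=(\S+)$
desc=suppressed event for node $1, class $2
action=logonly
```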