Risto,

Thanks. That did it. I keep forgetting that "desc" is not just for an internal description.

I changed the rule to the following, and it now works perfectly.

type=SingleWithSuppress
continue=TakeNext
ptype=RegExp
pattern=^(\d+)\s+::\s+(\S+)\s+::\s+(\S+).*$
context=($3) -> ( sub { \
  if ( defined $dup_detect_class_300{$_[0]} ) { return 1; } \
  else { return 0; } } )
window=300
desc=dup_detect_class_300_sec_And_Go::$2::$3
action=write /sec/log/sec.main.log %u $0

Thanks again.

Gary Boyles, Intel

-----Original Message-----
From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Thursday, November 01, 2012 2:12 PM
To: Boyles, Gary P
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] SingleWithSuppress Question.

hi Gary,

the scope of event suppression is entirely set with the 'desc' field of the rule. Each time a new event comes in, 'desc' is evaluated and combined with the rule file name and rule number. If there is an event correlation operation already running for the resulting value, the event is consumed by this operation, otherwise a new operation is started. Since you have used $0 in 'desc', which equals the entire line, each unique line will create a new suppression operation.

There is also a section discussing this matter in the official documentation:
http://simple-evcorr.sourceforge.net/man.html#EVENT%20CORRELATION%20OPERATIONS

The regular expression itself seems to work properly to me -- I'd use the ^ anchor for ensuring that the matching starts from the beginning of the line:

^(\d+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)

with kind regards,
risto

2012/11/1 Boyles, Gary P <gary.p.boy...@intel.com>:
> Hi,
>
> I'm using SingleWithSuppress to suppress events. However, I want to ignore
> the message (normally in $7) in this determination.
>
> Currently, it seems to take the entire line into account.
>
> Is there a way to discount the message? What I want to do is only report
> one event for each node ($2) and each "class" ($3).
>
> In the example the class is APP_XYZ. Message is text "My Dog Has...".
>
> Is there a way of structuring the Regex so that this will work? Otherwise,
> it comes down to context perl code.
>
> My input-format and my rule are listed below.
>
> Thanks.
>
> Gary Boyles, Intel
>
> Input Events:
>
> 1351784591 :: fmssrvdev002 :: APP_XYZ :: myXYZ :: CRITICAL :: NOTIFY :: My Dog Has Flees (994)
> 1351784591 :: fmssrvdev002 :: APP_XYZ :: myXYZ :: CRITICAL :: NOTIFY :: My Dog Has Flees (995)
> 1351784591 :: fmssrvdev002 :: APP_XYZ :: myXYZ :: CRITICAL :: NOTIFY :: My Dog Has Flees (996)
> 1351784591 :: fmssrvdev002 :: APP_XYZ :: myXYZ :: CRITICAL :: NOTIFY :: My Dog Has Flees (997)
> 1351784591 :: fmssrvdev002 :: APP_XYZ :: myXYZ :: CRITICAL :: NOTIFY :: My Dog Has Flees (998)
> 1351784591 :: fmssrvdev002 :: APP_XYZ :: myXYZ :: CRITICAL :: NOTIFY :: My Dog Has Flees (999)
>
> Rule:
>
> type=SingleWithSuppress
> continue=TakeNext
> ptype=RegExp
> pattern=(\d+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+).*$
> context=($3) -> ( sub { \
>   if ( defined $dup_detect_class_300{$_[0]} ) { return 1; } \
>   else { return 0; } } )
> window=300
> desc=dup_detect_class_300_sec_And_Go :: $0
> action=write /sec/log/sec.main.log %u %s
>
> Just as an FYI... the $dup_detect_class_300 array has an entry for APP_XYZ.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
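The keying behaviour discussed in this thread, as an added Python model that is not code from the thread or from SEC itself: it runs the two 'desc' values over the six posted events plus two constructed ones. Assumptions: the rule file name `dup.sec`, rule number 0, the host `fmssrvdev003`, and using the epoch in field 1 as the clock are all hypothetical simplifications.

```python
import re

# Pattern from the corrected rule posted in the thread.
PATTERN = re.compile(r'^(\d+)\s+::\s+(\S+)\s+::\s+(\S+).*$')

def expand(template, match):
    """Fill $0..$9 in a 'desc' template from the regex match ($0 = whole line)."""
    return re.sub(r'\$(\d)', lambda m: match.group(int(m.group(1))), template)

def single_with_suppress(lines, desc, window=300,
                         rule_id=("dup.sec", 0),      # hypothetical file name / rule number
                         classes=("APP_XYZ",)):       # stands in for %dup_detect_class_300
    """Return the lines for which the rule's action would run.

    Simplified model: one operation per (rule file, rule number, expanded desc).
    The first event for a key runs the action; further events with the same key
    are consumed until `window` seconds have passed.
    """
    started = {}                                      # operation key -> start time
    fired = []
    for line in lines:
        m = PATTERN.match(line)
        if not m or m.group(3) not in classes:        # pattern and context must both hold
            continue
        now = int(m.group(1))                         # assumption: field 1 is the clock
        key = rule_id + (expand(desc, m),)
        if key in started and now - started[key] < window:
            continue                                  # consumed by the running operation
        started[key] = now
        fired.append(line)
    return fired

TAIL = ":: APP_XYZ :: myXYZ :: CRITICAL :: NOTIFY :: My Dog Has Flees"
# The six events from the thread ...
SAMPLE = [f"1351784591 :: fmssrvdev002 {TAIL} ({n})" for n in range(994, 1000)]
# ... plus two constructed events: another node, and the same node 301 s later.
SAMPLE += [f"1351784600 :: fmssrvdev003 {TAIL} (1000)",
           f"1351784892 :: fmssrvdev002 {TAIL} (1001)"]

OLD_DESC = "dup_detect_class_300_sec_And_Go :: $0"    # keyed on the whole line
NEW_DESC = "dup_detect_class_300_sec_And_Go::$2::$3"  # keyed on node and class

if __name__ == "__main__":
    print("desc with $0:     ", len(single_with_suppress(SAMPLE, OLD_DESC)), "actions")
    print("desc with $2::$3: ", len(single_with_suppress(SAMPLE, NEW_DESC)), "actions")
```

With `$0` in the key every distinct line starts its own operation, so nothing is suppressed; with `$2::$3` the action runs once per node and class until the window expires.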