The support for this is currently not there, but could be added through 
a change in the match variable substitution routine. This morning, I've 
done some preliminary testing of this idea, using $+{:cache_entry:var} 
syntax (maybe the $+{.cache_entry.var} is a better option, since : seems 
to be associated with json :)
Although the idea is nice, it will introduce extra CPU time consumption 
for all users, even if they are not using this particular feature. For 
example, substitutions into context expressions are often done when the 
matching itself is not yet complete. I hope that doing a preliminary 
check for $+{: in the string with a switch to a simpler regular expression 
will help here.
with kind regards,
risto

On 11/05/2012 12:33 AM, John P. Rouillard wrote:
>
>   On Sat, 20 Oct 2012, Risto Vaarandi wrote:
>>
>> hi David,
>> I have completed some work on the alpha version of the next release,
>
> Does this alpha release include any support for incremental parsing?
>
> Reference:
>
> http://www.mail-archive.com/simple-evcorr-users@lists.sourceforge.net/msg01120.html
>
> This would speed up parsing as I could write short rules that match
> key elements (host, service/daemon, pid...) and extract that
> data. Then it would jump to a ruleset that parses the body of the
> message for additional fields. Currently I have to parse the same data
> over and over again and can't optimize the regexp by removing the
> initial fields from the regexp that I know are already there. E.g. assume:
>
>     2012-1103T23:15:10 example.com kernel: ACCEPT 10.201.20.32 from 
> 158.121.100.3 port 30
>
> I would like to have one command to parse out the: date/time, host,
> "kernel" and "ACCEPT" fields, then a set of rules/regexps that start
> with the word "from" (which can be quickly scanned for in the string)
> and a set of rules for the "from" ip address. This means I parse the
> host field only once. Not once for every "from" rule that I have.
>
> However I need the date/time, host and other data available in places
> where $N variables are now.
>
> There is another event correlation engine that does this sort of
> incremental parsing. It allows you to parse the event and pull data
> from it before sending it to another ruleset to do finer grained
> parsing and data extraction. Wish I could remember what the engine was
> called.
>
> --
>                               -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>

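The two-stage scheme discussed in this thread (one match for the header fields every line shares, then a ruleset that only parses the body, with the header values still addressable from the body rule) as an added Python example; this is not SEC's code or Risto's patch. The `$+{:entry:var}` lookup models the syntax floated in the reply, and the sample lines, rule names and the `dst`/`src` field names are constructed assumptions.

```python
import re
# Constructed sample events shaped like the example in the thread (not real traffic).
SAMPLE_LINES = [
    "2012-11-03T23:15:10 example.com kernel: ACCEPT 10.201.20.32 from 158.121.100.3 port 30",
    "2012-11-03T23:15:12 example.com sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51000",
]
# Stage 1: one regexp for the fields every line shares; the remainder is the body.
HEADER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<body>.*)$")
# Stage 2: per-program rulesets matched against the body only (dst/src field names are assumptions).
BODY_RULESETS = {
    "kernel": [("firewall", re.compile(
        r"^(?P<action>ACCEPT|DROP) (?P<dst>\S+) from (?P<src>\S+) port (?P<port>\d+)$"))],
    "sshd": [("ssh_login", re.compile(
        r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)$"))],
}
VAR_RE = re.compile(r"\$\+\{(?::(\w+):)?(\w+)\}")  # $+{var} or $+{:entry:var}
TEMPLATES = {
    "firewall": "$+{:header:host} $+{action} from $+{src} to $+{dst}:$+{port}",
    "ssh_login": "$+{:header:host} login $+{user} from $+{src} (pid $+{:header:pid})",
}

def substitute(template, cache, match_vars):
    """Expand $+{var} from the current match and $+{:entry:var} from a cached stage-1 entry."""
    def lookup(m):
        entry, var = m.group(1), m.group(2)
        source = cache.get(entry, {}) if entry else match_vars
        return source.get(var) or ""
    # Cheap pre-check, as suggested in the reply: run the regexp only when "$+{" is present.
    return VAR_RE.sub(lookup, template) if "$+{" in template else template

def parse_event(line, cache):
    """Stage 1 caches header fields under cache['header']; stage 2 matches the body only."""
    hdr = HEADER_RE.match(line)
    if not hdr:
        return None, {}
    cache["header"] = {k: v for k, v in hdr.groupdict().items() if k != "body"}
    for name, rx in BODY_RULESETS.get(hdr.group("prog"), []):
        m = rx.match(hdr.group("body"))
        if m:
            return name, m.groupdict()
    return None, {}

def process(lines):
    cache, out = {}, []
    for line in lines:
        rule, vars_ = parse_event(line, cache)
        if rule in TEMPLATES:
            out.append(substitute(TEMPLATES[rule], cache, vars_))
    return out
```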

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
