Hi,
I have a problem with the following "PairWithWindow" rule. It's either my
logic, a bug, or the way I understand the rule should work.
Here is the rule in question:

type=PairWithWindow
window=60
continue=GoTo END_CORRELATE_PAIR_WITH_WINDOW
ptype=RegExp
pattern=(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(.*)\s+::\s+(\S+.*)
context=($4 $5) -> ( sub { if ( defined $correlate1{"$_[0]::$_[1]::60"}) { return 1;} })
desc=Correlate1_PWW_60_A::$2::$4::$5
action=write /sec/log/sec.main.log %u %s; write /sec/log/sec.main.log %u $1 :: $2 :: $3 :: $4 :: $5 :: $6 :: $7
continue2=GoTo END_CORRELATE_PAIR_WITH_WINDOW
ptype2=RegExp
pattern2=(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(.*)\s+::\s+(\S+.*)
context2=(%4 %5 $4 $5) -> ( sub { if ( $correlate1{"$_[0]::$_[1]::60"} =~ /$_[2]::$_[3]/i) { return 1;} })
desc2=Correlate1_PWW_60_B::%2::$2::%4::$4::%5::$5
action2=write /sec/log/sec.main.log %u %s; write /sec/log/sec.main.log %u $1 :: $2 :: $3 :: $4 :: $5 :: $6 :: $7

The hoped-for logic is as follows:
I send in events in the following format:
# Timestamp NodeName Class Monitor Severity Route Message
# --------- -------- ----- -------- -------- ------ -------
# $1 :: $2 :: $3 :: $4 :: $5 :: $6 :: $7
If an event comes in from nodeA and it matches monitorA::CRITICAL::60 in the
"correlate1" table, then the PairWithWindow starts.
Since "desc=" includes node::monitor::severity I assumed that events with
different nodes would start different "PairWithWindow" instances.
If I send in another event from nodeB, and it matches monitorA::CRITICAL::60 in
the "correlate1" table, then another PairWithWindow starts (as expected).
If I do another event from nodeC - yet another PairWithWindow instance starts.
If after 60 seconds no matching event for any PairWithWindow occurs... then
"action" occurs for events nodeA, nodeB, and nodeC - as expected (see log
below).
However, if I initiate all PairWithWindow events above, and initiate ONE
"pattern2" option below... then ALL "action2" actions
get executed. Not just the instance that pertains to a single node.
Now, I can fix this by adding the nodes to the "correlate1" hash-table key, but
I didn't think this is the way to handle this.
I had thought... that since I had node-name described in the "desc="
definition, that the events would be separated by node::monitor::severity,
and not just the monitor::severity.
Is this not the case? If not... how is "desc=" used?
Thanks for your help.
Regards,
Gary
(Log-File Output Below)
(this is what happens if I wait for 60-second timer to expire)
1362155066 Correlate1_PWW_60_A::gpbuxA::gpbMonitor4::CRITICAL
1362155066 00 :: gpbuxA :: class :: gpbMonitor4 :: CRITICAL :: i=:n=:a=: :: Test Message
1362155071 Correlate1_PWW_60_A::gpbuxB::gpbMonitor4::CRITICAL
1362155071 00 :: gpbuxB :: class :: gpbMonitor4 :: CRITICAL :: i=:n=:a=: :: Test Message
1362155077 Correlate1_PWW_60_A::gpbuxC::gpbMonitor4::CRITICAL
(this is what happens when I send in ONE event that matches pattern2 for either
A,B, or C... all 3 seem to unwind together)
1362155077 00 :: gpbuxC :: class :: gpbMonitor4 :: CRITICAL :: i=:n=:a=: :: Test Message
1362155281 Correlate1_PWW_60_B::gpbuxB::gpbuxB::gpbMonitor4::gpbMonitor4::CRITICAL::OK
1362155281 00 :: gpbuxB :: class :: gpbMonitor4 :: OK :: i=:n=:a=: :: Test Message
1362155281 Correlate1_PWW_60_B::gpbuxC::gpbuxB::gpbMonitor4::gpbMonitor4::CRITICAL::OK
1362155281 00 :: gpbuxB :: class :: gpbMonitor4 :: OK :: i=:n=:a=: :: Test Message
1362155281 Correlate1_PWW_60_B::gpbuxA::gpbuxB::gpbMonitor4::gpbMonitor4::CRITICAL::OK
1362155281 00 :: gpbuxB :: class :: gpbMonitor4 :: OK :: i=:n=:a=: :: Test Message
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
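
The behaviour in the log above, reproduced as an added Python model (not part of the original post and not SEC's own code). It assumes that desc only keys the operations and that every open operation tests an incoming event against pattern2/context2 on its own, which is what the three Correlate1_PWW_60_B lines show. The CORRELATE1 contents, the compare_node switch (comparing %2 with $2) and the replay helper are constructed for illustration.

```python
import re

# Event layout from the post: Timestamp :: NodeName :: Class :: Monitor :: Severity :: Route :: Message
EVENT_RE = re.compile(r"(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(\S+)\s+::\s+(.*)\s+::\s+(\S+.*)")
# Constructed stand-in for the poster's %correlate1 table (its real contents are not shown).
CORRELATE1 = {"gpbMonitor4::CRITICAL::60": "gpbMonitor4::OK"}


class PairWithWindowModel:
    """Simplified model of one PairWithWindow rule; the 60 s window timer is not modelled."""

    def __init__(self, compare_node):
        self.compare_node = compare_node  # hypothetical extra check: %2 must equal $2
        self.ops = {}                     # desc string -> fields of the event that opened it

    def _context2(self, first, ev):
        # context2 from the post: $correlate1{"%4::%5::60"} =~ /$4::$5/i
        target = CORRELATE1.get(f"{first[3]}::{first[4]}::60", "")
        if not re.search(re.escape(f"{ev[3]}::{ev[4]}"), target, re.I):
            return False
        return first[1] == ev[1] if self.compare_node else True

    def feed(self, line):
        """Return the desc strings of the operations this event closed (action2 fired)."""
        m = EVENT_RE.match(line)
        if not m:
            return []
        ev = m.groups()
        # Every open operation tests the event against pattern2/context2 on its own.
        closed = [d for d, first in self.ops.items() if self._context2(first, ev)]
        for d in closed:
            del self.ops[d]
        # pattern/context: open a new operation only if none exists for this desc.
        if not closed and f"{ev[3]}::{ev[4]}::60" in CORRELATE1:
            desc = f"Correlate1_PWW_60_A::{ev[1]}::{ev[3]}::{ev[4]}"
            self.ops.setdefault(desc, ev)
        return closed


def replay(compare_node):
    """Feed three CRITICAL events, then one OK event for gpbuxB (all constructed)."""
    model = PairWithWindowModel(compare_node)
    for node in ("gpbuxA", "gpbuxB", "gpbuxC"):
        model.feed(f"00 :: {node} :: class :: gpbMonitor4 :: CRITICAL :: i=:n=:a=: :: Test Message")
    closed = model.feed("00 :: gpbuxB :: class :: gpbMonitor4 :: OK :: i=:n=:a=: :: Test Message")
    return sorted(closed), sorted(model.ops)
```

replay(False) closes all three operations with the single gpbuxB event, as in the log; replay(True) closes only the gpbuxB operation and leaves the other two open.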