Hi All,
I have a request for a rule-set that does the following:
1. An event comes in with "node" in $2, class NFS_IS_Slow in ($4), severity
in ($5), and source in ($10).
2. The request is for an event of this class ($4) from node ($2) to change the
severity ($5) from CRITICAL to HARMLESS.
3. This is fairly easy to do... with the following rule:
type=Single
continue=DontCont
ptype=perlFunc
pattern=sub { my (@parseStr) = split/ :: /, $_[0]; return (@parseStr); }
context=!(NFS_STOP::$2::$10) && ($4 $5) -> (sub { my $class = $_[0]; my
$severity = $_[1]; \
if ($class =~ /nfs_slow/i && $severity eq "CRITICAL") { return 1; } else {
return 0; } } )
desc=NFS_Slow_To_HARMLESS::$2::$10
action=write %SEC_HOME/log/EC.main.log %u %s ;
\
event $1 :: $2 :: $3 :: $4 :: HARMLESS :: $6 :: $7 :: $8 :: $9 :: $10
:: $11 :: $12 :: $13 :: $14
More Info:
I have a request to keep the severity of CRITICAL - if the "source" ($10) is
different for two events.
Question:
Is there an easy way to set the context "NFS_STOP::$2::$10" if the source ($10)
changes?
I've got perl-code that sets this in a rule, and this rule is placed before the
one above,
but I was looking for a simple way to evaluate a previous event/context and set
the context
below without using a lot of perl code.
Summary:
1. I use the rule above to change/replace the severity from CRITICAL to
HARMLESS.
2. But I also need to NOT do that (i.e. deactivate the rule) if $10 is
different for two events.
Thanks.
Gary Boyles
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
