Hi Gary,

strictly speaking, match variables as such cannot be changed, since they
are initialized after each pattern match. However, it is possible to cache
match results, and have rules which retrieve results from the match cache.
The overall idea is documented in the man page of the most recent SEC
version (this example also demonstrates a couple of other ideas, such as the
application of Jump rules for creating rule hierarchies):
http://simple-evcorr.sourceforge.net/man.html#lbBD

Once you have cached match results, they become visible across all rules
and you can modify them. In order to do this, you have to use the :>
context expression operator for getting a reference to the set of cached
match variables. Once you have the reference, you can not only modify
individual variables, but you can also delete existing match variables, and
even introduce new variables (for example, $_[0]->{"newvariable"} = 1 would
set the variable $+{newvariable} to 1).

From your post I also got an idea that maybe it is a better idea to
actually rewrite your raw input, leaving match variables aside. If you feel
you would just like to change your input with a specific rule as it comes
in, and have the rest of the rules face the modified input, have a look at
the 'rewrite' action in the SEC documentation. It would be perfect for
erasing some of the fields from your input events, and I am using this
action for the very same purpose.

kind regards,
risto

2013/6/28 Boyles, Gary P <gary.p.boy...@intel.com>
> This is something I run into all the time. I have incoming event
> (example #1 below) where I want to change the
> message (or other variable) depending on how a rule executes.
>
> The only method I’m familiar with in SEC, is to halt the current event
> (continue=DontCont), and send out a new
> event with the message altered in the action.
>
> My question – is there a way to change a variable in one rule, and have
> all subsequent rules use the modified variable.
>
> $1 $2 $3 $4 $5
>
> 1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have a problem here !!!
>
> I’d like to keep everything but the message ($5), but not have to send in
> another event. Is this possible?
>
> 1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have had this problem
> 10 times today !!!
>
> Thanks.
>
> Gary Boyles
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
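The cached-match approach from the reply, applied to the event format in the question, as an added example that is not from either poster or from the SEC man page. The cache entry name EVENT, the variable names (ts, host, service, severity, msg), the `%main::seen` counter and the message text are assumptions made for illustration.

```conf
# Rule 1: parse the raw event and store the match variables in the
# pattern match cache under the (assumed) entry name EVENT.
type=Single
ptype=RegExp
pattern=^(\d+) :: (\S+) :: (\S+) :: (\S+) :: (.*)$
varmap=EVENT; ts=1; host=2; service=3; severity=4; msg=5
continue=TakeNext
desc=cache fields of event from $+{host}
action=none

# Rule 2: the :> operator passes a reference to the cached variables of
# EVENT as $_[0]. Count events per host/service in a Perl hash and
# overwrite the cached msg from the second occurrence on. The trailing 1
# makes the context expression true, so processing continues normally.
type=Single
ptype=Cached
pattern=EVENT
context=EVENT :> ( sub { my $ev = $_[0]; \
        my $n = ++$main::seen{"$ev->{host}/$ev->{service}"}; \
        $ev->{msg} = "I have had this problem $n times today !!!" if $n > 1; \
        1 } )
continue=TakeNext
desc=update cached message
action=none

# Rule 3: any later rule that matches the cache entry sees the modified
# msg, with the other fields unchanged and no new event submitted.
type=Single
ptype=Cached
pattern=EVENT
desc=$+{host} $+{service} $+{severity}
action=write - $+{ts} :: $+{host} :: $+{service} :: $+{severity} :: $+{msg}
```

The pattern match cache is cleared for each new input line, so the counter is kept in a Perl hash rather than in the cache itself.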