Thank you Risto.  I will take a look and try to apply what you are saying to my 
rules.  This looks like a good way.

I'm sure I will have more questions.

Have a nice weekend !!!

From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Friday, June 28, 2013 11:31 AM
To: Boyles, Gary P
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Variable Replacement for a specific event.

hi Gary,
strictly speaking, match variables as such can not be changed, since they are 
initialized after each pattern match. However, it is possible to cache match 
results, and have rules which retrieve results from the match cache. The 
overall idea is documented in the man page of the most recent SEC version (this 
example also demonstrates a couple of other ideas, such as the application of 
Jump rules for creating rule hierarchies):
http://simple-evcorr.sourceforge.net/man.html#lbBD
Once you have cached match results, they become visible across all rules and 
you can modify them. In order to do this, you have to use the :> context 
expression operator for getting a reference to the set of cached match 
variables. Once you have the reference, you can not only modify individual 
variables, but you can also delete existing match variables, and even introduce 
new variables (for example, $_[0]->{"newvariable"} = 1 would set the variable 
$+{newvariable} to 1).
From your post I also got an idea that maybe it is a better idea to actually 
rewrite your raw input, leaving match variables aside. If you feel you would 
just like to change your input with a specific rule as it comes in, and have 
the rest of the rules face the modified input, have a look at the 'rewrite' 
action in the SEC documentation. It would be perfect for erasing some of the 
fields from your input events, and I am using this action for the very same 
purpose.
kind regards,
risto

2013/6/28 Boyles, Gary P <gary.p.boy...@intel.com>
This is something I run into all the time.  I have an incoming event (example #1 
below) where I want to change the
message (or other variable) depending on how a rule executes.

The only method I'm familiar with in SEC, is to halt the current event 
(continue=DontCont), and send out a new
event with the message altered in the action.

My question - is there a way to change a variable in one rule, and have all 
subsequent rules use the modified variable.

     $1           $2          $3         $4              $5
1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have a problem here !!!

I'd like to keep everything but the message ($5), but not have to send in 
another event.  Is this possible?
1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have had this problem 10 times today !!!

Thanks.

Gary Boyles

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
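
The two approaches described in the reply above (changing cached match variables through the :> operator, and the 'rewrite' action), sketched as SEC rules for the sample event from the original question. This is an added example and not part of the original thread; the cache entry name EVENT, the variable names and the replacement message text are assumptions chosen for illustration, and options A and B are alternatives rather than one rule set.

```conf
# --- Option A: cache the match, then modify the cached variables ---

# Parse the event and store the match under the (assumed) cache entry EVENT.
# continue=TakeNext lets the following rules see the same input line.
type=Single
ptype=RegExp
pattern=^(\d+) :: (\S+) :: (\S+) :: (\S+) :: (.*)$
varmap=EVENT; time=1; host=2; check=3; severity=4; msg=5
continue=TakeNext
desc=parse monitoring event
action=none

# The :> operator hands the Perl function a reference to the cached
# variables of EVENT. For CRITICAL events the msg field is overwritten
# in the cache; the function returns 1 so the context evaluates true.
type=Single
ptype=Cached
pattern=EVENT
context=EVENT :> ( sub { return 0 unless $_[0]->{"severity"} eq "CRITICAL"; \
                         $_[0]->{"msg"} = "I have had this problem 10 times today !!!"; 1 } )
continue=TakeNext
desc=replace cached message for CRITICAL events
action=none

# Any later rule that reads the cache entry sees the modified $+{msg}.
type=Single
ptype=Cached
pattern=EVENT
desc=$+{time} :: $+{host} :: $+{check} :: $+{severity} :: $+{msg}
action=write - %s

# --- Option B: rewrite the raw input line instead ---

# Replace the last input line in the buffer, keeping the first four fields
# and substituting the message; rules after this one match the new line.
type=Single
ptype=RegExp
pattern=^(\d+ :: \S+ :: \S+ :: CRITICAL) :: .*$
continue=TakeNext
desc=rewrite message field of CRITICAL events
action=rewrite 1 $1 :: I have had this problem 10 times today !!!
```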
