[Simple-evcorr-users] Problem with supressed events

[Robert Horvath]

Hi all,

I have a small rule wich supresses the same events for 30 sec, but it acts
strange.
Here is my rule (I found the sceleton on the net):

type=EventGroup
ptype=regexp
pattern=(.*);(.*);(.*);(.*);(.*)(Msg: )(.{20})(.*)
count=lcall %ret $2 $7 -> ( sub { ++$counts{$_[0]}; } )
desc=supress_for_30_sec_$2_$7
action=none
end=lcall %ret $2 $7 -> ( sub { return delete $counts{$_[0]}; } ); \
                write /tmp/XXX ($1;$2;$3;$4;\(count:%ret\) $5$6$7$8)
window=30

I started SEC as:   sec-2.6.2/sec --detach --conf /tmp/sec.conf
--input=/tmp/log

After I sent several messages to /tmp/log:
echo "1;2000;3;4;5;6;Msg: 12345678901234567890 blahblahblah" >> /tmp/log
(waiting more than 30 sec)
echo "1;3000;3;4;5;6;Msg: 12345678901234567890 blahblahblah" >> /tmp/log
echo "1;3000;3;4;5;6;Msg: 12345678901234567890 blahblahblah" >> /tmp/log
echo "1;3000;3;4;5;6;Msg: 12345678901234567890 blahblahblah" >> /tmp/log
(waiting more than 30 sec)
echo "1;2000;3;4;5;6;Msg: 12345678901234567891 blahblahblah" >> /tmp/log
echo "1;2000;3;4;5;6;Msg: 12345678901234567892 blahblahblah" >> /tmp/log
echo "1;2000;3;4;5;6;Msg: 12345678901234567893 blahblahblah" >> /tmp/log

I got the following result:
1;2000;3;4;5;6;(count:1) Msg: 12345678901234567890 blahblahblah
1;3000;3;4;5;6;(count:3) Msg: 12345678901234567890 blahblahblah
1;2000;3;4;5;6;(count:3) Msg: 12345678901234567891 blahblahblah
1;2000;3;4;5;6;(count:) Msg: 12345678901234567892 blahblahblah
1;2000;3;4;5;6;(count:) Msg: 12345678901234567893 blahblahblah

As you can see the count of the 5th message was set to 3, and the others
were empty.

Can you help me what should be the problem with this rule?

Regards,
Robert

------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13. 
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users