Hi all:
I have an event group rule where I record every event that occurs into
a context. What I would like to do is prune events that are no longer
in the window from the context. While I can use the:
slide = shift files_$1_accessed %DISCARD
action to remove the oldest entry, sometimes I get two or more lines
recorded in the same second.
Since the slide only triggers once for the two lines, I end up
accumulating extra lines that will be reported if the threshold is
crossed. While I can trim the context to include only "thresh" lines
when reporting it, I would prefer to keep the context trimmed as I go
along so status dumps (generated with a USR1 signal) would show the
events that are currently in play.
Is there some way to get the count of events in a window similar to
how I can get a window position with getwpos? I would expect to use
the (hypothetical) getwevcount similarly to:
slide = getwevcount %lines 0 ;\
getsize %evcount acl_violations ;\
lcall %remove_lines %evcount %lines -> ( sub { $_[0]-$_[1]; } ) ;\
while %remove_lines ( shift acl_violations %discard; \
lcall %remove_lines %remove_lines -> ( sub { $_[0]-1; } ) ; \
) ;
Anybody with an alternate idea on how I could get what I want?
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
------------------------------------------------------------------------------
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
