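Hi John,

how about this rule:

# LINES holds the matched events, TIMES holds their timestamps (%u).
# On each slide, entries are shifted out of both contexts until the oldest
# remaining timestamp is not older than the window start returned by getwpos.
type=EventGroup
ptype=RegExp
pattern=.
desc=match everything
count=add LINES $0; add TIMES %u
slide=getwpos %time 0; assign %true 1; while %true ( \
      shift TIMES %temp; lcall %quit %temp %time -> ( sub { $_[0] >= $_[1] } ); \
      if %quit ( prepend TIMES %temp; break ); shift LINES %temp2 )
action=report LINES /bin/cat
end=delete LINES; delete TIMES
thresh=3
window=10
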
It harnesses a separate context for keeping timestamps of stored events, but this rule can be modified to have timestamps and events stored into a single context. That would of course require a separate Perl code snippet for parsing out the timestamp in front of the event.

kind regards,
risto

2014/1/16 John P. Rouillard <rou...@cs.umb.edu>:
>
> Hi all:
>
> I have an event group rule where I record every event that occurs into
> a context. What I would like to do is prune events that are no longer
> in the window from the context. While I can use the:
>
>    slide = shift files_$1_accessed %DISCARD
>
> action to remove the oldest entry, sometimes I get two or more lines
> recorded in the same second.
>
> Since the slide only triggers once for the two lines, I end up
> accumulating extra lines that will be reported if the threshold is
> crossed. While I can trim the context to include only "thresh" lines
> when reporting it, I would prefer to keep the context trimmed as I go
> along so status dumps (generated with a USR1 signal) would show the
> events that are currently in play.
>
> Is there some way to get the count of events in a window similar to
> how I can get a window position with getwpos? I would expect to use
> the (hypothetical) getwevcount similarly to:
>
>    slide = getwevcount %lines 0 ;\
>            getsize %evcount acl_violations ;\
>            lcall %remove_lines %evcount %lines -> ( sub { $_[0]-$_[1]; } ) ;\
>            while %remove_lines ( shift acl_violations %discard; \
>               lcall %remove_lines %remove_lines -> ( sub { $_[0]-1; } ) ; \
>            ) ;
>
> Anybody with an alternate idea on how I could get what I want?
>
> --
>                                 -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
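The pruning problem and the timestamp-based fix discussed in this thread, modelled in Python as an added example (not part of the original messages and not SEC code). The function names, the sample events and the slide moment are constructed assumptions; the model takes the new window start as input instead of reproducing how SEC computes it.

```python
from collections import deque

def prune_one_per_slide(lines):
    """Naive pruning: drop exactly one stored line per slide."""
    if lines:
        lines.popleft()

def prune_by_timestamp(lines, times, window_start):
    """Drop every stored line whose timestamp is before window_start.
    Mirrors the slide loop of the rule: shift, compare, prepend, break."""
    while times:                       # also stops cleanly on an empty queue
        oldest = times.popleft()
        if oldest >= window_start:
            times.appendleft(oldest)   # still inside the window: put it back
            break
        lines.popleft()                # stale: discard the matching line

def simulate(events, slides):
    """events: (timestamp, line) pairs; slides: (slide_time, new_window_start).
    Returns the lines each strategy keeps after replaying all slides."""
    naive, lines, times = deque(), deque(), deque()
    pending = deque(sorted(events))
    for slide_time, window_start in slides:
        # Record every event seen up to the moment of the slide.
        while pending and pending[0][0] <= slide_time:
            ts, line = pending.popleft()
            naive.append(line)
            lines.append(line)
            times.append(ts)
        prune_one_per_slide(naive)
        prune_by_timestamp(lines, times, window_start)
    return list(naive), list(lines)

# Constructed sample: two events share second 100, the next arrives at 112.
EVENTS = [(100, "acl deny a"), (100, "acl deny b"), (112, "acl deny c")]
# Constructed slide: a single slide at time 112 moves the window start to 112.
SLIDES = [(112, 112)]

if __name__ == "__main__":
    naive, exact = simulate(EVENTS, SLIDES)
    print("one shift per slide:", naive)   # a stale line from second 100 remains
    print("timestamp pruning:  ", exact)   # only the in-window line remains
```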