Hi Risto:

In message <cagfjscpwzfevya4aakrb41bs7dxp3a+9sqytnsgb9dey5yg...@mail.gmail.com>,
Risto Vaarandi writes:
>how about this rule:
>
>type=EventGroup
>ptype=RegExp
>pattern=.
>desc=match everything
>count=add LINES $0; add TIMES %u
>slide=getwpos %time 0; assign %true 1; while %true ( \
>  shift TIMES %temp; lcall %quit %temp %time -> ( sub { $_[0] >= $_[1] } ); \
>  if %quit ( prepend TIMES %temp; break ); shift LINES %temp2 )
>action=report LINES /bin/cat
>end=delete LINES; delete TIMES
>thresh=3
>window=10
>
>It harnesses a separate context for keeping timestamps of stored
>events, but this rule can be modified to have timestamps and events
>stored into a single context. That would of course require a separate
>perl code snippet for parsing out the timestamp in front of the event.

Ah I didn't think of having a second context with the times. I'll give
that a shot and see if I can make it work with my ruleset.

Thanks.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
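
The single-context variant mentioned in the quoted message needs Perl code that splits the timestamp from the stored event. The following is an added example, not code from either poster or from SEC itself; it assumes each entry is stored as `<epoch seconds> <event line>`, and the function names and sample lines are constructed for illustration. Wiring it into the rule's slide action is not shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Split one stored entry into (timestamp, event).
# Returns an empty list when the entry has no leading epoch timestamp.
# The "<epoch> <event>" storage format is an assumption of this example.
sub parse_entry {
    my ($entry) = @_;
    return $entry =~ /^(\d+) (.*)$/s ? ($1, $2) : ();
}

# Drop entries that are older than the window start and return the rest
# in their original order. Like the quoted slide loop, it stops at the
# first entry whose timestamp is >= the window start. An entry at the
# head of the list that cannot be parsed is dropped as well, so that a
# malformed line cannot stall the pruning and let the list grow forever.
sub prune_entries {
    my ($window_start, @entries) = @_;
    while (@entries) {
        my ($ts) = parse_entry($entries[0]);
        last if defined $ts && $ts >= $window_start;
        shift @entries;
    }
    return @entries;
}

# Constructed sample: four stored events and one malformed entry.
my @stored = (
    "1000 sshd[411]: Failed password for root from 192.0.2.10",
    "1003 sshd[411]: Failed password for root from 192.0.2.10",
    "malformed entry without a timestamp",
    "1006 sshd[412]: Failed password for admin from 192.0.2.10",
    "1009 sshd[413]: Failed password for admin from 192.0.2.10",
);

# The window now starts at 1005: only the last two events are kept.
my @kept = prune_entries(1005, @stored);

# Report the surviving events without their timestamp prefix.
print "$_\n" for map { (parse_entry($_))[1] } @kept;
```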