In message <007301cf3cd1$868be420$93a3ac60$@gmail.com>, "andrewarnier" writes:
>Hi Risto,
>I tried to use timestamps in custom format as you said,
>
>type=SingleWithThreshold
>ptype=regexp
>pattern=(.+) (.+) (.+) (.+) (.+) A Spanning Tree Topology Change at
>(.+)/(.+) on VLAN (\d+)
>desc=A Spanning Tree Topology Change flapping flapping event for device $4
>at $6/$7 on VLAN $8 in 5 seconds
>action=call %time -> ( sub { my(@time) = localtime(); \
> my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
> $time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1], $time[0]); \
> return $timestamp; } )
>thresh=2
>window=6
>
>but I got the error msg as follows,
>$ perl /usr/local/sbin/sec.pl -conf=test_sec.cfg -input=-
>SEC (Simple Event Correlator) 2.4.1
>Reading configuration from test_sec.cfg
>Rule in test_sec.cfg at line 38: Variable -> does not have the form
>%<letter>[<letter>|<digit>|<underscore>]...
>Rule in test_sec.cfg at line 38: Invalid action list ' call %time -> ( sub {
>my(@time) = localtime(); my($timestamp) = sprintf( "%04d-%02d-%02d
>%02d:%02d:%02d", $time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1],
>$time[0]); return $timestamp; } ) '
>3 rules loaded from test_sec.cfg
>
>Am I missing anything?

Risto's example used lcall; you used call. They are not the same.

>Andrew
>-----Original Message-----
>From: Risto Vaarandi [mailto:risto.vaara...@seb.ee]
>Sent: Monday, March 10, 2014 7:21 PM
>To: simple-evcorr-users@lists.sourceforge.net
>Subject: Re: [Simple-evcorr-users] pipe format
>
>On 03/10/2014 10:25 AM, andrewarnier wrote:
>> Hi all,
>>
>> I have set a rule as follows,
>>
>> type=PairWithWindow
>>
>> ptype1=RegExp
>>
>> pattern1=CI-16800 Carrier Loss On The LAN in FAC-(.+)-(.+)
>> \(majorServiceAffecting\),ifIndex=(.+)
>>
>> desc=Carrier Loss On The LAN in FAC-$1-$2
>>
>> action=write - Carrier Loss On The LAN in FAC-$1-$2
>>
>> ptype2=RegExp
>>
>> pattern2=CN-15600 Transport Layer Failure in FAC-(.+)-(.+)
>> \(majorServiceAffecting\),ifIndex=(.+)
>>
>> desc2= $1-$2 Transport Layer Failure in FAC-$3-$4
>> \(majorServiceAffecting\),ifIndex=$5
>>
>> action2=pipe '%t,CI-16800 <> CN-15600, CI-16800 Carrier Loss On The
>> LAN
>> FAC-$1-$2 and CN-15600 Transport Layer Failure FAC-$3-$4' /bin/mail -s
>> "Carrier Loss On The LAN" andrewarn...@gmail.com
>>
>> window=5
>>
>> then
>>
>> $ perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg -input=-
>>
>> Sun Nov 3 20:40:55 2013 .1.3.6.1.4.1.3607.6.10.30.0.220 Critical "ONS"
>> CI-16800 - CI-16800 Carrier Loss On The LAN in FAC-1-2
>> (majorServiceAffecting),ifIndex=12290
>>
>> Sun Nov 10 20:05:54 2013 .1.3.6.1.4.1.3607.6.10.30.0.3540 Major "ONS"
>> CN-15600 - CN-15600 Transport Layer Failure in FAC-3-4
>> (majorServiceAffecting),ifIndex=12293
>>
>> When the rule matches, it will pipe the message as follows to my mailbox:
>>
>> Mon Mar 10 15:46:05 2014, CI-16800 <> CN-15600, CI-16800 Carrier Loss
>> On The LAN FAC-3-4 and CN-15600 Transport Layer Failure FAC-12293-$4
>>
>> Now my problem is how to transform %t format to %Y-%m-%d %H:%M:%S and
>> get pattern1 and pattern2 variables
>>
>> So I want to get the message as follows:
>>
>> 2014-03-10 15:46:05 , CI-16800<> CN-15600, CI-16800 Carrier Loss On
>> The LAN FAC-1-2 ifIndex=12290 and CN-15600 Transport Layer Failure in
>> FAC-3-4 ifIndex=12293
>>
>> Can anyone give me some advice on what to do please?
>
>In order to use timestamps in custom format, I would recommend to use a sec
>action which invokes Perl code, for example
>
>action=lcall %time -> ( sub { my(@time) = localtime(); \
> my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \
> $time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1], $time[0]); \
> return $timestamp; } )
>
>As for the problems you have with match variables in the PairWithWindow
>rule, read the relevant example in the official documentation -- apart from
>standard $1, $2, ... variables you also need to use %1, %2, ...
>variables: http://simple-evcorr.sourceforge.net/man.html#lbAP
>
>(Note that this part of the docs was updated a lot in mid-January, so it's
>worthwhile to take another look.)
>
>Also, recently there was a relevant discussion in the mailing list:
>http://sourceforge.net/p/simple-evcorr/mailman/message/31907966/
>
>hth,
>risto
>
>>
>> Andrew
>>
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.