> To: Yuheng Du <yuhe...@clemson.edu>
> Cc: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] set low threshold of events in a
> timewindow.
> In-Reply-To: Your message of "Tue, 22 Jul 2014 12:24:02 EDT."
>              <CADJFWJ1yZut89ky8+PtjavgC=jjrpsftedk1h4udpwmc6fi...@mail.gmail.com>
> Reply-To: rou...@ieee.org
> Date: Tue, 22 Jul 2014 16:22:26 -0400
> From: "John P. Rouillard" <rou...@vm71.cs.umb.edu>
> Message-Id: <20140722202226.da05d...@vm71.cs.umb.edu>
>
>
> Hello:
>
> In message
> <CADJFWJ1yZut89ky8+PtjavgC=jjrpsftedk1h4udpwmc6fi...@mail.gmail.com> ,
> Yuheng Du writes:
>
> >I need to have a rule which can help me do the following:
> >
> >If I detect a pattern, I need to start a sliding time window and check if
> >the same pattern occurs at least once within this window.
> >
> >Here is what I do:
> >
> >type=PairWithWindow
> >ptype=RegExp
> >desc=$0
> >pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
> >continue=TakeNext
> >action=assign %deploymentId $2;\
> >       create deploymentId_$2;\
> >       create DEPLOYMENTID_CONTEXT;\
> >      write - $2 not heard for 10s since last receive event.
> >ptype2=RegExp
> >pattern2=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
> >continue2=TakeNext
> >desc2=$0
> >action2=write - $2 heart beats heard within 10s.
> >window=10
> >
> >This does not work. action 2 never gets executed even the pattern is
> >matched within 10s window.
>
> Pair rules suppress a pattern if it is seen again. Since pattern and
> pattern2 are the same, the first time the event comes through, it
> starts the event; the second time an event comes through, it is
> suppressed and never hits pattern 2.
>

Also, in the PairWithWindow rule the 'desc' field is set to $0, which is
generally not a good idea, since the 'desc' field defines the ID of the
event correlation operations which are started by the rule (see this
section in the official docs for full clarification:
http://simple-evcorr.sourceforge.net/man.html#lbAX).
Since the $0 variable holds the entire matching line, and lines might
contain highly volatile fields such as timestamps, each incoming line could
start a new operation. It is probably wiser to set desc=$2 (since $2 seems
to hold some sort of ID which also seems to define the scope of event
correlation).


>
> From the sec manual:
>
>    When an event has matched the conditions defined by the pattern and
>    context field, SEC evaluates the operation description string given
>    with the desc field. If the operation for the given string exists, it
>    consumes the matching event without any action. If the operation does
>
> Off the top of my head you could do this with a single rule with
> continue=takenext and a singlewiththreshold
>
>   type = Single
>   ...
>   continue = TakeNext
>   # context lives 10s; its action list runs only if it expires (delete cancels it)
>   action = create deploymentId_$2 10 \
>            ( write - $2 not heard for 10s since last receive event. )
>
>   type = SingleWithThreshold
>   ...
>   thresh = 2
>   window = 10
>   # second heartbeat within the window: cancel the pending "not heard" report
>   action = delete deploymentId_$2; \
>            write - $2 heart beats heard within 10s.
>
> The single rule creates a context (deploymentId_$2) that lives for 10
> seconds. When the context (deploymentId_$2) times out, it reports that
> two heartbeats were not seen.
>
> The SingleWithThreshold has a 10 second window in which 2 or more
> arriving heartbeats will cause it to:
>
>    delete the  deploymentId_$2 context, so that the message is not sent.
>
>    writes the message that two heartbeats were seen.
>
> Another option may be the Eventgroup rule with:
>
> type = EventGroup
> ptype = RegExp
> pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
> desc = ...
> thresh = 2
> window = 10
> action = reset 0 %s; \
>          write - $2 heart beats heard within 10s.
> end = write - $2 not heard for 10s since last receive event.
>
> What this is supposed to do is:
>
>    when the first event comes in start a correlation operation.
>
>    When the second event comes in within 10 seconds, execute "action".
>      The action resets the correlation operation (hopefully not
>      triggering the end action).
>
>   If the 10 second window finishes and there has only been one event,
>      the correlation will end and trigger the end action which will report
>      that a second message has not been received.
>
> See the sec man page for further examples of EventGroup.
>
>
>
I'd like to add here that the 'reset' action will indeed not trigger the
'end' action of the EventGroup operation. In fact, it was not explicitly
mentioned in the official docs until recently, and I fixed this just a couple
of weeks ago for the new 2.7.6 release.
Kind regards,
risto


> I have used the single/threshold mechanism before and it should
> work. An expanded version of this idea can be found in the section
> "Reporting too few events in a time period" in the pdf at:
>
>   http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf
>
> The EventGroup idea will probably need to be played with some more,
> but I think it can also work.
>

> - --
>                                 -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
>
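As an added illustration (not part of the thread, and not SEC code): a small Python model of the EventGroup semantics John describes, run over constructed log lines, which also shows Risto's point about desc=$0 versus desc=$2. Timer expiry is approximated by checking pending operations whenever a line is processed and once more at end_time.

```python
import re

# Regex from the rule in the thread ($1 = the quote char, $2 = the deployment ID).
PATTERN = re.compile(r'"deploymentId"\s+=>\s+(\S+)deployment#(\S+)",')

# Constructed sample input (not from the thread): (seconds since start, log line).
EVENTS = [
    (0, 'Jul 22 12:24:00 host app: "deploymentId" => "deployment#A",'),
    (4, 'Jul 22 12:24:04 host app: "deploymentId" => "deployment#A",'),
    (6, 'Jul 22 12:24:06 host app: "deploymentId" => "deployment#B",'),
    (20, 'Jul 22 12:24:20 host app: "deploymentId" => "deployment#A",'),
]

def by_id(m):      # desc=$2: one operation per deployment ID
    return m.group(2)

def by_line(m):    # desc=$0: the whole line, unique here because of its timestamp
    return m.string

def correlate(events, end_time, key=by_id, window=10, thresh=2):
    """Simulation of the EventGroup rule: an operation identified by desc
    starts on the first matching event; once `thresh` events arrive within
    `window` seconds, 'action' fires and 'reset' cancels the operation
    without running 'end'; if the window closes with fewer, 'end' fires."""
    ops = {}   # desc -> [start_time, event_count, deployment_id]
    out = []

    def expire(now):
        for desc, (start, count, ident) in list(ops.items()):
            if now - start >= window:   # count < thresh, or it would be gone already
                out.append(f"{ident} not heard for {window}s since last receive event.")
                del ops[desc]

    for ts, line in events:
        expire(ts)
        m = PATTERN.search(line)
        if m is None:
            continue
        desc = key(m)
        op = ops.setdefault(desc, [ts, 0, m.group(2)])
        op[1] += 1
        if op[1] >= thresh:
            out.append(f"{op[2]} heart beats heard within {window}s.")
            del ops[desc]   # 'reset 0 %s': drop the operation, so 'end' never runs
    expire(end_time)
    return out
```

Calling `correlate(EVENTS, 30)` reports A heard, then B and A not heard; `correlate(EVENTS, 30, key=by_line)` never reports a heartbeat as heard, because every timestamped line starts its own operation.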
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users