Hi John,
I was using the event group method to check the interval between events. So
I use:
type=EventGroup
ptype=RegExp
thresh=2
window=10
pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
desc=CHECK_INTERVAL_$2
action=assign %deploymentId $2;\
create deploymentId_$2;\
create DEPLOYMENTID_CONTEXT;\
reset 0 %s;\
write - $2 heart beats heard within 10s.
end=write - $2 not heard for 10s since last receive event.
When I sent two events within 10s:
"deploymentId" => dsrgdeployment#srb_2",
"deploymentId" => dsrgdeployment#srb_2",
It gives me : "srb_2 heart beats heard within 10s".
But the second event did not trigger an end action like "srb_2 not heard
for 10s since last receive event", which I had hoped it would do.
Can anyone help?
Thanks.
On Tue, Jul 22, 2014 at 5:25 PM, Risto Vaarandi <risto.vaara...@gmail.com>
wrote:
> To: Yuheng Du <yuhe...@clemson.edu>
>> Cc: simple-evcorr-users@lists.sourceforge.net
>> Subject: Re: [Simple-evcorr-users] set low threshold of events in a
>> timewindow.
>> Date: Tue, 22 Jul 2014 16:22:26 -0400
>> From: "John P. Rouillard" <rou...@vm71.cs.umb.edu>
>>
>> Hello:
>>
>> In message
>> <CADJFWJ1yZut89ky8+PtjavgC=jjrpsftedk1h4udpwmc6fi...@mail.gmail.com> ,
>> Yuheng Du writes:
>>
>> >I need to have a rule which can help me do the following:
>> >
>> >If I detect a pattern, I need to start a sliding time window and check if
>> >the same pattern occurs at least once within this window.
>> >
>> >Here is what I do:
>> >
>> >type=PairWithWindow
>> >ptype=RegExp
>> >desc=$0
>> >pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
>> >continue=TakeNext
>> >action=assign %deploymentId $2;\
>> > create deploymentId_$2;\
>> > create DEPLOYMENTID_CONTEXT;\
>> > write - $2 not heard for 10s since last receive event.
>> >ptype2=RegExp
>> >pattern2=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
>> >continue=TakeNext
>> >desc2=$0
>> >action2=write - $2 heart beats heard within 10s.
>> >window=10
>> >
>> >This does not work. action2 never gets executed even when the pattern is
>> >matched within the 10s window.
>>
>> Pair rules suppress a pattern if it's seen again. Since pattern and
>> pattern2 are the same, the first time the event comes through, it
>> starts the event; the second time an event comes through, it is
>> suppressed and never hits pattern2.
>>
>
> also, in the pairwithwindow rule the 'desc' field is set to $0 which is
> generally not a good idea, since the 'desc' field defines the ID of the
> event correlation operations which are started by the rule (see this
> section in the official docs for full clarification:
> http://simple-evcorr.sourceforge.net/man.html#lbAX)
> Since the $0 variable holds the entire matching line, but lines might
> contain highly volatile fields such as timestamps, each incoming line could
> start a new operation. It is probably wiser to set desc=$2 (since $2 seems
> to hold some sort of ID which also seems to define the scope of event
> correlation).
>
>
>>
>> From the sec manual:
>>
>> When an event has matched the conditions defined by the pattern and
>> context field, SEC evaluates the operation description string given
>> with the desc field. If the operation for the given string exists, it
>> consumes the matching event without any action. If the operation does
>>
>> Off the top of my head you could do this with a single rule with
>> continue=takenext and a singlewiththreshold
>>
>> type = single
>> ...
>> action = create 10 deploymentId_$2 \
>> write - $2 not heard for 10s since last receive event.
>>
>> type = SingleWithThreshold
>> thresh = 2
>> window = 10
>> action = delete deploymentID_$2 ; \
>> write - $2 heart beats heard within 10s.
>>
>> The single rule creates a context (deploymentId_$2) that lives for 10
>> seconds. When the context (deploymentId_$2) times out, it reports that
>> two heartbeats were not seen.
>>
>> The SingleWithThreshold has a 10 second window in which 2 or more
>> arriving heartbeats will cause it to:
>>
>> delete the deploymentId_$2 context, so that the message is not sent.
>>
>> writes the message that two heartbeats were seen.
>>
>> Another option may be the Eventgroup rule with:
>>
>> type = EventGroup
>> desc = ...
>> pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
>> thresh = 2
>> window = 10
>> action = reset 0 %s; \
>> write - $2 heart beats heard within 10s.
>> end = write - $2 not heard for 10s since last receive event.
>>
>> What this is supposed to do is:
>>
>> when the first event comes in start a correlation operation.
>>
>> When the second event comes in within 10 seconds, execute "action".
>> The action resets the correlation operation (hopefully not
>> triggering the end action).
>>
>> If the 10 second window finishes and there has only been one event,
>> the correlation will end and trigger the end action which will report
>> that a second message has not been received.
>>
>> See the sec man page for further examples of EventGroup.
>>
>>
>>
> I'd like to add here that the 'reset' action will indeed not trigger the
> 'end'-action of the EventGroup operation. In fact, it was not explicitly
> mentioned in the official docs until recently, and I fixed this just a couple
> of weeks ago for the new 2.7.6 release.
> kind regards,
> risto
>
>
>> I have used the single/threshold mechanism before and it should
>> work. An expanded version of this idea can be found in the section:
>> "Reporting too few events in a time period" in the pdf at:
>>
>> http://www.cs.umb.edu/~rouilj/sec/sec_paper_full.pdf
>>
>> The EventGroup idea will probably need to be played with some more,
>> but I think it can also work.
>>
>
>> -- rouilj
>> John Rouillard
>>
>> ===========================================================================
>> My employers don't acknowledge my existence much less my opinions.
>>
>>
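As an added example that is not part of this thread (and not SEC's own code): a small Python model of the Single + SingleWithThreshold design John sketched above, replayed over constructed heartbeat lines with the thread's regex. It assumes that `create` on an existing context refreshes its lifetime and that the threshold counter is cleared once it fires; the timestamps are synthetic, and the lines are copied from the question.

```python
import re
from collections import deque

# Regex from the thread; group 2 is the deployment id (e.g. "srb_2").
HEARTBEAT_RE = re.compile(r'"deploymentId"\s+=>\s+(\S+)deployment#(\S+)"')
WINDOW = 10  # seconds, as in the rules under discussion


def correlate(events, end_time):
    """Model of rule 1 (Single: create context living WINDOW s) plus
    rule 2 (SingleWithThreshold thresh=2 window=WINDOW: delete context,
    report success). `events` is a list of (timestamp, line); the
    messages SEC would write are returned in order. Assumption: a context
    that already exists gets its lifetime refreshed by 'create'."""
    contexts = {}   # deployment id -> expiry timestamp of deploymentId_<id>
    recent = {}     # deployment id -> timestamps seen inside the sliding window
    out = []

    def expire(up_to):
        # Contexts whose lifetime ran out report the missing heartbeat.
        for dep, exp in sorted(contexts.items(), key=lambda kv: kv[1]):
            if exp <= up_to:
                out.append(f"{dep} not heard for {WINDOW}s since last receive event.")
                del contexts[dep]

    for ts, line in events:
        expire(ts)
        m = HEARTBEAT_RE.search(line)
        if not m:
            continue
        dep = m.group(2)
        contexts[dep] = ts + WINDOW            # rule 1: create 10 deploymentId_$2
        q = recent.setdefault(dep, deque())    # rule 2: count hits in the window
        q.append(ts)
        while q and q[0] <= ts - WINDOW:
            q.popleft()
        if len(q) >= 2:                        # threshold reached within window
            contexts.pop(dep, None)            # delete deploymentId_$2
            out.append(f"{dep} heart beats heard within {WINDOW}s.")
            q.clear()
    expire(end_time)
    return out


# Constructed input: the two lines from the question, 5 s apart.
LINE = '"deploymentId" => dsrgdeployment#srb_2",'
if __name__ == "__main__":
    print(correlate([(0, LINE), (5, LINE)], end_time=30))
    print(correlate([(0, LINE)], end_time=30))
```

Running it shows the two outcomes from the thread: a pair of heartbeats inside the window yields only the "heard" message, a lone heartbeat yields only the "not heard" message once its context expires.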
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users