Hi guys,
I want to do a correlation between event so If I heard/not heard a message
coming from the same machine within 10s, I need to got notified.
I am using an EventGroup rule to do this:
type=EventGroup
ptype=RegExp
thresh=2
window=10
pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
desc=CHECK_INTERVAL_$2
action=assign %deploymentId $2;\
create deploymentId_$2;\
create DEPLOYMENTID_CONTEXT;\
write - $2 heart beats heard within 10s.
slide=reset 0 %s;
end=write - $2 not heard for 10s since last receive event.;\
create $2_HEARTBEAT_TIMEOUT;\
event $2 not heard for 10s.
However, the pattern can only identify messages coming form ANY
deploymentId, while I want it to identify any messages coming from a
SPECIFIC deploymentId.
like in:
"deploymentId" => deployment#srb_2",
"deploymentId" => deployment#srb_4",
"deploymentId" => deployment#srb_2",
I only want to correlate messages coming from srb_2 alone or srb_4 alone.
Anyone have a suggestion how I can do it with eventgroup rule?
Or I should just switch to single/singlewiththreshold method as John
suggested in list
http://sourceforge.net/p/simple-evcorr/mailman/message/32640664/ ?
Thanks!
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
