Do I understand correctly that you would like to check certain fields of json events received from sec inputs? If so, I'd recommend to take advantage of the PerlFunc pattern for parsing these events. Almost two years ago, there was a discussion in the mailing list which concerned json events specifically, and I submitted sample rules for parsing json:
http://sourceforge.net/p/simple-evcorr/mailman/message/30058671/

In the parsing rules, JSON::decode_json() function is invoked which stores its results into a perl hash. It is straightforward to check specific keyword-value pairs inside this hash, and include these checks within the same PerlFunc pattern. Also, if you don't care about flattening json structure and setting SEC match variables, you can omit the flatten() function from this example altogether, which will make this ruleset really short.

Hope this helps,
risto

From: Yuheng Du [mailto:yuhe...@clemson.edu]
Sent: Tuesday, August 19, 2014 3:41 PM
To: Risto Vaarandi
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Single with Script variable return

Hi Risto,

The array is initialized and created as the input of SEC. It is of the Json format.

Thanks.
Yuheng

On Tue, Aug 19, 2014 at 4:29 AM, Risto Vaarandi <risto.vaara...@gmail.com> wrote:

2014-08-18 22:37 GMT+03:00 Yuheng Du <yuhe...@clemson.edu>:

Hi Guys,

Is there any method to the return value of a script in SingleWithScript rule? I have 8 readings in an array and I want to return which (one or many) specific items in that array is exceptional using a perl script. Then based on the return value of the script, I want to decide my actions. So I need to return an integer to my rule in order to decide the action.

Can I use SingleWithScript rule to do this? Or is there any other methods?

Where exactly is this array created and how it is initialized? Since there is no straightforward way to fetch a child process exit code from rules, it might be simpler to have a PerlFunc pattern for executing the perl code and setting the array. However, if the perl code involves time-consuming external queries, I'd not recommend PerlFunc pattern, since it is not executed asynchronously. In that case, you could try the 'spawn' action for executing the perl script, and communicate with SEC by generating synthetic events from perl script.

If you prefer to use SingleWithScript, you can also use the following strategy -- write the exit code value into a file, and have 'if () else ()' statements in your action list for executing different actions based on the content of the file.

hope this helps,
risto

Thanks.

best,
Yuheng

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
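
The PerlFunc approach recommended in the first reply above, sketched as a SEC ruleset. This is an added example, not part of the original thread and not the sample rules linked from it. The JSON field name `readings`, the sample event, and the "above 100 is exceptional" criterion are assumptions, since the thread does not give the event format.

```conf
# Added example (not from the thread). Run SEC with --intevents so that the
# SEC_STARTUP internal event is generated, for instance:
#   sec --conf=json.sec --input=- --intevents
#
# Assumed event format (constructed sample, one JSON document per line):
#   {"host":"node1","readings":[10,250,7,3,101,0,42,99]}
# Assumed criterion: a reading above 100 is exceptional.

# Load the JSON module at startup and terminate SEC if it is not available.
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
desc=Load the JSON module
action=eval %ret (require JSON); \
       if %ret ( logonly JSON module loaded ) else ( eval %o exit(1) )

# Decode the event and check the array inside the same PerlFunc pattern.
# decode_json() dies on malformed input, so it is wrapped in eval and such
# lines simply do not match. The function returns two values (the list of
# exceptional positions and their count), which SEC maps to $1 and $2;
# returning both also keeps the pattern matching when the only exceptional
# position is 0, which would be false as a single return value.
# No Perl comments are used inside the pattern because the continuation
# lines are joined into one line.
type=Single
ptype=PerlFunc
pattern=sub { my $ev = eval { JSON::decode_json($_[0]) }; \
    return 0 unless ref($ev) eq "HASH" && ref($ev->{"readings"}) eq "ARRAY"; \
    my $r = $ev->{"readings"}; \
    my @bad = grep { defined($r->[$_]) && !ref($r->[$_]) \
                     && $r->[$_] > 100 } 0 .. $#{$r}; \
    return 0 unless @bad; \
    return (join(",", @bad), scalar(@bad)); }
desc=Exceptional readings at positions $1
action=write - $2 exceptional reading(s) at array position(s) $1
```

With the constructed sample event above, the second rule matches with `$1` set to `1,4` and `$2` set to `2`, so further rules or `if () else ()` statements can branch on those values without a child process exit code.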