The effect you are seeing is caused by the rule ordering and more specific
patterns appearing later in the rule chain. Let's have a closer look into
the first two rules:

type=Single
ptype=SubStr
pattern=set
desc=$0
action= set TESTCTX 60

type=Single
ptype=SubStr
pattern=setaction
desc=$0
action= set TESTCTX 60 ( write - "setaction : TEXTCTX expired at %t" )

When you inspect the 'pattern' fields more closely, it is easy to see that
whatever matches the second rule will always match the first rule, because
any line that contains the substring "setaction" will also contain the
substring "set". Since the lines matched by a rule are not passed to
following rules by default (unless you have modified the default behavior
with the 'continue' keyword), the second rule will never see any input.

However, if we change the 'pattern' field of the second rule to
pattern=changeaction, it produces the expected effect, since this time the
first rule doesn't capture relevant events:

sec-2.7.7/sec --conf SEC-misc/bond.rules --input -
SEC (Simple Event Correlator) 2.7.7
Reading configuration from SEC-misc/bond.rules
5 rules loaded from SEC-misc/bond.rules
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
create
Creating context 'TESTCTX'
changeaction
Changing settings for context 'TESTCTX'
obsolete
Obsoleting context 'TESTCTX'
Deleting stale context 'TESTCTX'
Writing event '"setaction : TEXTCTX expired at Fri Oct 16 10:52:30 2015"'
to file '-'
"setaction : TEXTCTX expired at Fri Oct 16 10:52:30 2015"
Stale context 'TESTCTX' deleted

As a less efficient alternative, you can also set the 'continue' field of
the first rule to 'TakeNext' which will invoke the 'set' action twice for
TESTCTX, with the first action changing only the lifetime and the second
adjusting both the lifetime and the action list.

Hope this helps,
risto
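
A check for the shadowing described in the reply above, as an added example (not part of the original message and not SEC code): a small Python lint that reports any ptype=SubStr rule whose pattern contains the pattern of an earlier type=Single, ptype=SubStr rule. It assumes the rule-file layout shown in this thread, treats an earlier rule with a 'context' field or an explicit non-default 'continue' value as not shadowing, and uses hypothetical function names.

```python
# SAMPLE is constructed from the first two rules quoted in this thread.
SAMPLE = """\
type=Single
ptype=SubStr
pattern=set
desc=$0
action= set TESTCTX 60

type=Single
ptype=SubStr
pattern=setaction
desc=$0
action= set TESTCTX 60 ( write - "setaction : TEXTCTX expired at %t" )
"""

def parse_rules(text):
    """Split rule-file text into one {field: value} dict per rule."""
    rules, cur, pending = [], {}, ""
    for raw in text.splitlines() + [""]:
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                 # backslash joins the next line
            pending = line[:-1]
        elif not line or line.startswith("#"):  # blank/comment line ends a rule
            if cur:
                rules.append(cur)
            cur = {}
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return rules

def consumes(rule):
    """True when a line matched by this rule is not passed to later rules."""
    return (rule.get("type", "").lower() == "single" and "context" not in rule
            and rule.get("ptype", "").lower() == "substr" and rule.get("pattern")
            and rule.get("continue", "DontCont").lower() == "dontcont")

def shadowed_rules(text):
    """Return (earlier_no, earlier_pattern, later_no, later_pattern) tuples."""
    rules, found = parse_rules(text), []
    for j, later in enumerate(rules):
        if later.get("ptype", "").lower() != "substr":
            continue
        for i, earlier in enumerate(rules[:j]):
            if consumes(earlier) and earlier["pattern"] in later.get("pattern", ""):
                found.append((i + 1, earlier["pattern"], j + 1, later["pattern"]))
                break
    return found
```

Calling shadowed_rules(SAMPLE) reports rule 2 ("setaction") as shadowed by rule 1 ("set"); with pattern=changeaction or continue=TakeNext on the first rule it reports nothing.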


2015-10-16 2:54 GMT+03:00 Bond Masuda <bond.mas...@jlbond.com>:

> I'm not getting the behavior I was expecting, so wanted to ask about
> 'set'. I've read the man page that says:
>
> *set <name> <time> [<action list>]* Change settings for the context
> <name>. The creation time of the context is set to the current time, and
> the lifetime of the context is set to <time> seconds. If the <action list>
> parameter is given, the context action list is set to <action list>. The
> <name> parameter may not contain whitespace and defaults to %s. The <time>
> parameter must evaluate to an unsigned integer or hyphen (-) at runtime.
> Specifying 0 for <time> means infinite lifetime. If <time> equals to -, the
> creation time and lifetime of the context are not changed. If <action list>
> contains several actions, the list must be enclosed in parentheses. In
> <action list>, the internal context name _THIS may be used for referring to
> the current context (see INTERNAL EVENTS AND CONTEXTS section for a
> detailed discussion).
>
> When I try to set the action list on a context that already has an action
> list, it does not accept (no errors either) the change by 'set' action.
> The context retains the original action list.
>
> This is my test SEC rule file:
>
> type=Single
> ptype=SubStr
> pattern=set
> desc=$0
> action= set TESTCTX 60
>
> type=Single
> ptype=SubStr
> pattern=setaction
> desc=$0
> action= set TESTCTX 60 ( write - "setaction : TEXTCTX expired at %t" )
>
> type=Single
> ptype=SubStr
> pattern=test
> desc=$0
> action= exists %have_TESTCTX TESTCTX; \
>     if %have_TESTCTX ( \
>         write - "TEXTCTX context exists" \
>     )
>
> type=Single
> ptype=SubStr
> pattern=create
> desc=$0
> action= create TESTCTX 60 ( write - "original : TEXTCTX expired at %t" )
>
> type=Single
> ptype=SubStr
> pattern=obsolete
> desc=$0
> action= obsolete TESTCTX
>
> Here's the output when I run the above test rules:
>
> # sec -conf=./test.sec -input=-
> SEC (Simple Event Correlator) 2.7.7
> Reading configuration from ./test.sec
> 5 rules loaded from ./test.sec
> No --bufsize command line option or --bufsize=0, setting --bufsize to 1
> Opening input file -
> Interactive process, SIGINT can't be used for changing the logging level
> create
> Creating context 'TESTCTX'
> test
> Checking the presence of context 'TESTCTX'
> Variable '%have_TESTCTX' set to '1'
> Writing event '"TEXTCTX context exists"' to file '-'
> "TEXTCTX context exists"
> set
> Changing settings for context 'TESTCTX'
> test
> Checking the presence of context 'TESTCTX'
> Variable '%have_TESTCTX' set to '1'
> Writing event '"TEXTCTX context exists"' to file '-'
> "TEXTCTX context exists"
> setaction
> Changing settings for context 'TESTCTX'
> test
> Checking the presence of context 'TESTCTX'
> Variable '%have_TESTCTX' set to '1'
> Writing event '"TEXTCTX context exists"' to file '-'
> "TEXTCTX context exists"
> obsolete
> Obsoleting context 'TESTCTX'
> Deleting stale context 'TESTCTX'
> Writing event '"original : TEXTCTX expired at Thu Oct 15 19:45:39 2015"'
> to file '-'
> "original : TEXTCTX expired at Thu Oct 15 19:45:39 2015"
> Stale context 'TESTCTX' deleted
> create
> Creating context 'TESTCTX'
> obsolete
> Obsoleting context 'TESTCTX'
> Deleting stale context 'TESTCTX'
> Writing event '"original : TEXTCTX expired at Thu Oct 15 19:46:04 2015"'
> to file '-'
> "original : TEXTCTX expired at Thu Oct 15 19:46:04 2015"
> Stale context 'TESTCTX' deleted
>
> After the 'setaction' message, I was expecting a different action list to
> be executed when I issued 'obsolete' message, not the original action list
> from when the context was created?
>
> Is this as intended or a bug?
> Bond
>
>
> ------------------------------------------------------------------------------
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>