hi Jaren,

let me add a few suggestions below:

>
> rem=create context and store first mid-count 2 and 3
> type=EventGroup1
> ptype=Cached
> pattern=SubjectMID
> context=SM_$+{subject}
> thresh=2
> window=60
> count=add SM_$+{subject} $+{mid}
> desc=create context by subject_$+{subject}
> end=delete SM_$+{subject}
> action = copy SM_$+{subject} %hashmids; lcall %o %hashmids -> ( \
> print "\nArrive!!!!!";\

The Perl code that has been provided with 'lcall' action is not a valid
function definition, and you need to enclose the code in sub { } construct.
For example:

lcall %o %hashmids -> ( sub { print "\nArrive!!!!!"; } )

Also, the value of the %hashmids variable is not used in the function (in
the perl function, $_[0] variable refers to the first input parameter).

> Output:
>
> SEC (Simple Event Correlator) 2.6.2
> Reading configuration from C:\prueba.conf
>
> Rule in C:\prueba.conf at line 10: Eval 'print "\nArrive!!!!!";' didn't
> return a code reference: 1
> Rule in C:\prueba.conf at line 10: Invalid action list ' copy SM_$+{subject}
> %hashmids; lcall %o %hashmids -> ( print "\nArrive!!!!!";);reset 0; '

you are seeing this error message since 'lcall' does not have a correct
function definition (see my previous remark).

>
> Is it possible to pass to the perl function a changing context name
> depending on the $+{subject} variable and process this data as i told you
> before?

you can do that, but then you would have to access SEC's internal context
data structure, in order to process the context event store (the context
name serves as a key into %main::context_list hash table, and in this hash
table). In my opinion, that is not a very clean way, and passing a newline
separated string of numerals into the function is both simpler and more
readable. Also, you wouldn't have any dependencies on sec internals.

Just out of curiosity -- is my understanding correct that the lines you
want to process are all appearing in the same input file:

email:Mid 52364 Subject:'Hello World'
email:Mid 52365 Subject:'Hello World'
email:Mid 52366 Subject:'Hello World'
email:Mid 52366 sender:'s...@sec.com'
email:Mid 52365 sender:'ja...@sec.com'
email:Mid 52364 sender:'pe...@sec.com'

If that is the case, it might be cheaper not to repeatedly search the input
file with Perl code which is expensive, but rather implement the same logic
with sec rules.
What is your actual goal for extracting the e-mail addresses based on
subject lines? There might be a much shorter and more elegant way for
addressing this problem.

kind regards,
risto

> One create a 'SM_Hello World', other email context can be 'SM_Hello from
> SEC', other one 'SM_Hallo Frank', 'SM_Julius notes', etc...
>
> Finally in the first email i just added the perl function that i designed to
> search into the files this data.
>
> This one(Not working, because i add notes text between ##########):
>
> eval %o ( \
> $i=0;\
> my(@arraymids)=();\
> ####################################\
> #Here i want to read again the context and extract the values. Add to the
> array for processing.\
> @midcont=("52366","52365","52364");\
> ###################################
> @files = <C:\\files\\m*.log>;\
> print "@files";\
> if(@files){\
> foreach $file (@files) {\
> open (FILE, "$file");\
> while($line= <FILE> ){\
> my ($mid, $email)= $line=~ m/email:Mid\s(\d+)\ssender\:\'([^\']*)\'/gi;\
> print "\n====>Vuelta\n";\
> foreach my $lmid (@midcont) {\
> print "\nMid fichero===>$mid\tlmid===>$lmid\n" if defined($mid);\
> if ($mid == $lmid){\
> my ($username, $domain) = $email =~ /(.*)@(.*)/;\
> print "\nDOMAIN FINDED===>$domain\n";\
> unshift(@arraymids, $domain);\
> }\
> }\
> }\
> }\
> if($arraymids[0] eq $arraymids[1] && $arraymids[0] eq $arraymids[2]){\
> print "\n=======>SAME DOMAIN\n";\
> }else{\
> print "\n=======>Different DOMAIN\n";\
> }\
> }else{\
> print "========>NO FILES TO SEARCH";\
> }\
> );reset 0;
>
> Thank you Risto again. Regards.
>
> 2016-10-01 12:50 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
>>
>> 2016-09-30 12:20 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
>> > Hi Risto,
>> >
>> > I have a little doubt that i haven't seen in the documentation.
>> > I want to detect and keep some data from the logs and then read the
>> > context
>> > again and extract this data to process this info through a perl
>> > function.
>> >
>>
>> ...
>>
>> > action = eval %o ( \
>> > $i=0;\
>> > my(@arraymids)=();\
>> > ####################################\
>> > #Here i want to read again the context and extract the values. Add to
>> > the
>> > array for processing.\
>> > @midcont=("52366","52365","52364");\
>> > ###################################
>>
>> I am still not sure whether I have understood the problem correctly,
>> but if you would like to access the event store of the SEC context
>> from a Perl function/expression, I would recommend to use the 'copy'
>> action before the Perl code is invoked. For example, if the event
>> store of context TEST contains events "test1", "test2" and "test3",
>> then the following action
>>
>> copy TEST %events
>>
>> will set the action list variable %events to the following string
>> "test1<NEWLINE>test2<NEWLINE>test3".
>> After the %events variable has been set, you can pass it as an input
>> parameter to the Perl function invoked with 'lcall' action. If you are
>> using 'eval', the %events variable can be directly accessed from the
>> Perl code, since it is substituted before each compilation and
>> execution. (Again, I would take the opportunity and recommend the use
>> of 'lcall' instead of 'eval', since 'lcall' is much more efficient.)
>>
>> kind regards,
>> risto

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
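
An added example, not code from either participant in the thread: a stand-alone Perl script with a function shaped like the one the 'lcall' action above would invoke, taking the newline-separated string that 'copy' produces as $_[0] and reporting whether all of those message ids share one sender domain. The second argument (the log text to search), the name $same_domain and the sample addresses are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Shaped like the function an 'lcall' action would invoke: $_[0] is the
# newline-separated event store that 'copy' placed in %hashmids.
# The second argument (log text to search) is an assumption for this demo.
my $same_domain = sub {
    my ($mids, $log) = @_;

    # One message id per line; ignore blank or non-numeric entries.
    my %wanted = map { $_ => 1 } grep { /^\d+$/ } split /\n/, $mids // '';
    return 0 unless %wanted;

    # Map each wanted message id to its lower-cased sender domain.
    my %domain_of;
    for my $line (split /\n/, $log // '') {
        next unless $line =~ /^email:Mid\s+(\d+)\s+sender:'[^'\@]*\@([^']+)'/i;
        $domain_of{$1} = lc $2 if $wanted{$1};
    }

    # A message id without a sender line means the answer is not known yet.
    return 0 if grep { !exists $domain_of{$_} } keys %wanted;

    my %distinct = map { $_ => 1 } values %domain_of;
    return keys(%distinct) == 1 ? 1 : 0;
};

# Constructed sample input (the addresses are made up).
my $mids = join "\n", 52364, 52365, 52366;
my $log  = <<'END';
email:Mid 52364 Subject:'Hello World'
email:Mid 52365 Subject:'Hello World'
email:Mid 52366 Subject:'Hello World'
email:Mid 52366 sender:'alice@example.com'
email:Mid 52365 sender:'bob@Example.com'
email:Mid 52364 sender:'carol@example.com'
END

print $same_domain->($mids, $log) ? "SAME DOMAIN\n" : "Different DOMAIN\n";

# Same input with one sender moved to another domain.
(my $mixed = $log) =~ s/carol\@example\.com/carol\@example.org/;
print $same_domain->($mids, $mixed) ? "SAME DOMAIN\n" : "Different DOMAIN\n";
```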