Hi Risto,
I add you a diagram of what i want.
https://drive.google.com/file/d/0BzGAeQ7Jnta6VW1GSHYzd21JMmc/view?usp=sharing
I decide to do during sec correlation but i´m seeing its quite difficult.
Regards.
2016-11-30 16:07 GMT+01:00 Risto Vaarandi <risto.vaara...@gmail.com>:
> hi Jaren,
> as I understand from your rule example, you would like to modify the
> same input file from sec which is also monitored by sec? If so, I
> wouldn't recommend it.
>
> Firstly, sec is not only monitoring the content of the file but also
> its attributes, in order to detect situations when file is rotated or
> emptied (ie, its size is truncated to 0 bytes). Size truncations are
> monitored in the following way -- if the file i-node number has not
> changed, but the file size has decreased, sec regards the file size
> being truncated and starts processing it from the very beginning.
> Removing one or more lines from the input file decreases its size and
> will therefore be detected by sec as a file truncation. Re-processing
> the file from the very beginning is not something you would like to
> happen under normal circumstances.
>
> Secondly, apparently sec input files are produced by some other
> process which is continuously appending new data to these files. If
> you start modifying these input files by sec, the files have now two
> processes which are altering their content simultaneously. This can
> lead to unpredictable results and bytes from both writing operations
> can become badly mixed. For example, if one process writes the line
> "AAA" and the other process writes the line "BBB" to the file, the end
> result could look like
> ABBB
> AA
> which is probably not what you want.
>
> So I would strongly recommend to avoid this kind of setup.
>
> kind regards,
> risto
>
> 2016-11-30 15:52 GMT+02:00 Jaren Peich <burkol...@gmail.com>:
> > Hi,
> >
> > I want to erase a log file while it is parsing it with sec. The problem
> that
> > i got it is time procedures.
> >
> > A line enter to the rule(input) and it is erased from file.At the same
> time
> > another lines comes from the input to the rule and these lines are not
> > erased because the rule is still processing the previous line.
> >
> > Is it possible to save the line that it is processing and the following
> or 2
> > next lines that sec is going to proccess for being erased later?
> >
> > ____________________________________________________________
> _________________
> >
> > ptype = RegExp
> > continue = Takenext
> > pattern = (.*)
> > desc=-
> > action = eval %ret ( \
> > my($filename)='$+{_inputsrc}';\
> > my($bus)='$0';\
> > my($idx) =0;\
> > if($filename !~ m/synthetic/i)\
> > {\
> > open my $handle, '<', $filename;chomp(my @lines = <$handle>);close
> $handle;\
> > $idx = List::Util::first { $lines[$_] eq $bus } 0..$#lines;\
> > splice @lines, $idx, 1;\
> > open my $handle, '>', $filename;\
> > print $handle join ("\n", @lines);\
> > close $handle;\
> > }\
> > );
> > ____________________________________________________________
> ___________________
> >
> > Thank you!. Regards.
>
2016-11-30 14:52 GMT+01:00 Jaren Peich <burkol...@gmail.com>:
> Hi,
>
> I want to erase a log file while it is parsing it with sec. The problem
> that i got it is time procedures.
>
> A line enter to the rule(input) and it is erased from file.At the same
> time another lines comes from the input to the rule and these lines are not
> erased because the rule is still processing the previous line.
>
> Is it possible to save the line that it is processing and the following or
> 2 next lines that sec is going to proccess for being erased later?
>
> ____________________________________________________________
> _________________
>
> ptype = RegExp
> continue = Takenext
> pattern = (.*)
> desc=-
> action = eval %ret ( \
> my($filename)='$+{_inputsrc}';\
> my($bus)='$0';\
> my($idx) =0;\
> if($filename !~ m/synthetic/i)\
> {\
> open my $handle, '<', $filename;chomp(my @lines = <$handle>);close
> $handle;\
> $idx = List::Util::first { $lines[$_] eq $bus } 0..$#lines;\
> splice @lines, $idx, 1;\
> open my $handle, '>', $filename;\
> print $handle join ("\n", @lines);\
> close $handle;\
> }\
> );
> ____________________________________________________________
> ___________________
>
> Thank you!. Regards.
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
