Hi Martin,
first of all, I would definitely recommend having a look at the official SEC
documentation, since the section for the PairWithWindow rule contains
an example which closely matches your scenario (
http://simple-evcorr.github.io/man.html#lbAP).
Nevertheless, the following rule addresses your message types:

type=PairWithWindow
ptype=RegExp
pattern=\s(\S+)\[\d+\]: \1 new critical, VirtualMachine
desc=No cancellation event for $1 after 10 minutes
action=write - %s
ptype2=RegExp
pattern2=\s$1\[\d+\]: $1 cancelled critical, VirtualMachine
desc2=Cancellation event for %1 arrived
action2=logonly
window=600

I would like to draw your attention to the \1 in the 'pattern' field.
Since the example events you have provided contain the server name test0003
twice, the use of \1 will ensure that the server name in the message text
is the same as the previously matched program name. In other words, the
'pattern' field does not match the following line:

Dec 19 09:01:09 10.240.57.150 test0003[34576]: test0011 new critical, VirtualMachine

since the program name (test0003) and the server name in the message text
(test0011) are different.

Hope this helps,
risto

2016-12-19 19:52 GMT+02:00 Martin Etcheverry <mar...@etcheverri.com>:
>
> I receive an event like this:
> Dec 19 09:01:09 10.240.57.150 test0003[34576]: test0003 new critical, VirtualMachine
>
> and a cancelation like this:
>
> Dec 19 09:07:06 10.240.57.150 test0003[34576]: test0003 cancelled critical, VirtualMachine
>
> I want to get alarmed if the cancelation didn't arrive in 10 mins.
>
> I was advised in this group to use context, but I didn't figure it out.
> I am thinking of using PairWithWindow, but I believe that with every
> different server I have to create a new context to differentiate the new and
> canceled events of every server.
>
> I am sorry, I know this is a newbie question, but I have been trying and googling
> for a month.
> Any hint will be very appreciated.
>
> Greetings
> Martin
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
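
The behaviour of the rule discussed in this thread, modelled as an added Python example (not SEC's code and not written by either poster). It shows why no per-server context is needed: pending operations are keyed by the captured server name, much as SEC keys an operation by the 'desc' string after $1 is substituted. Assumptions: the function names are hypothetical, the sample lines are constructed, the year 2016 is supplied for parsing, and log timestamps stand in for SEC's wall clock.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=600)  # window=600 from the rule
# Same regular expressions as 'pattern' and 'pattern2'; the $1 substitution
# in 'pattern2' is modelled by a lookup of the captured name in 'pending'.
NEW = re.compile(r"\s(\S+)\[\d+\]: \1 new critical, VirtualMachine")
CANCEL = re.compile(r"\s(\S+)\[\d+\]: \1 cancelled critical, VirtualMachine")

def parse_time(line, year=2016):
    # Syslog timestamps carry no year; 2016 is an assumption for the sample.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def correlate(lines, end_of_input):
    """Return (time, message) pairs the rule would produce for the input."""
    pending = {}  # server name -> time its 'new critical' event was seen
    out = []

    def expire(now):
        # Window elapsed without a cancellation: the 'action' branch.
        for host in [h for h, t in pending.items() if now - t >= WINDOW]:
            started = pending.pop(host)
            out.append((started + WINDOW,
                        f"No cancellation event for {host} after 10 minutes"))

    for line in lines:
        now = parse_time(line)
        expire(now)
        m = CANCEL.search(line)
        if m and m.group(1) in pending:
            del pending[m.group(1)]  # the 'action2' branch
            out.append((now, f"Cancellation event for {m.group(1)} arrived"))
            continue
        m = NEW.search(line)
        if m:
            # Simplification: a repeated event does not restart the window.
            pending.setdefault(m.group(1), now)
    expire(end_of_input)
    return out

# Constructed sample input, modelled on the events quoted in the thread.
SAMPLE = [
    "Dec 19 09:01:09 10.240.57.150 test0003[34576]: test0003 new critical, VirtualMachine",
    "Dec 19 09:02:00 10.240.57.150 test0004[120]: test0004 new critical, VirtualMachine",
    "Dec 19 09:03:00 10.240.57.150 test0003[34576]: test0011 new critical, VirtualMachine",
    "Dec 19 09:07:06 10.240.57.150 test0003[34576]: test0003 cancelled critical, VirtualMachine",
]
```

Calling `correlate(SAMPLE, parse_time("Dec 19 09:20:00"))` reports the cancellation for test0003 and a timeout for test0004; the third line, where the program name and the server name differ, starts no operation.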