hi Stuart,

I have tried out your ruleset with the test event you have provided, with
/home/tocops/.tocpipe replaced with - (standard output). I have found no
issues with the ruleset and it works as expected:

sec --conf=stuart.sec  --input=-  --intevents

SEC (Simple Event Correlator) 2.7.8
Reading configuration from stuart.sec
2 rules loaded from stuart.sec
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_STARTUP'
Calling code 'CODE(0x2e7af58)' and setting variable '%o'
Variable '%o' set to '1'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'

2017-08-03T06:07:31-07:00 isilon-cluster-10 /boot/kernel.amd64/kernel:
[gmp_info.c:1863](pid 38910="kt: gmp-config")(tid=103609) new group:
<3,2302>: { 3-6:0-34, 8:0-20,22-31,33-34,36-37, 9:1-21,24, 10-11:0-21,
12-13:0-34, 18:0-21, 21:0-34, 22:0-21, 24:0-34, down: 23, smb:
3-6,8-13,18,21-22,24, nfs: 3-6,8-13,18,21-22,24, all_enabled_protocols:
3-6,8-13,18,21-22,24 }

Calling code 'CODE(0x2e761d0)' and setting variable '%node'
Variable '%node' set to '7'
Writing event 'ops 06:07:31 isilon-cluster-10 Down Nodes: 7' to file '-'

ops 06:07:31 isilon-cluster-10 Down Nodes: 7


For initializing the %arrayid_to_lnn hash, I have used the following rule
from one of your previous posts:

# Global variables
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
desc=initialize array-id to node mapping hash
action=lcall %o-> (sub {\
                         %arrayid_to_lnn = (21 => 1,\
                                            24 => 2,\
                                             3 => 3,\
                                             4 => 4,\
                                             5 => 5,\
                                             6 => 6,\
                                            23 => 7,\
                                             8 => 8,\
                                             9 => 9,\
                                            10 => 10,\
                                            11 => 11,\
                                            12 => 12,\
                                            13 => 13,\
                                            18 => 14,\
                                            22 => 15,\
                                           );\
                         return 1;\
                        }\
                    )


I have a couple of guesses why the ruleset is not working for you:
1) sec has been started without the --intevents option. As a result, the
SEC_STARTUP internal event is not generated and the %arrayid_to_lnn hash will
not be initialized,
2) perhaps there are other rules which can modify %arrayid_to_lnn under
specific circumstances, and the mapping 23 => 7 has been erased?

If you would like to debug this issue, perhaps it is possible to add the
following action into the rule:

lcall %arraykeys -> ( sub { join(" ", keys %arrayid_to_lnn) } )

This action will set the %arraykeys action list variable to all array IDs
for which a mapping exists, so that individual IDs are separated by a space
character. Seeing the value of %arraykeys in the sec debug log will help to
investigate the current state of the %arrayid_to_lnn hash table.

kind regards,
risto



2017-08-05 1:18 GMT+03:00 Stuart Kendrick <stua...@alleninstitute.org>:
>
> Ah, I fumbled sending the correct stanza.  The rule which concerns me is
> actually this one:
>
> type=SingleWithSuppress
> ptype=regexp
> pattern=T(\d\d:\d\d:\d\d)\-\d\d:\d\d (.*?) .*gmp.info.c.* new group:.* down:\s+(.*?),\s
> desc=Down Nodes: $3
> window=5
> action=lcall %node $3 -> ( sub { $arrayid_to_lnn{$_[0]} } );\
>   if %node (write /home/tocops/.tocpipe ops $1 $2 Down Nodes: %node) else ( write /home/tocops/.tocpipe ops $1 $2 Down Nodes: $3)
> #action=write /home/tocops/.tocpipe ops $1 $2 Down Nodes: $3
>
> Recall that the syslog line looks like this:
>
> 2017-08-03T06:07:31-07:00 isilon-cluster-10 /boot/kernel.amd64/kernel:
> [gmp_info.c:1863](pid 38910="kt: gmp-config")(tid=103609) new group:
> <3,2302>: { 3-6:0-34, 8:0-20,22-31,33-34,36-37, 9:1-21,24, 10-11:0-21,
> 12-13:0-34, 18:0-21, 21:0-34, 22:0-21, 24:0-34, down: 23, smb:
> 3-6,8-13,18,21-22,24, nfs: 3-6,8-13,18,21-22,24, all_enabled_protocols:
> 3-6,8-13,18,21-22,24 }
>
> So I claim that $3 is, in fact, set to ‘23’ – I have confirmation on this
> because my management application (which reads /home/tocops/.tocpipe) posts
> the following to its interface:
>
> 06:07:31 isilon-cluster-10 Down Nodes: 23
>
> I speculate that the ‘else’ clause executed, which would produce this
> result.
>
> So I claim I’m back to:
>
> I don’t understand why “sub { $arrayid_to_lnn{23} “ does not return ‘7’
> And more generically, what approaches would you suggest to
> trouble-shooting action lines, plus embedded Perl?
>
> Is there a way to add print statements, for example?  I am imagining
> something like:
>
> action=lcall %node $3 -> ( sub { print "I got $_[0]\n"; $arrayid_to_lnn{$_[0]} } );\
>   if %node (write /home/tocops/.tocpipe ops $1 $2 Down Nodes: %node) else ( write /home/tocops/.tocpipe ops $1 $2 Down Nodes: $3)
>
> Other suggestions for adding debug / trace / print information to the
> execution of action statements?
>
> [BTW:  thank you for pointing out that the example I posted – about
> drives changing to ‘up’ – won’t work – I had blindly copied my ‘Down Node’
> approach to the ‘Drive Change’ stanzas – I will go back and fix this.]
>
> --sk
>
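
The two outcomes discussed in this thread, replayed outside SEC as an added example (not code from either poster or from SEC itself): the rule's regular expression and hash lookup are run against the sample event, once with %arrayid_to_lnn empty, as when SEC_STARTUP is never generated, and once after initialization. The names replay() and %startup_map are assumptions of this example, and the fallback mirrors the rule's if/else on a false %node.

```perl
#!/usr/bin/perl
# Added example, not from the thread: replays the rule's regexp and the
# lcall hash lookup outside SEC. replay() and %startup_map are made-up names.
use strict;
use warnings;

# Sample event from the thread, rejoined onto a single line.
my $line = join ' ',
    '2017-08-03T06:07:31-07:00 isilon-cluster-10 /boot/kernel.amd64/kernel:',
    '[gmp_info.c:1863](pid 38910="kt: gmp-config")(tid=103609) new group:',
    '<3,2302>: { 3-6:0-34, 8:0-20,22-31,33-34,36-37, 9:1-21,24, 10-11:0-21,',
    '12-13:0-34, 18:0-21, 21:0-34, 22:0-21, 24:0-34, down: 23, smb:',
    '3-6,8-13,18,21-22,24, nfs: 3-6,8-13,18,21-22,24, all_enabled_protocols:',
    '3-6,8-13,18,21-22,24 }';

# pattern= from the SingleWithSuppress rule ($1 time, $2 host, $3 array id).
my $re = qr/T(\d\d:\d\d:\d\d)\-\d\d:\d\d (.*?) .*gmp.info.c.* new group:.* down:\s+(.*?),\s/;

# Mapping from the SEC_STARTUP rule.
my %startup_map = (21 => 1, 24 => 2, 3 => 3, 4 => 4, 5 => 5, 6 => 6, 23 => 7,
                   8 => 8, 9 => 9, 10 => 10, 11 => 11, 12 => 12, 13 => 13,
                   18 => 14, 22 => 15);

# Package variable, like the hash the lcall code refers to.
our %arrayid_to_lnn;

sub replay {
    my ($label) = @_;
    my ($time, $host, $down) = $line =~ $re or die "pattern did not match\n";
    # Same lookup as: lcall %node $3 -> ( sub { $arrayid_to_lnn{$_[0]} } )
    my $node = $arrayid_to_lnn{$down};
    # Debug value from the reply: the keys that currently have a mapping
    # (sorted here only to make the output stable).
    my $arraykeys = join(" ", sort { $a <=> $b } keys %arrayid_to_lnn);
    print STDERR "[$label] \$3='$down' arraykeys='$arraykeys'\n";
    # Mirrors "if %node (...) else (...)": a false value falls back to $3.
    return "ops $time $host Down Nodes: " . ($node ? $node : $down);
}

# Case 1: hash never initialized (e.g. no SEC_STARTUP event was generated).
%arrayid_to_lnn = ();
print replay("empty hash"), "\n";

# Case 2: hash initialized by the startup rule.
%arrayid_to_lnn = %startup_map;
print replay("initialized"), "\n";
```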