Hi Risto,
Big thanks to you!
This is what I need.
2018-01-11 17:09 GMT+01:00 Risto Vaarandi <risto.vaara...@seb.ee>:
> hi Kamil,
>
> since you want to count 'bar' events without having any particular time
> constraint imposed for counting, this task can be accomplished without
> rules that involve event correlation with a specific window (such as
> SingleWithThreshold). In my opinion, it is best to use simple Perl-based
> counters that are maintained from Single rules, for example:
>
> type=Single
> ptype=RegExp
> pattern=(\S+): foo
> desc=reset counting for $1 when foo appears
> action=lcall %o $1 -> ( sub { $count{$_[0]} = 0 } )
>
> type=Single
> ptype=RegExp
> pattern=(\S+): bar
> context=$1 -> ( sub { if (!exists $count{$_[0]}) { return 0; } \
> ++$count{$_[0]}; return ($count{$_[0]} > 3); } )
> desc=count bar for $1
> action=write - More than 3 bars have been seen after foo for host $1
>
> This ruleset maintains a custom event counter for each host in the 'count'
> hash table, setting the counter to 0 on foo event (the first rule), and
> incrementing the counter on bar (the second rule). The second rule not only
> increments the counter but also checks if its value is greater than 3,
> setting the truth value of the context expression in 'context' field to
> TRUE if that's the case (as long as the value is FALSE, the action in the
> 'action' field is not executed). If foo reappears for the host, its counter
> is set back to 0 and event counting for this host will start from scratch.
>
> There are a number of other approaches for tackling the same task (e.g.,
> one can push bar events into host based contexts and check their sizes with
> 'getsize' action), but the above approach is probably the most efficient
> one.
>
> kind regards,
> risto
>
>
> ------------------------------
> *From:* Kamil B <kamil4...@gmail.com>
> *Sent:* Thursday, January 11, 2018 4:29 PM
> *To:* simple-evcorr-users@lists.sourceforge.net
> *Subject:* [Simple-evcorr-users] Ignore first n 'bar' if 'foo' occurs
>
> Hello, can you help me?
>
> I need to count occurrences of 'bar' for host1, host2 etc... (independently).
>
> But I must ignore the first n (for example the first 3) occurrences of 'bar' after 'foo'
>
> In other words I need to count video errors (bar), but exclude 3 video errors
> after each channel change (foo).
>
> But if 'foo' occurs a fourth time or more for a host, the action must be
> executed.
>
>
> So if: I have a logfile with:
>
> 0 host1: foo
> 1 host1: bar
> 2 host1: bar
> 3 host1: bar
> 0 host1: foo
> 1 host1: bar
> 0 host1: foo
> 0 host1: foo
> 1 host1: bar
>
> nothing happens
>
> but If:
>
> 0 host1: foo
> 1 host1: bar
> 2 host1: bar
> 3 host1: bar
> 4 host1: bar < trigger action
> 5 host1: bar < trigger action
> 0 host1: foo
> 1 host1: bar
>
> etc.
>
>
>
> Is it possible with sec?
> How to do that?
>
>
>
>
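The two Single rules from Risto's reply, re-implemented outside SEC so the per-host counter semantics can be traced on the sample logs from the thread. This is an added illustration in Python, not SEC code and not code from either poster; the regexes are applied unanchored with re.search to mirror SEC's RegExp matching of "(\S+): foo" and "(\S+): bar", and the threshold of 3 is the value used in the thread. The sample sequences SEQ_A and SEQ_B are Kamil's two logfile examples; SEQ_C is constructed here to show two hosts interleaved and the edge case the "exists" check in the context expression handles: a 'bar' seen before any 'foo' for that host is ignored rather than counted.

```python
import re

# Same patterns as the SEC rules; unanchored search, like SEC's RegExp ptype,
# so a leading sequence number such as "0 host1: foo" does not matter.
FOO_RE = re.compile(r"(\S+): foo")
BAR_RE = re.compile(r"(\S+): bar")

THRESHOLD = 3  # the "first n" bars to ignore after each foo (n=3 in the thread)


class BarCounter:
    """Per-host counter equivalent to the %count hash maintained by lcall.

    Rule 1 ('foo'): $count{host} = 0          (reset, never fires)
    Rule 2 ('bar'): return 0 if host unknown; else ++$count{host} > threshold
    There is no time window: the counter only changes on foo/bar events.
    """

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.count = {}  # host -> bars seen since the last foo

    def process(self, line):
        """Return True if this line would execute the 'write' action."""
        m = FOO_RE.search(line)
        if m:
            self.count[m.group(1)] = 0   # rule 1: start counting from scratch
            return False
        m = BAR_RE.search(line)
        if m:
            host = m.group(1)
            if host not in self.count:   # bar before any foo: ignored
                return False
            self.count[host] += 1        # rule 2: increment and compare
            return self.count[host] > self.threshold
        return False                     # unrelated line: no rule matches


def fired_lines(lines, threshold=THRESHOLD):
    """Indices (0-based) of the lines that trigger the action."""
    counter = BarCounter(threshold)
    return [i for i, line in enumerate(lines) if counter.process(line)]


# Kamil's first example: nothing should happen.
SEQ_A = [
    "0 host1: foo", "1 host1: bar", "2 host1: bar", "3 host1: bar",
    "0 host1: foo", "1 host1: bar",
    "0 host1: foo", "0 host1: foo", "1 host1: bar",
]

# Kamil's second example: the 4th and 5th bar after foo must fire.
SEQ_B = [
    "0 host1: foo", "1 host1: bar", "2 host1: bar", "3 host1: bar",
    "4 host1: bar", "5 host1: bar",
    "0 host1: foo", "1 host1: bar",
]

# Constructed here: two hosts interleaved, plus a bar with no preceding foo.
SEQ_C = [
    "host2: bar",   # 0: host2 has no counter yet -> ignored
    "host1: foo",   # 1
    "host2: foo",   # 2
    "host1: bar",   # 3: host1 = 1
    "host2: bar",   # 4: host2 = 1
    "host1: bar",   # 5: host1 = 2
    "host1: bar",   # 6: host1 = 3
    "host2: bar",   # 7: host2 = 2
    "host1: bar",   # 8: host1 = 4 -> fires
    "host2: bar",   # 9: host2 = 3
    "host2: bar",   # 10: host2 = 4 -> fires
]

if __name__ == "__main__":
    for name, seq in (("A", SEQ_A), ("B", SEQ_B), ("C", SEQ_C)):
        print(name, fired_lines(seq))
```

Because the counter is only ever reset by a 'foo' event, a host whose channel never changes again keeps firing on every further 'bar' once it has passed the threshold; if that is not wanted, the SEC 'write' action in rule 2 would need to be paired with another lcall that zeroes the counter, or with a context that suppresses repeats.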
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users