hi Roni,

there are three ways this problem can be tackled. If your events
contain timestamps, the simplest solution is to extract the timestamp from
the event and set a match variable for holding the timestamp. For example,
if events always have a numerical timestamp as a prefix, you could use the
following rule:

type=PairWithWindow
ptype=RegExp
pattern=^(\d+): BEGIN
desc=BEGIN appeared at $1 without END after 15 seconds
action=write - %s
ptype2=RegExp
pattern2=^(\d+): END
desc2=BEGIN appeared at %1 with END at $1
action2=write - %s
window=15

In this simple example, the timestamp is always assigned to the $1 variable,
which allows it to be retrieved later (either by referring to $1 or %1).

However, if your events do *not* contain timestamps, the following issue
will arise -- if the PairWithWindow rule sees a valid pair of events,
it is possible to utilize the %u or %t variable to get the current time,
which also reflects the occurrence time of the second event in the pair.
However, there is no way of accessing the occurrence time of the first event
via some predefined variable (the same problem will come up if you don't
have a valid pair, but just the first event *without* the second).

In order to address this issue and obtain the occurrence time of the first
event, we can rely on the following observation -- the occurrence time of
the first event is equal to the beginning of the event correlation window.
However, the latter value can be retrieved from any event correlation
operation with the 'getwpos' action. This will lead us to the following
solution:

type=PairWithWindow
ptype=RegExp
pattern=^BEGIN
desc=BEGIN has been seen
action=getwpos %time 0 BEGIN has been seen; \
       write - BEGIN appeared at %time without END after 15 seconds
ptype2=RegExp
pattern2=^END
desc2=END has been seen
action2=getwpos %time 0 BEGIN has been seen; \
        write - BEGIN appeared at %time with END at %u
window=15

As you can see, the example events do not have timestamps. However, in
the 'action' and 'action2' fields the 'getwpos' action is used for getting
the window position of the PairWithWindow operation itself (0 indicates the
current rule and "BEGIN has been seen" is the operation description string
which is set by the 'desc' field). Note that by using non-zero offsets and
custom string values, it is possible to retrieve window positions of other
active event correlation operations. Furthermore, if one employs the
'setwpos' action, the windows of other operations can even be moved further
in time. However, in the above example the operation simply queries its own
window position, which is the same as the occurrence time of the first event.

So what is the third way of addressing this task? Alongside the
PairWithWindow rule, one can implement a Single rule which simply
matches the first event of the pair and saves its occurrence time for
further use. For example:

type=Single
ptype=RegExp
pattern=^BEGIN (\d+)
context=!CONTEXT_$1
continue=TakeNext
desc=save timestamp
action=add CONTEXT_$1 %t

type=PairWithWindow
ptype=RegExp
pattern=^BEGIN (\d+)
desc=BEGIN $1
action=copy CONTEXT_$1 %time; delete CONTEXT_$1; \
       write - BEGIN $1 appeared at %time without END after 15 seconds
ptype2=RegExp
pattern2=^END $1
desc2=END
action2=copy CONTEXT_%1 %time; delete CONTEXT_%1; \
        write - BEGIN %1 appeared at %time with END at %t
window=15

In the above example, the PairWithWindow rule can start several operations
which run simultaneously, treating the numerals that follow BEGIN and END
as pair identifiers (in other words, events BEGIN 12 and END 12 form a
valid pair, since they share the same numeric ID 12). The above example
also employs textual timestamps, and for holding the timestamp of the first
event, the context CONTEXT_<pair-id> is used. The context will be removed
by the PairWithWindow operation when it finishes, no matter whether it
executes 'action' or 'action2' in the end.

I understand that this is a lengthy e-mail, but I just wanted to outline
all the options you have. Perhaps other list members can suggest additional
and even better ways for tackling this task :)

kind regards,
risto
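
An added example, not part of the message above and not code from the SEC project: the 'getwpos' approach applied to the pair-ID events of the third example, so that no helper Single rule or context is needed. It assumes a SEC version that provides the 'lcall' action, used here to turn the epoch value returned by 'getwpos' into readable text; the variable names %start and %begin and the sample events are constructed for illustration.

```conf
# Constructed sample input (one event per line, no timestamps):
#   BEGIN 12
#   BEGIN 13
#   END 12
#
# Each BEGIN <id> starts its own operation, because <id> is part of the
# operation description string set by 'desc'. getwpos with offset 0 and
# that same string therefore returns the window start of exactly the
# operation that is executing 'action' or 'action2'.
#
# In 'action' the pair ID is $1 (taken from the BEGIN event). In 'action2'
# the same ID is %1, so the description string is rebuilt as "BEGIN %1".
#
# getwpos yields seconds since the Epoch; the lcall step converts it to
# local time text so that it matches the format of %t.
# (All comments are kept above the rule, since SEC rule definitions are
# separated by empty and comment lines.)

type=PairWithWindow
ptype=RegExp
pattern=^BEGIN (\d+)
desc=BEGIN $1
action=getwpos %start 0 BEGIN $1; \
       lcall %begin %start -> ( sub { scalar(localtime($_[0])) } ); \
       write - BEGIN $1 appeared at %begin without END after 15 seconds
ptype2=RegExp
pattern2=^END $1
desc2=END %1
action2=getwpos %start 0 BEGIN %1; \
        lcall %begin %start -> ( sub { scalar(localtime($_[0])) } ); \
        write - BEGIN %1 appeared at %begin with END at %t
window=15
```

If the lcall step is dropped, %start can be written directly as an epoch value and paired with %u instead of %t.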


2018-03-09 15:17 GMT+02:00 Riska, Roni (Nokia - FI/Espoo) <
roni.ri...@nokia.com>:

> Hello,
>
> I’m using a PairWithWindow rule and I want to get the first and second
> event and their timestamps in the action/action2.
> I know that I can get the first event with %0 and second with $0 in the
> action2, and first event with $0 in action.
> But how can I get the timestamp when SEC received the first event?
> Is it even possible to get that?
>
> Br,
> Roni
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>