Hello,
I was find out the answer in manual and also archive of this forum, but
without success, and the question seems very basic to me, so I assume 2 (3)
possible alternative answers:
- it is so easy, that I will bang my head
- it is not possible at all (in current version of SEC)
- (RegExp .* is equally efficient as TValue)
Assuming, that using TValue instead of RegExp or any other rule type in
cases, where I don't need filtering of or extraction from log messages, is
most computing power efficient, I am trying to find out a straightforward
way, how to use the original event text in event action of TValue rule.
$0 seems not to be working for TValue (I understand, that it is
RegExp-specific) in rule like this:
type=Single
ptype=TValue
pattern=TRUE
context=SVC_:tmp::home:user:somelog.log#MULTI-LINE &&
SVC_:tmp::home:user:somelog.log #MULTI-LINE_MESSAGE
desc= SVC_:tmp::home:user:somelog.log #MULTI-LINE_MESSAGE lines filter
action=add ( SVC_:tmp::home:user:somelog.log #MULTI-LINE_MESSAGE) $0
$0 literally is added to context in this case.
("#" is meant to be part of the context name, not any kind of comment.)
Does somebody have any advice, how to use original event text in
TValue-type rule, without "compromising" the performance? (Assuming, that
the easiest solution, the replacement of TValue with RegExp nad TRUE with
.* would do the job, but won't be as fast as TValue.) Maybe new predefined
variable could be available (e.g. %e as event) independently on rule type.
Thank you in advance.
Richard
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
