hi Richard,

there are several pattern types like TValue and SubStr which have been designed for fast matching and which do not support match variables (including $0). Handling of match variables involves additional computational cost, since after successful match, all variables in rule definition have to be substituted with values from the match. So if you want to get the entire line that reaches a given rule, the simplest solution is to use $0 variable with RegExp pattern .? or .

Since you also mentioned the idea of defining special action list variable (%e), it will involve the following subtle issue. Unlike match variables, action list variables get substituted not immediately after the match, but at the moment when action list gets executed. However, there are rules where action list execution can happen much later than the match against the rule -- just consider the 'action' field of PairWithWindow rule where execution is triggered by reading from system clock, not a pattern match. A similar issue will come up with Calendar rule that doesn't have a pattern at all, or action lists of SEC contexts when contexts expire.

If the action list variable is defined as "input line currently under processing", such variable will not make much sense when action list execution is triggered by system clock. For this reason, using $0 is a better solution, since it is substituted immediately after a successful pattern match.

kind regards,
risto

Contact Richard Ostrochovský (<richard.ostrochov...@gmail.com>) wrote on Mon, 20 January 2020 at 17:40:

> Hello,
>
> I was trying to find the answer in the manual and also the archive of this forum, but
> without success, and the question seems very basic to me, so I assume 2 (3)
> possible alternative answers:
>
> - it is so easy, that I will bang my head
> - it is not possible at all (in current version of SEC)
> - (RegExp .* is equally efficient as TValue)
>
> Assuming, that using TValue instead of RegExp or any other rule type in
> cases, where I don't need filtering of or extraction from log messages, is
> most computing power efficient, I am trying to find out a straightforward
> way, how to use the original event text in event action of TValue rule.
>
> $0 seems not to be working for TValue (I understand, that it is
> RegExp-specific) in rule like this:
>
> type=Single
> ptype=TValue
> pattern=TRUE
> context=SVC_:tmp::home:user:somelog.log#MULTI-LINE &&
> SVC_:tmp::home:user:somelog.log #MULTI-LINE_MESSAGE
> desc= SVC_:tmp::home:user:somelog.log #MULTI-LINE_MESSAGE lines filter
> action=add ( SVC_:tmp::home:user:somelog.log #MULTI-LINE_MESSAGE) $0
>
> $0 literally is added to context in this case.
>
> ("#" is meant to be part of the context name, not any kind of comment.)
>
> Does somebody have any advice, how to use original event text in
> TValue-type rule, without "compromising" the performance? (Assuming, that
> the easiest solution, the replacement of TValue with RegExp and TRUE with
> .* would do the job, but won't be as fast as TValue.) Maybe new predefined
> variable could be available (e.g. %e as event) independently on rule type.
>
> Thank you in advance.
>
> Richard
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
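
The timing difference described in the reply above, as an added example that is not part of the thread and not SEC code: a simplified Python model of a PairWithWindow-style rule whose action runs only when the window expires. The class name `ToyPairWithWindow`, the reading of `%e` as "the most recently read input line", and the sample log lines are assumptions made for illustration.

```python
import re

TOKEN = re.compile(r"(\$0|%e)")  # splits a template; odd indexes are variables


class ToyPairWithWindow:
    """Simplified model (not SEC): a matching line arms a timer, and the
    action runs later, when the clock shows that the window has expired."""

    def __init__(self, pattern, action, window):
        self.pattern = re.compile(pattern)
        self.parts = TOKEN.split(action)  # e.g. ["a=[", "$0", "] b=[", "%e", "]"]
        self.window = window              # seconds
        self.pending = []                 # (due time, parts with $0 already bound)
        self.last_line = ""               # what the hypothetical %e would read
        self.executed = []

    def feed(self, now, line):
        """Process one input line read at clock time `now`."""
        self.tick(now)
        self.last_line = line
        if self.pattern.search(line):
            # Match variable: substituted immediately after the match.
            bound = [line if p == "$0" else p for p in self.parts]
            self.pending.append((now + self.window, bound))

    def tick(self, now):
        """Clock-driven step: execute every action whose window has expired."""
        due = [b for t, b in self.pending if t <= now]
        self.pending = [(t, b) for t, b in self.pending if t > now]
        for bound in due:
            # Action list variable: substituted only now, at execution time.
            self.executed.append("".join(
                self.last_line if i % 2 and self.parts[i] == "%e" else p
                for i, p in enumerate(bound)))
        return self.executed


def demo():
    rule = ToyPairWithWindow(r"login failed",
                             "matched=[$0] current=[%e]", window=10)
    rule.feed(0, "sshd: login failed for alice")  # constructed sample line
    rule.feed(5, "cron: job 42 finished")         # constructed, unrelated line
    return rule.tick(12)                          # window expires, action runs


if __name__ == "__main__":
    print(demo()[0])
```
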