Hi Risto,

Thank you for your explanation. All works well for me now. I am using SEC v 2.7.12, therefore I see that compilation error with lcall and the :> operator.

Thank you,
Dusan

________________________________
From: Risto Vaarandi <risto.vaara...@gmail.com>
Sent: Wednesday, 19 February 2020 14:52
To: Dusan Sovic <dusan.so...@hotmail.sk>
Cc: simple-evcorr-users@lists.sourceforge.net <simple-evcorr-users@lists.sourceforge.net>
Subject: Re: [Simple-evcorr-users] How to introduce new match variable

hi Dusan,

you can find my comments below:

>
> I try to add new variable using “context” and :> operator also using “lcall”
> action but no luck.
> Any idea how to achieve this?
>
> This is what I have produced so far:
>
> Config file: dusko.sec
> ----------------------------
> rem=Rule 1
> type=Single
> ptype=RegExp
> pattern=^(?<EVENT>\S+) (?<SEVERITY>\S+)$
> varmap=MY_EVENT
> continue=TakeNext
> desc=Parsing Event
> action=write - R1: Parsing event: $+{EVENT} $+{SEVERITY}
>
> rem=Rule 2
> type=Single
> ptype=Cached
> pattern=MY_EVENT
> context=MY_EVENT :> ( sub { return $_[0]->{"NEW"} = "new_entry"; } )
> desc=Introducing new variable
> action=lcall %o MY_EVENT -> ( sub { $_[0]->{"NEW"} = "value" } ); \
> write - R2: NEW = $+{NEW}
>

Rule #2 is not having an expected effect, since SEC rule matching involves several steps in the following order:
1) pattern is matched against an incoming event
2) if pattern matched the event, collect match variable values for substitutions (e.g., substitutions in 'context' field of the rule)
3) evaluate the context expression of the rule (provided with 'context' field)

If any new match variables are created during step 3, they are not used during substitutions within the current rule, since the set of match variables and their values were fixed during previous step. However, the match variable would be visible in the following rules.

In order to make the variable visible immediately in the current rule, you can enclose the context expression in square brackets [ ], which means that context expression has to be evaluated *before* the pattern match (in other words, step 3 would be taken before step 1 now). For example:

rem=Rule 2
type=Single
ptype=Cached
pattern=MY_EVENT
context=[ MY_EVENT :> ( sub { return $_[0]->{"NEW"} = "new_entry"; } ) ]
desc=Introducing new variable
action=write - R2: NEW = $+{NEW}

The use of [ ] operator involves one caveat -- since match variables (e.g., $1 or $2) are produced by pattern match, they will not have any values yet when context expression is evaluated, and are therefore not substituted. However, this is not a problem for the above rule, since the context expression in this rule contains no references to match variables (such as $1 or $+{NEW}).

>
> Also if I want to replace “->” with “:>” for lcall action:
> action=lcall %o MY_EVENT :> ( sub { $_[0]->{"NEW"} = "value" } ); \
> write - R2: NEW = $+{NEW}
>
> I got compilation error:
> Rule in ./dusko.sec at line 10: Eval '{"NEW"} = "value" } )' didn't return a
> code reference: syntax error at (eval 9) line 1, near "} ="
> Unmatched right curly bracket at (eval 9) line 1, at end of line
> Rule in ./dusko.sec at line 10: Invalid action list ' lcall %o MY_EVENT :> (
> sub { $_[0]->{"NEW"} = "value" } ); write - R2: NEW = $+{NEW} '

This is because the :> operator for 'lcall' action was introduced in sec-2.8.0, and is not supported by previous versions (such as sec-2.7.X). When I tried your rule with sec-2.8.2, everything worked fine, but testing it with sec-2.7.12 produced the same error message. Therefore I suspect that you have an earlier version than 2.8.0, and would recommend to upgrade to 2.8.2 (the latest version). But with the above workaround, you would not need 'lcall %o MY_EVENT :> ( sub { $_[0]->{"NEW"} = "value" } )' action anyway.

Hope this helps,
risto

>
> Thanks for any help,
> Dusan
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
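
Added example, not part of the original thread and not SEC's own code: a Python model of the evaluation order described in the reply above, showing when $+{NEW} becomes visible with and without the [ ] operator. The function names, the sample event values and the follow-up "Rule 3" are assumptions made for illustration, as is Rule 2 letting the event continue to the next rule.

```python
import re

def substitute(text, variables):
    # Expand $+{NAME}; in this model a name with no value expands to "".
    return re.sub(r"\$\+\{(\w+)\}",
                  lambda m: str(variables.get(m.group(1), "")), text)

def run_cached_rule(cache, entry, action, context=None, context_first=False):
    """Return the expanded action of a ptype=Cached rule, or None on no match."""
    def context_ok():
        # ':>' hands the cached hash of match variables itself to the function.
        return context is None or bool(context(cache[entry]))

    if entry not in cache:                  # model guard: nothing cached, no match
        return None
    if context_first and not context_ok():  # context=[ ... ]: step 3 before step 1
        return None
    variables = dict(cache[entry])          # step 2: values are fixed from here on
    if not context_first and not context_ok():  # step 3 in its default position
        return None
    return substitute(action, variables)

def add_new(variables):
    # Same effect as: sub { return $_[0]->{"NEW"} = "new_entry"; }
    variables["NEW"] = "new_entry"
    return variables["NEW"]

def demo(context_first):
    # Constructed cache content, as Rule 1 (varmap=MY_EVENT) would leave it.
    cache = {"MY_EVENT": {"EVENT": "linkdown", "SEVERITY": "critical"}}
    rule2 = run_cached_rule(cache, "MY_EVENT", "R2: NEW = $+{NEW}",
                            context=add_new, context_first=context_first)
    # Hypothetical following rule with the same Cached pattern and no context.
    rule3 = run_cached_rule(cache, "MY_EVENT", "R3: NEW = $+{NEW}")
    return rule2, rule3

if __name__ == "__main__":
    print(demo(context_first=False))  # context evaluated after the pattern match
    print(demo(context_first=True))   # context=[ ... ]
```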