Re: [Simple-evcorr-users] can i add a variable to a pattern?

Fri, 20 Mar 2020 12:58:12 -0700 

Hi Martin:

In message
<cak5zirwe1hq1q96tmkci9zbjvrr+jxvkn--zobmu021dhsn...@mail.gmail.com> ,
Martin Etcheverry writes:

>I have a question , i have this
>
>type=PairWithWindow
>ptype=RegExp
>pattern=\w{3}\W*\d{1,2}\W\d{2}\W\d{2}\W\d{2}\W\d*\W\d*\W\d*\W\d*\W\W*something:\Wstarted\W(.*)\W\W
>(.*)
>desc= $1
>action=pipe '%s' telegram -C '$1 something something $2 ';pipe '%s' mail -s
>'$1' somem...@someserver.com
>ptype2=RegExp
>pattern2=\w{3}\W*\d{1,2}\W\d{2}\W\d{2}\W\d{2}\W\d*\W\d*\W\d*\W\d*\W\W*something:\Whas\Wbeen\Wresolved\W(.*)\W\W
>*(.*)*
>desc2=event for $1 was cancelled
>action2=logonly
>window=420
>
>In the first pattern i have two groups $1 and $2 , $2 is a unique
>event code.  I whant to use $2 in the pattern2 in substitution of the
>red part.

You can use $2 in pattern2. However for context2, descr2 etc, you need
to use %2. See https://simple-evcorr.github.io/man.html#lbAP
specifically:

  In order to access match variables set by pattern,
  %-prefixed match variables have to be used in context2, desc2, and
  action2 fields. For example, if pattern and pattern2 are regular
  expressions, then %1 in the desc2 field refers to the value set by the
  first capture group in pattern (i.e., it has the same value as $1 in
  the desc field).

also the example shows:

  type=PairWithWindow
  ptype=RegExp
  pattern=sshd\[\d+\]: Failed .+ for (\S+) from ([\d.]+) port \d+ ssh2
  desc=User $1 has been unable to log in from $2 over SSH during 1 minute
  action=pipe '%t: %s' /bin/mail root@localhost
  ptype2=RegExp
  pattern2=sshd\[\d+\]: Accepted .+ for $1 from $2 port \d+ ssh2
  desc2=SSH login successful for %1 from %2 after initial failure
  action2=logonly
  window=60 

$1, $2 are defined by the 'pattern' up to the point 'pattern2'
matches. Once pattern2 has matched: desc2, action2, context2 need to
use %2 to refrence the matched patterns from 'pattern'. $1, $2 etc are
redefined/overwritten by the matches from pattern2.

Reading the man page a few times is required to use sec efficiently.
Have fun.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Reply via email to