Hi-
I'm sorry to ask what is probably very basic question, but I have struggling
with this for awhile (I have perused the manual a lot and the mailing list a
bit) and could use some guidance.
The short version is: is there a way to take the results of a pattern match in
one rule and use that value in a perlfunc in another?
More verbosely, at this time I use SEC for network syslog exclusion; nothing
fancy. I would like to start using Jump rules based on hostname. Hostname is
derived from the incoming log line.
I thought I would be clever and use a single rule to determine if there was a
hostname or not, save it somewhere reusable, and then launch jump rules based
on that.
something like
type=Single
ptype=RegExp
pattern=^\w+\s+[0-9]+ [0-9]+:[0-9]+:[0-9]+ (.+?) .+
varmap= hostname=1
desc=hostname
action=assign %r $+{hostname}
continue=TakeNext
type=Jump
ptype=perlfunc
pattern=sub { return 1 if $+{hostname} =~ m/^first-use-case/ }
cfset=rules-for-this-match-1
type=Jump
ptype=perlfunc
pattern=sub { return 1 if $+{hostname} =~ m/^second-use-case/ }
cfset=rules-for-this-match-2
I know this doesn't work. I understand that '%r' is not a perl hash, and is an
action list variable, and that $+{hostname} is undef inside the type=Jump rule
perlfunc. I also know that %r is being set correctly, I see it in "variables
-> r" if I do SIGUSR1 dump.
So is it possible stash away a variable from one rule and use it in a Jump rule
like above? I can work around this easily by using a single rule like below,
but if I have for example 20 jump permutations, it seems quite redundant to
keep recalculating the hostname for comparison.
type=Jump
ptype=perlfunc
pattern=sub { return 0 unless (defined($_[1]) && $_[0] =~ /^\w+\s+[0-9]+
[0-9]+:[0-9]+:[0-9]+ (.+?) .+/); return 1 if $1 =~ m/^first-use-case/}
cfset=all-rules
Thanks in advance,
-Michael
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
