I'm trying to do something I think is possible, but it's not quite working. I have a use case where I need to watch one central log file to catch a system that is going to fire off a separate process that creates a log I'm really interested in. I have the rules that do this working just fine. They use addinput and dropinput to pull files in and out.
My issue comes in watching these other log files. Each one of these files is logging events I'm concerned about. Each file has threads. Those threads are unique in that file, but not across files. So thread 1, for example, is going to be in all log files. I'm able to set a context that includes the filename and thread id with no problem on the rule that is picking up the first event I'm concerned about. My issue is then using the context= in the next rule to limit it to just that input. Here are some examples I've tried:

type=single
ptype=regexp
pattern=Action one.*Thread="Thread([0-9]+)"
desc=Action one for $+{_inputsrc} thread $1
action=create LK_$+{_inputsrc}_$1 86400;fill LK_$+{_inputsrc}_$1 %t;

type=single
continue=takenext
ptype=regexp
pattern="Thread([0-9]+)"
context=LK_$+{_inputsrc}_$1;
desc=got a line from $+{_inputsrc} for thread $1 winner winner ===LK_$+{_intcontext}_$1===
action=delete LK_$+{_inputsrc}_$1;write - NL %t %var1 %s;

type=single
continue=takenext
ptype=regexp
pattern="Thread([0-9]+)"
context=LK_inp.text_21
desc=why only this one? got a line from $+{_inputsrc} for thread $1 +++$+{_intcontext}+++ ===$+{_inputsrc}=== _$1_
action=pop LK_$+{_inputsrc}_$1 %var1;delete LK_$+{_inputsrc}_$1;write - NL %t %var1 %s;

sec --conf=testing.sec --intevents --intcontexts --nochildterm --input=inp.text --debug=6

SEC (Simple Event Correlator) 2.8.2
Reading configuration from testing.sec
3 rules loaded from testing.sec
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file inp.text
Interactive process, SIGINT can't be used for changing the logging level
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_STARTUP'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'

Now I feed in one line:

echo 'INFO [2022-11-05 16:24:58,506] Action one Thread="Thread21", "' >> inp.text

I get:

Creating context 'LK_inp.text_21'
Filling context 'LK_inp.text_21' with event(s) 'Sat Nov 5 19:24:55 2022'

If I create the sec.dump file, I see this as far as what contexts are there:

List of contexts:
============================================================
Context Name: LK_inp.text_21
Creation Time: Sat Nov 5 19:24:55 2022
Lifetime: 86400 seconds
1 events associated with context:
Sat Nov 5 19:24:55 2022
------------------------------------------------------------
Total: 1 elements

I now feed in the other line:

echo 'INFO [2022-11-05 16:24:58,506] Action two Thread="Thread21", "' >> inp.text

Rule 3 ends up firing and not rule 2:

Pop the last element of context 'LK_inp.text_21' event store into variable '%var1'
Variable '%var1' set to 'Sat Nov 5 19:24:55 2022'
Deleting context 'LK_inp.text_21'
Context 'LK_inp.text_21' deleted
Writing event 'NL Sat Nov 5 19:26:25 2022 Sat Nov 5 19:24:55 2022 why only this one? got a line from inp.text for thread 21 +++_FILE_EVENT_inp.text+++ ===inp.text=== _21_' to file '-'
NL Sat Nov 5 19:26:25 2022 Sat Nov 5 19:24:55 2022 why only this one? got a line from inp.text for thread 21 +++_FILE_EVENT_inp.text+++ ===inp.text=== _21_

Rule 3 is able to delete the context just fine, so I know the $+{_inputsrc} is being evaluated correctly. Can it not be evaluated in the context= line? Can someone guide me with a way to get this to work?

Thanks in advance,
Sean
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users