Risto,

Man I feel like an idiot. That's what I get for copy / pasting stuff around. I 
removed the ; in the test setup and it's working like I thought it would.

My real setup seems to be good now as well.

Thanks a million.

While I have you, one other quick question, can SEC do sub-second precision?

I've used SEC on and off for years so thanks for a great product. It always seems to 
be the tool I pull out when I have a really complicated problem to solve.

Sean

From: Risto Vaarandi <risto.vaara...@gmail.com>
Sent: Saturday, November 5, 2022 8:36 PM
To: Sean Hennessey <sean.hennes...@mercurygate.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] context w/ input file name embedded

hi Sean,
I was quite puzzled why the ruleset you have posted is not working, and after 
testing it several times and looking at the rules, I think I found the reason. 
When you look at the 'context' field of the second rule, there is an extra 
semicolon at the end of the context name (when the rule file is loaded and 
parsed, it is treated as a part of the context name). Therefore, the 'context' 
field is not checking the presence of the right context. After removing that 
semicolon, the second rule started to produce the matches :-)
kind regards,
risto
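
An added lint for the gotcha Risto describes, written for this thread (it is not Sean's or Risto's code and not part of SEC): it splits a rule file into rules and flags any 'context' field whose value ends in ';', which SEC would keep as part of the context name. It assumes the SEC rule-file conventions of key=value lines, blank lines between rules and a trailing backslash continuing a line; the sample rules are the two posted below, embedded as constructed input.

```python
"""Lint a SEC rule file for a trailing ';' in the 'context' field.
Constructed example, not part of SEC: rule files are assumed to be
key=value lines, rules separated by blank lines, '\\' continuing a line."""

# Constructed sample: rules 1 and 2 as posted in the thread, including the
# extra ';' at the end of rule 2's context field.
SAMPLE_RULES = """\
type=single
ptype=regexp
pattern=Action one.*Thread="Thread([0-9]+)"
desc=Action one for $+{_inputsrc} thread $1
action=create LK_$+{_inputsrc}_$1 86400;fill LK_$+{_inputsrc}_$1 %t;

type=single
continue=takenext
ptype=regexp
pattern="Thread([0-9]+)"
context=LK_$+{_inputsrc}_$1;
desc=got a line from $+{_inputsrc} for thread $1
action=delete LK_$+{_inputsrc}_$1;write - NL %t %var1 %s;
"""


def parse_rules(text):
    """Split a SEC rule file into a list of {field: value} dicts."""
    rules, current, pending = [], {}, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):            # backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            if current:                    # blank line ends a rule
                rules.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    if current:
        rules.append(current)
    return rules


def find_trailing_semicolons(text):
    """Return (rule_number, context_value) for each context ending in ';'."""
    hits = []
    for n, rule in enumerate(parse_rules(text), start=1):
        ctx = rule.get("context", "")
        if ctx.endswith(";"):              # SEC keeps the ';' in the name
            hits.append((n, ctx))
    return hits
```

Running `find_trailing_semicolons(SAMPLE_RULES)` reports rule 2 with the name `LK_$+{_inputsrc}_$1;`, which is why the 'context' check never matched the context that rule 1 created.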

Sean Hennessey (<sean.hennes...@mercurygate.com>) wrote on Sun, 6 November 2022 at 02:06:
I'm trying to do something I think is possible, but it's not quite working. I 
have a use case where I need to watch one central log file to catch a system 
that is going to fire off a separate process that creates a log I'm really 
interested in. I have the rules that do this just fine. It uses the addinput and 
dropinput to pull in and out files.

My issue comes in watching these other log files. Each one of these files is 
logging events I'm concerned about. Each file has threads. Those threads are 
unique in that file, but not across files. So thread 1 for example is going to 
be in all log files. I'm able to set a context that includes the filename and 
thread id w/ no problem on the rule that is picking up the first event I'm 
concerned about. My issue is then using the context= in the next rule to limit 
it to just that input.

Here's some examples I've tried:

type=single
ptype=regexp
pattern=Action one.*Thread="Thread([0-9]+)"
desc=Action one for $+{_inputsrc} thread $1
action=create LK_$+{_inputsrc}_$1 86400;fill LK_$+{_inputsrc}_$1 %t;

type=single
continue=takenext
ptype=regexp
pattern="Thread([0-9]+)"
context=LK_$+{_inputsrc}_$1;
desc=got a line from $+{_inputsrc} for thread $1 winner winner ===LK_$+{_intcontext}_$1===
action=delete LK_$+{_inputsrc}_$1;write - NL %t %var1 %s;

type=single
continue=takenext
ptype=regexp
pattern="Thread([0-9]+)"
context=LK_inp.text_21
desc=why only this one? got a line from $+{_inputsrc} for thread $1 +++$+{_intcontext}+++ ===$+{_inputsrc}=== _$1_
action=pop LK_$+{_inputsrc}_$1 %var1;delete LK_$+{_inputsrc}_$1;write - NL %t %var1 %s;


sec --conf=testing.sec --intevents --intcontexts --nochildterm --input=inp.text --debug=6
SEC (Simple Event Correlator) 2.8.2
Reading configuration from testing.sec
3 rules loaded from testing.sec
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file inp.text
Interactive process, SIGINT can't be used for changing the logging level
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_STARTUP'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'


Now I feed in one line:
echo 'INFO  [2022-11-05 16:24:58,506] Action one Thread="Thread21", "' >> inp.text

I get:
Creating context 'LK_inp.text_21'
Filling context 'LK_inp.text_21' with event(s) 'Sat Nov  5 19:24:55 2022'

If I create the sec.dump file I see this as far as what contexts are there:
List of contexts:
============================================================
Context Name: LK_inp.text_21
Creation Time: Sat Nov  5 19:24:55 2022
Lifetime: 86400 seconds
1 events associated with context:
Sat Nov  5 19:24:55 2022
------------------------------------------------------------
Total: 1 elements

I now feed in the other line:
echo 'INFO  [2022-11-05 16:24:58,506] Action two Thread="Thread21", "' >> inp.text

Rule 3 ends up firing and not rule 2:
Pop the last element of context 'LK_inp.text_21' event store into variable '%var1'
Variable '%var1' set to 'Sat Nov  5 19:24:55 2022'
Deleting context 'LK_inp.text_21'
Context 'LK_inp.text_21' deleted
Writing event 'NL Sat Nov  5 19:26:25 2022 Sat Nov  5 19:24:55 2022 why only this one? got a line from inp.text for thread 21 +++_FILE_EVENT_inp.text+++ ===inp.text=== _21_' to file '-'
NL Sat Nov  5 19:26:25 2022 Sat Nov  5 19:24:55 2022 why only this one? got a line from inp.text for thread 21 +++_FILE_EVENT_inp.text+++ ===inp.text=== _21_

Rule 3 is able to delete the context just fine, so I know the $+{_inputsrc} is 
being evaluated correctly. Can it not be evaluated in the context= line?

Can someone guide me w/ a way to get this work?

Thanks in advance
Sean
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users