> I will leave producing the exact output you want to
> the reader, but a
> ruleset that matches your data could look something
> like:
>
> # rule 1
> type=Single
> desc=detect start of sequence for host $1 id $2
> ptype=RegExp
> pattern=VERIFY ([0-9.]*) ([0-9]*) START ([0-9]*)
> rem=may need to set a max time on this context
> action=create context_$1_$2; add context_$1_$2 $0
>
> # rule 2
> type=Single
> desc=detect connected part of sequence for host $1 id $2
> ptype=RegExp
> pattern=VERIFY ([0-9.]*) ([0-9]*) CONNECTED ([0-9]*)
> rem=match this rule only if a START was seen prior
> rem=otherwise something is wrong and we need to punt.
> context=context_$1_$2
> rem=store connected time in a context for later use
> action=add context_$1_$2 $0; add context_connected_time_$1_$2 $3
>
> # rule 3
> type=Single
> continue=TakeNext
> desc=detect send part of sequence for host $1 id $2
> ptype=RegExp
> pattern=VERIFY ([0-9.]*) ([0-9]*) SEND ([0-9]*)
> rem=match this rule only if a START was seen
> context=context_$1_$2
> rem=copy the stored connected time into a variable, compute the
> rem=difference with eval, then replace the stored time with this SEND
> rem=time (delete before add, so the context holds one value rather
> rem=than a growing list that would break the subtraction)
> action=copy context_connected_time_$1_$2 %{connectedtime}; \
>        eval %{diff} ( $3 - %{connectedtime} ); \
>        add context_$1_$2 $0; \
>        add context_$1_$2 CONNECTED to SEND time %{diff} seconds; \
>        delete context_connected_time_$1_$2; \
>        add context_connected_time_$1_$2 $3
>
> # rule 4
> type=PairWithWindow
> desc=detect RECEIVED for host $1 id $2 or detect missing received
> context=context_$1_$2
> ptype=RegExp
> pattern=VERIFY ([0-9.]*) ([0-9]*) SEND ([0-9]*)
> ptype2=RegExp
> pattern2=VERIFY ([0-9.]*) ([0-9]*) RECEIVED ([0-9]*)
> desc2=RECEIVED for host $1 id $2
> context2=context_$1_$2
> rem=report missing received after 3 minutes (180 seconds)
> window=180
> rem=no RECEIVED event: "action" runs when the window expires without a
> rem=pattern2 match ("root" is a placeholder for whichever address should
> rem=get the mail)
> action=report context_$1_$2 mail -s "failed to get a RECEIVED entry for host $1 id $2. Log is" root
> rem=RECEIVED is found: "action2" runs; $3 is the time extracted using
> rem="pattern2", %3 is the time extracted from the send line using "pattern"
> action2=eval %{diff} ( $3 - %3 ); \
>         add context_$1_$2 $0; \
>         add context_$1_$2 SEND to RECEIVED time %{diff} seconds; \
>         report context_$1_$2 mail -s "Report on host $1 id $2 connection" root
>
>
> may work (untested). I usually get the algorithm in
> the right ballpark,
> but get the exact syntax wrong. It should produce
> output like:
>
> VERIFY 194.151.25.153 1200238501 START 1200238501
> VERIFY 194.151.25.153 1200238501 CONNECTED 1200238501
> VERIFY 194.151.25.153 1200238501 SEND 1200238532
> CONNECTED to SEND time 31 seconds
> VERIFY 194.151.25.153 1200238501 RECEIVED 1200238550
> SEND to RECEIVED time 18 seconds
>
...
>
> I am sure Risto or some of the other readers will
> come up with other
> ways to do this.
>
indeed, there are some other ways for doing this, like
using perl hashes instead of contexts, but in this
case I like John's solution more. One very minor
improvement would be adding 'delete' action for the
context into the last pairwithwindow rule, so that
contexts would not accumulate over time. I suppose the
context removal could also be handled by setting the
lifetime and action-on-delete for the context in the
first rule, and employing a Single rule with 'delete'
action in place of PairWithWindow for the last rule.
br,
risto
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
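The correlation John's ruleset describes, re-expressed as a small Python program so it can be run offline over sample lines. This is an added example, not code from the thread or from SEC itself; the class and function names (Correlator, Context, run) are my own, the sample lines are constructed (the first sequence reproduces the expected output quoted above), and the 180-second RECEIVED window is measured from the timestamps carried in the events rather than from the wall clock as SEC's PairWithWindow does. It also deletes the per-(host, id) state once a sequence completes or the window expires, which is the cleanup Risto suggests adding.

```python
"""Added example: John's SEC VERIFY ruleset as a Python correlator (not thread code).

A Context object per (host, id) stands in for SEC's context_$1_$2 and
context_connected_time_$1_$2; expire() plays the role of the PairWithWindow
timeout, driven by event timestamps instead of the wall clock (an assumption
made so the example runs offline).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

WINDOW = 180  # seconds, as in "window=180"

LINE_RE = re.compile(
    r"VERIFY ([0-9.]+) ([0-9]+) (START|CONNECTED|SEND|RECEIVED) ([0-9]+)"
)


@dataclass
class Context:
    """Per-(host, id) state: the event store plus the two stored times."""
    log: List[str] = field(default_factory=list)
    connected_time: Optional[int] = None   # context_connected_time_$1_$2
    send_time: Optional[int] = None        # set by SEND; arms the RECEIVED window


class Correlator:
    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.contexts: Dict[Tuple[str, str], Context] = {}
        self.reports: List[Tuple[str, List[str]]] = []   # (mail subject, event store)

    def feed(self, line: str) -> None:
        m = LINE_RE.match(line)
        if not m:
            return                       # not a VERIFY line: no rule matches
        host, ident, kind, ts = m.group(1), m.group(2), m.group(3), int(m.group(4))
        self.expire(ts)                  # the event stream is our clock
        key = (host, ident)
        if kind == "START":              # rule 1: create the context
            self.contexts[key] = Context(log=[line])
            return
        ctx = self.contexts.get(key)
        if ctx is None:
            return                       # rules 2-4 need a START first: punt
        if kind == "CONNECTED":          # rule 2: store the connected time
            ctx.log.append(line)
            ctx.connected_time = ts
        elif kind == "SEND":             # rule 3, then rule 4 arms the window
            ctx.log.append(line)
            if ctx.connected_time is not None:
                ctx.log.append(f"CONNECTED to SEND time {ts - ctx.connected_time} seconds")
            ctx.connected_time = ts      # rule 3 re-stores the SEND time
            ctx.send_time = ts
        elif kind == "RECEIVED" and ctx.send_time is not None:   # rule 4, action2
            ctx.log.append(line)
            ctx.log.append(f"SEND to RECEIVED time {ts - ctx.send_time} seconds")
            self.reports.append((f"Report on host {host} id {ident} connection", ctx.log))
            del self.contexts[key]       # cleanup: don't let contexts accumulate

    def expire(self, now: int) -> None:
        """Rule 4, action: a SEND was seen but no RECEIVED arrived within the window."""
        for key, ctx in list(self.contexts.items()):
            if ctx.send_time is not None and now - ctx.send_time > self.window:
                host, ident = key
                self.reports.append(
                    (f"failed to get a RECEIVED entry for host {host} id {ident}. Log is", ctx.log)
                )
                del self.contexts[key]


def run(lines: List[str], now: int) -> List[Tuple[str, List[str]]]:
    """Feed all lines, then expire anything still waiting at time `now`."""
    c = Correlator()
    for line in lines:
        c.feed(line)
    c.expire(now)
    return c.reports


# Constructed sample input: the thread's sequence, interleaved with a second
# one that never gets a RECEIVED, plus a stray CONNECTED with no START.
SAMPLE_LINES = [
    "VERIFY 194.151.25.153 1200238501 START 1200238501",
    "VERIFY 194.151.25.153 1200238501 CONNECTED 1200238501",
    "VERIFY 194.151.25.153 1200238501 SEND 1200238532",
    "VERIFY 10.0.0.7 1200238540 START 1200238540",
    "VERIFY 10.0.0.7 1200238540 CONNECTED 1200238541",
    "VERIFY 194.151.25.153 1200238501 RECEIVED 1200238550",
    "VERIFY 10.0.0.7 1200238540 SEND 1200238560",
    "VERIFY 10.0.0.9 1200238570 CONNECTED 1200238570",
    "some unrelated line",
]

if __name__ == "__main__":
    for subject, store in run(SAMPLE_LINES, now=1200238800):
        print(f'--- mail -s "{subject}"')
        print("\n".join(store))
```

Running it prints two "mails": the complete sequence for 194.151.25.153 with the 31 and 18 second differences, and the missing-RECEIVED report for 10.0.0.7 once the final clock value puts its SEND more than 180 seconds in the past. The stray CONNECTED for 10.0.0.9 is dropped because no context exists for it, which is what the context= field on rules 2-4 achieves in SEC.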