Hi Jeff,

what you would do is set up a context the first time your event
matches, with a lifetime of 1 min. At the end of the context, you run
action 2. Then you use a SingleWithThreshold rule valid only if your
context exists. If it checks, you run action 1 and delete the context.

About the not weekend, yes, it's a calendar rule. Let's see:

# Calendar to disable on weekends (created on sat 00:01, lasts 48 h)
type=Calendar
time=1 0 * * 6
desc=Weekend context
action=create Weekend 172800

# Context to start matching. When it ends, runs action 2 and resets the
# count rule.
type=Single
ptype=RegExp
pattern=<whatever>
continue=takenext
context=!Weekend && !1_min_count
desc=Begin 1 min count for 500 errors
action=create 1_min_count 60 (<run action 2>; reset Correlate_500_events)

# Event count. We correlate 500 events while 1_min_count still exists, and
# delete the context if limit met. On reaching the threshold this rule runs
# action 1, as described above.
# window: more than 60 sec, but whatever, since the correlation is reset by
# 1_min_count expiration.
type=SingleWithThreshold
ptype=RegExp
pattern=<whatever>
context=!Weekend && 1_min_count
desc=Correlate_500_events
action=<run action 1>; \
       delete 1_min_count
window=<more than 60 sec>
thresh=500

It's not tested, but I believe it would work as you intend. Notice the !
in the second rule context (you only want to create the context once)

Sincerely,
Josep Abenza Martí
Web Architecture, Liberty Seguros
Tel. 93 489 05 00 - Ext. 61605
[EMAIL PROTECTED]
"Jeff Schroeder" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11/03/2008 01:08
Please respond to: [EMAIL PROTECTED]
To: [email protected]
cc:
Subject: [Simple-evcorr-users] Using sec to send "throttled" alerts question?

Here is pseudocode of what I'm trying to set up:

If time != weekend:
    if event matches in 1 minute:
        if event happens >=500 times:
            run action 1
        else:
            run action 2

From reading the article on sec[1], "SingleWithThreshold" rules can
action when a pattern matches 500 times within 1 minute but _only_
when it happens 500 times. SingleWith2Thresholds doesn't look like it
does what I want either. The time != weekend block is not critical,
but would be really nice. It looks like a "Calendar" rule can do that.

My question is basically, "How would I go about setting up sec to
implement something close to the previous pseudocode?". My idea was to
set up 2 rules, 1 being a Single and 1 being a SingleWithThreshold. Is
there a better way to do this? You don't have to handhold me through
creating the config unless you want to.

Thanks for the help
[1] http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
--
Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
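
Added example (not part of the original thread and not SEC code): a small Python simulation of the intended logic from the pseudocode and the three rules above, useful for checking which action a given event stream should produce before testing the real rules. The names correlate and burst and all timestamps are constructed for illustration; the weekend is simplified to Saturday/Sunday by weekday rather than the 48 h Weekend context.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # lifetime of the 1_min_count context
THRESH = 500                     # thresh= of the SingleWithThreshold rule

def correlate(timestamps, window=WINDOW, thresh=THRESH):
    """Return a list of (time, action) decisions for matching events.

    Models the intended logic only; it is not a reimplementation of SEC.
    """
    fired = []
    start = None     # when the current counting window opened (None = closed)
    count = 0
    for ts in sorted(timestamps):
        # Window ran out below the threshold: "run action 2" at expiry time.
        if start is not None and ts >= start + window:
            fired.append((start + window, "action2"))
            start = None
        # Simplification: Saturday/Sunday by weekday, not the 48 h context.
        if ts.weekday() >= 5:
            continue
        if start is None:            # first match opens the window
            start, count = ts, 0
        count += 1                   # the opening event is counted too
        if count >= thresh:          # threshold met: action 1, close window
            fired.append((ts, "action1"))
            start = None
    if start is not None:            # flush a window still open at end of input
        fired.append((start + window, "action2"))
    return fired

def burst(begin, n, spacing_ms):
    """Constructed sample data: n events spaced spacing_ms apart."""
    return [begin + timedelta(milliseconds=i * spacing_ms) for i in range(n)]

if __name__ == "__main__":
    monday = datetime(2008, 3, 10, 9, 0, 0)      # a Monday
    saturday = datetime(2008, 3, 15, 9, 0, 0)    # a Saturday
    events = (burst(monday, 600, 50)             # 600 events in 30 s
              + burst(monday + timedelta(minutes=5), 20, 1000)  # 20 in 20 s
              + burst(saturday, 600, 50))        # ignored: weekend
    for when, action in correlate(events):
        print(when.isoformat(sep=" "), action)
```

In the sample run, the 600-event burst produces action 1 at the 500th event and then action 2 for the 100-event tail, because the tail opens a fresh one-minute window that never reaches the threshold.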