Thanks for the reply, Risto. Allow me to make the following remarks:

1. I won't argue with the argument about simplicity and efficiency!

2. I would argue with the argument about ambiguity because my understanding of things is/was that when the threshold number of messages didn't arrive during the time window there would be no event. It seems very strange that when an event is detected the information you have available refers to a message that had nothing to do with the event!

3. I can do the tail thing via shell commands or by using perl, so that is quite neat!
Thanks, Allen.

PS I have other "fundamental" questions but I'll ask them elsewhere. Thanks again.

-----Original Message-----
From: Risto Vaarandi [mailto:[email protected]]
Sent: Tuesday, March 10, 2009 6:16 PM
To: Conway Allen
Cc: [email protected]
Subject: Re: [Simple-evcorr-users] SingleWith2Thresholds question

Conway Allen wrote:
> [---cut---]
> The action associated with the lower threshold of 3 is executed when
> xyz/7 arrives but if the action involves writing to a file $0, for
> instance, what I find in the file is xyz/1 and not the xyz/5 as I would
> expect.
> [---cut---]

Allen,

IMHO, the use of the $0 variable makes sense in most cases only if you are correlating messages with a rule where the action is executed immediately after a match has been found. In other words, the action gets executed on one match only, when it is clear that $0 is set by this particular match. If the action is triggered by multiple matches, the $0 variable is inherently ambiguous. SEC always sets $0 and the other variables when the event correlation operation starts, which is the simplest and most efficient way of handling match values (otherwise we would have to store the pattern match values from all matches, and even then it is not clear which particular value to prefer for $0).

If you would like to fetch the N-th matching line when the action is executed, I'd recommend employing a separate context for keeping matching lines in memory. When an action is triggered from SingleWith2Thresholds, you can use 'report' to access the content of the context and extract the N-th line.

[---cut---]

br,
risto

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
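Risto's suggestion (keep the matching lines in a separate context and read the N-th one with 'report' when the threshold fires) spelled out as an SEC rule file. This is an added example written for this thread; it is neither Allen's configuration nor code from the SEC distribution. It assumes input lines of the form "xyz/1", "xyz/2", ..., a context named XYZ_LINES, a threshold of 5 matching lines within 60 seconds, and a two-line helper script /usr/local/bin/nth-line.sh; all of these names and values are invented for the example.

```conf
# Added example (not from the thread or from SEC itself): three rules that
# store every matching line in a context so that an action fired by a
# SingleWith2Thresholds rule can read the N-th line instead of the
# ambiguous $0, which SEC sets from the line that STARTED the operation.
# Assumed: lines look like "xyz/<n>"; the context name XYZ_LINES and the
# helper /usr/local/bin/nth-line.sh are invented for this example.

# Rule 1: on the first line of a burst (no line store exists yet), create the
# store with a lifetime equal to the correlation window, so lines of a burst
# that never reaches the threshold expire instead of lingering forever.
# continue=TakeNext is essential: SEC's default (DontCont) would stop the
# line here and the rules below would never see it.
type=Single
ptype=RegExp
pattern=^xyz/(\d+)$
context=!XYZ_LINES
continue=TakeNext
desc=Create line store for xyz burst
action=create XYZ_LINES 60

# Rule 2: append the whole matching line ($0) to the store and pass the line
# on to the threshold rule.
type=Single
ptype=RegExp
pattern=^xyz/(\d+)$
continue=TakeNext
desc=Store xyz line
action=add XYZ_LINES $0

# Rule 3: the threshold rule. desc must stay constant (no $1 in it), otherwise
# every distinct number would start its own counting operation. When the 5th
# matching line arrives within 60 s, $0 is still "xyz/1" (the line that started
# the operation); 'report' instead pipes the stored lines xyz/1 .. xyz/5 to the
# helper, which prints line 5. The store is then deleted so the next burst
# starts from an empty context (rule 1 recreates it).
type=SingleWith2Thresholds
ptype=RegExp
pattern=^xyz/(\d+)$
desc=xyz burst
action=report XYZ_LINES /usr/local/bin/nth-line.sh 5; delete XYZ_LINES
window=60
thresh=5
action2=write - xyz burst over
window2=60
thresh2=0

# The helper (assumed, not part of SEC) reads the event store that 'report'
# writes to its standard input and appends line number $1 to a file:
#   #!/bin/sh
#   sed -n "${1}p" >> /var/tmp/xyz-nth-line.txt
```

Two things to check when adapting this: the rules must appear in this order in the configuration file, and rules 1 and 2 must carry continue=TakeNext, because a line that matches a rule is by default not offered to later rules. If the file written by the helper still shows xyz/1 after a burst, the most likely cause is that the threshold rule received the line before the store rule did.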
