This issue is related to the proper value of the 'desc' parameter in rule definition. It has been discussed in the mailing list before many times -- for example, the following thread might provide some insight: http://sourceforge.net/mailarchive/message.php?msg_id=443817.36333.qm%40web33007.mail.mud.yahoo.com
Also, the SEC man page has a relevant section that explains the significance of the 'desc' field: http://simple-evcorr.sourceforge.net/sec.pl.html#lbAV

I hope these sources can help you to tackle the issue.

with kind regards,
risto

P.S. FYI, SourceFire recently introduced a search function for their mailing lists, and SEC list can now be searched at: http://sourceforge.net/search/?group_id=42089&type_of_search=mlists

On 09/22/2009 08:30 PM, Roger Warner wrote:
>
> I am having a problem with getting record matches after the suppress
> window should be skipping/passing by my rule.
>
> Background. I am attempting to use SEC to scan for Java stack traces
> in application logs. To that end I'm doing a multiline RegExp so I
> can both match the trace and get the trace captured in $0.
>
> The rule I use is:
>
> type=SingleWithSuppress
> ptype=RegExp10
> pattern=^\[.+MDBException\:(.*)\n[^\[]+
> desc=$0
> action=pipe '' /usr/bin/mailx -s "MDBException on QA ($1)"<mail address excluded>
> window=300
>
> What I'm seeing is sometimes I see multiple matches/emails in the same
> second as the initial match, and other times what I see is emails coming
> in before the 300 sec interval has expired.
>
> Am I misusing SingleWithSuppress or should I be using some other type?
>
> Thanks,
>
> Roger
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
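
Added example, not part of the original thread and not SEC's own code: a simplified Python model of why the 'desc' value matters for SingleWithSuppress. SEC identifies a running suppression by the rule (file name and rule ID) together with the 'desc' string after variable substitution, so a 'desc' that differs for every match never finds an existing suppression to fall under. The log records, the file name `mdb.conf` and the helper names are constructed for illustration.

```python
import re

# Pattern taken from the rule in the thread; $0 = whole match, $1 = first group.
PATTERN = re.compile(r"^\[.+MDBException\:(.*)\n[^\[]+")

def make_record(ts, msg):
    # Constructed sample record: timestamped header line plus one stack frame.
    return (f"[{ts}] ERROR MDBException:{msg}\n"
            "\tat com.example.Mdb.onMessage(Mdb.java:42)\n")

# (arrival time in seconds, record) -- constructed data, not real logs.
EVENTS = [
    (0,   make_record("2009-09-22 10:00:00", " queue unavailable")),
    (10,  make_record("2009-09-22 10:00:10", " queue unavailable")),
    (20,  make_record("2009-09-22 10:00:20", " queue unavailable")),
    (30,  make_record("2009-09-22 10:00:30", " bad payload")),
    (400, make_record("2009-09-22 10:06:40", " queue unavailable")),
]

def actions_fired(desc_template, events=EVENTS, window=300,
                  rule=("mdb.conf", 0)):
    """Return the arrival times at which the rule's action would run.

    Model: a suppression is keyed by (rule file, rule ID, substituted desc)
    and lives for `window` seconds from the match that started it.
    """
    started = {}   # key -> time the suppression started
    fired = []
    for t, record in events:
        m = PATTERN.match(record)
        if not m:
            continue
        desc = (desc_template.replace("$0", m.group(0))
                             .replace("$1", m.group(1)))
        key = rule + (desc,)
        if key in started and t - started[key] < window:
            continue          # an active suppression with this key exists
        started[key] = t      # new key or expired window: run the action
        fired.append(t)
    return fired

if __name__ == "__main__":
    for template in ("$0", "MDBException$1", "MDBException on QA"):
        print(f"desc={template!r:24} -> action at t={actions_fired(template)}")
```

With `desc=$0` the timestamp inside each match makes every key unique, so all five matches trigger the action; a constant 'desc' gives one action per window, and a 'desc' built from `$1` gives one per distinct exception message per window.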