Hello:
In message <1285944684.24023.5.ca...@kittyhawk.ittns.northwestern.edu>,
Mike Rykowski writes:
>I'm trying to do something simple and I must be missing something
>obvious.
>
>I have a log message of the form 'blah A blah B'. There could be
>duplicates of the exact same message that I want to ignore but if
>another message comes in with not A but B within a time period I want to
>do an action.
>
>For example 'blah A blah B' and within say 2 minutes I get a message
>'blah !A blah B' then do action.
>
>I tried doing the above with a pair rule but it does not work.
I think you want a PairWithWindow rule not a pair rule.
See if:
type = pairwithwindow
desc = match starting line and extract elements
ptype = regexp
pattern = blah (\w+) blah (\w+)
rem = action if event B does not occur after event a within window
action = none
desc2 = match not first element with second element
ptype2 = substr
pattern2 = blah [!]$1 blah $2
rem = action if event B occurs after event a within window
action2 = ....
window = 120
does what you want.
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
