What I tried before was similar. Here is the log message I am talking about:
Sep 30 14:27:30 host dhcpd: DHCPDISCOVER from 00:00:00:00:00:00 via 1.2.3.4: network 1.2.3/23: no free leases

'A' is the MAC address and 'B' is the network.

type=PairWithWindow
ptype=RegExp
pattern=\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from (\S+) via \S+ network (\S+): no free leases
desc=$2 no free leases
action=none
ptype2=RegExp
pattern2=\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from ^($1) via \S+ network ($2): no free leases
desc2=$2 no free leases action
action2=send email
window=120

On Fri, 2010-10-01 at 11:12 -0400, John P. Rouillard wrote:
> Hello:
>
> In message <1285944684.24023.5.ca...@kittyhawk.ittns.northwestern.edu>,
> Mike Rykowski writes:
> >I'm trying to do something simple and I must be missing something
> >obvious.
> >
> >I have a log message of the form 'blah A blah B'. There could be
> >duplicates of the exact same message that I want to ignore but if
> >another message comes in with not A but B within a time period I want to
> >do an action.
> >
> >For example 'blah A blah B' and within say 2 minutes I get a message
> >'blah !A blah B' then do action.
> >
> >I tried doing the above with a pair rule but it does not work.
>
> I think you want a PairWithWindow rule not a pair rule.
>
> See if:
>
> type = pairwithwindow
> desc = match starting line and extract elements
> ptype = regexp
> pattern = blah (\w+) blah (\w+)
> rem = action if event B does not occur after event a within window
> action = none
> desc2 = match not first element with second element
> ptype2 = substr
> pattern2 = blah [!]$1 blah $2
> rem = action if event B occurs after event a within window
> action2 = ....
> window = 120
>
> does what you want.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
--
Mike Rykowski
NU-IT Telecommunications and Network Services