What I want to do is ignore subsequent messages if the MAC and network are the same. But if a subsequent message has the same network but a different MAC, then send email.
So it seems I'd like to see your example solutions :)

On Fri, 2010-10-01 at 19:17 +0300, Risto Vaarandi wrote:
> hi Mike,
>
> I have almost completed two possible example solutions to the problem,
> but after seeing your e-mail I have an inkling I've got the problem
> statement wrong :(
> So far I had an impression that you would like to do some clever
> pairwise correlation for events that are matched by (almost) identical
> regular expressions. (Just a note: if the expressions are almost the
> same, it is actually a bit tricky with Pair* rules.)
> However, from the example I've got an understanding that you would
> simply like to suppress duplicate alarms within a given time window,
> provided that *both* the MAC address and the network are the same. Is my
> understanding correct?
> If so, you could try the following rule:
>
> type=SingleWithSuppress
> ptype=RegExp
> pattern=\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from (\S+) via \S+ network (\S+): no free leases
> desc=$2 no free leases for MAC $1
> action=send email
> window=120
>
> If I didn't get it quite right, I'll post my two example solutions :)

--
Mike Rykowski
NU-IT Telecommunications and Network Services

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
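
An added illustration, not part of the original thread and not SEC's own code: a Python model of how the SingleWithSuppress rule quoted above keys suppression on its desc string (network plus MAC), run over constructed dhcpd lines. It assumes the syslog timestamp stands in for the arrival time SEC would use; the host name, interface, MAC addresses, network and year are made up.

```python
import re
from datetime import datetime

# Same expression as the rule's pattern= line: group 1 = MAC, group 2 = network.
PATTERN = re.compile(r"\S+\s+\S+\s+\S+\s+\S+ dhcpd: DHCPDISCOVER from (\S+) "
                     r"via \S+ network (\S+): no free leases")
WINDOW = 120  # seconds, as in window=120

# Constructed sample input (not real logs).
_FMT = "Oct  1 {} gw1 dhcpd: DHCPDISCOVER from {} via eth0 network 10.0.1.0/24: no free leases"
MAC_A, MAC_B = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE = [
    _FMT.format("12:00:00", MAC_A),  # first event for (network, MAC_A): action runs
    _FMT.format("12:00:30", MAC_A),  # same key, 30 s later: suppressed
    _FMT.format("12:01:00", MAC_B),  # same network, other MAC: new key, action runs
    _FMT.format("12:01:30", MAC_A),  # still inside MAC_A's window: suppressed
    _FMT.format("12:02:30", MAC_A),  # 150 s after the first event: action runs again
    "Oct  1 12:02:35 gw1 dhcpd: DHCPACK on 10.0.2.7 to 00:11:22:33:44:55 via eth0",
]

def arrival(line):
    # Assumption: log timestamp approximates arrival time; year is a placeholder.
    stamp = " ".join(line.split()[:3])
    return datetime.strptime("2010 " + stamp, "%Y %b %d %H:%M:%S")

def correlate(lines, window=WINDOW):
    """Return (time, desc) for every event that would trigger the action."""
    started = {}  # desc string -> start time of the running suppression
    alerts = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue
        mac, network = m.groups()
        desc = f"{network} no free leases for MAC {mac}"  # desc=$2 ... $1
        now = arrival(line)
        start = started.get(desc)
        # Exact behaviour at the window boundary is not modelled here.
        if start is not None and (now - start).total_seconds() < window:
            continue  # duplicate key inside the window: no action
        started[desc] = now  # window counts from this event and does not slide
        alerts.append((now.strftime("%H:%M:%S"), desc))
    return alerts

if __name__ == "__main__":
    for when, desc in correlate(SAMPLE):
        print(when, "ALERT:", desc)
```

Because the MAC is part of the desc string, a different MAC on the same network starts its own suppression and is reported, while repeats of the same MAC and network stay quiet until 120 seconds after the first one.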