hi all,

although the Perl regular expression engine is very fast, I have recently started thinking about a new pattern type which would allow one to reuse the results of previous matches. This would be very handy in cases where multiple rules have exactly the same pattern. Also, one can separate the event parsing task from other rules with the new feature.

The following is just one possible way to implement this new feature:

- with the 'createpattern' action, one can create new patterns which exist until the input buffer is updated with a new line,
- when 'createpattern' is called, the values of match variables ($1, $2, ...) from the current pattern match are cached for future use,
- if the 'ptype' field of the rule is set to 'custom', a check is made whether a pattern with a given name exists; if so, the pattern will match and the previously cached match variable values will be used for setting $1, $2, etc.

In the following example, the user creates a pattern SYSLOG if the last line in the input buffer matches the regular expression in the first rule. The results of the match are then reused by the second rule:

type=Single
ptype=RegExp
pattern=([\w\-.]+) ([\w\-.]+)\[(\d+)\]: (.*)
desc=parse a syslog message
action=createpattern SYSLOG

type=Single
ptype=custom
pattern=SYSLOG
desc=Received syslog message $4 from host $1
action=logonly

I've also been thinking about introducing optional named fields for custom patterns. For example, if in the first rule one writes

action=createpattern SYSLOG HOST,PROGRAM,,MESSAGE

then the HOST, PROGRAM and MESSAGE fields will be set to $1, $2 and $4, respectively. If in the second rule one writes

pattern=SYSLOG MESSAGE,HOST

the MESSAGE field will set $1 and the HOST field $2. This would allow for rearranging the variables if needed, and making them more readable.

Note that once a new line is read from an input file and stored in the input buffer, the SYSLOG pattern would cease to exist, and pattern=SYSLOG would evaluate false (until SYSLOG is recreated with the 'createpattern' action).

Any thoughts?

risto

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
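
The semantics proposed in the message above (cache lifetime tied to the input buffer, positional named fields, and field reordering) can be modelled in a few lines. This is an added example, not part of the original post and not SEC code: the `PatternCache` class, its method names, the `run` helper and the sample lines are all hypothetical, and treating an unknown field name as a non-match is an assumption the post does not settle.

```python
import re

# Regular expression from the first rule in the post.
SYSLOG_RE = re.compile(r'([\w\-.]+) ([\w\-.]+)\[(\d+)\]: (.*)')

class PatternCache:
    """Hypothetical model of the proposed cache; not SEC code."""

    def __init__(self):
        self._patterns = {}

    def new_line(self):
        # Cached patterns exist only until the input buffer gets a new line.
        self._patterns.clear()

    def create_pattern(self, name, values, fields=""):
        # 'createpattern NAME [F1,F2,...]': cache $1, $2, ... and name them by
        # position; an empty entry (as in HOST,PROGRAM,,MESSAGE) leaves that
        # position unnamed.
        named = {f: v for f, v in zip(fields.split(","), values) if f}
        self._patterns[name] = (list(values), named)

    def match_custom(self, spec):
        # 'pattern=NAME [F1,F2,...]': returns the new $1, $2, ... or None.
        name, _, wanted = spec.partition(" ")
        if name not in self._patterns:
            return None
        values, named = self._patterns[name]
        if not wanted:
            return list(values)
        if any(f not in named for f in wanted.split(",")):
            return None  # assumption: an unknown field name means no match
        return [named[f] for f in wanted.split(",")]

def run(lines):
    """Apply the two rules from the post (named-field variant) to each line."""
    cache, events = PatternCache(), []
    for line in lines:
        cache.new_line()
        m = SYSLOG_RE.search(line)
        if m:  # rule 1
            cache.create_pattern("SYSLOG", m.groups(), "HOST,PROGRAM,,MESSAGE")
        v = cache.match_custom("SYSLOG MESSAGE,HOST")  # rule 2
        if v:
            events.append(f"Received syslog message {v[0]} from host {v[1]}")
    return events

# Constructed sample input: one syslog line, then a line rule 1 does not match.
SAMPLE = ["Dec 11 10:00:00 myhost sshd[1234]: Connection closed", "-- MARK --"]
```

Calling `run(SAMPLE)` yields one event for the first line only: the second line does not match rule 1, and the SYSLOG pattern cached for the first line is already gone when rule 2 is evaluated.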