On 1/20/2011 12:40 PM, Morris, Patrick wrote:
> On 1/20/2011 11:26 AM, Morris, Christopher wrote:
>>
>>
>> type=SingleWithThreshold
>>
>> continue=takenext
>>
>> ptype=RegExp
>>
>> pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
>>
>> desc=Liberty at host:port $1 reporting $2
>>
>> action=report liberty_$1 /usr/bin/mailx -s "%s"
>> [email protected] [email protected]; \
>>
>> delete liberty_$1
>>
>> window=21600
>>
>> thresh=20
>>
>>
>>
>> type=single
>>
>> ptype=regexp
>>
>> pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
>>
>> desc=Liberty error messages
>>
>> action=add liberty_$1 $0
>>
>
> I may be missing something, but I don't see that you're actually doing
> anything with the context you're adding to in rule #2. If it's not
> used for anything, then you're right: it's redundant. It looks to me
> like all your work's being done in the first rule, and the second is
> just saving a value that's never used anywhere.
No, it is used -- the first rule reports and removes the context when
the threshold condition is met, and the second is an accumulator. I
have similar rule pairs in our rulesets and I don't think you have much
of a choice. You need one rule to keep adding the data and one to
report it. If there is way to do that all in one to avoid repeating the
pattern, love to hear how!
Mark
--
Mark D. Nagel, CCIE #3177 <[email protected]>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 949-623-9854
*** Please send support requests to [email protected]! ***
------------------------------------------------------------------------------
Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
Finally, a world-class log management solution at an even better price-free!
Download using promo code Free_Logger_4_Dev2Dev. Offer expires
February 28th, so secure your free ArcSight Logger TODAY!
http://p.sf.net/sfu/arcsight-sfd2d
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
