On 01/21/2011 01:25 AM, Mark D. Nagel wrote:
> On 1/20/2011 12:40 PM, Morris, Patrick wrote:
>> On 1/20/2011 11:26 AM, Morris, Christopher wrote:
>>>
>>> type=SingleWithThreshold
>>> continue=takenext
>>> ptype=RegExp
>>> pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
>>> desc=Liberty at host:port $1 reporting $2
>>> action=report liberty_$1 /usr/bin/mailx -s "%s" [email protected] [email protected]; \
>>>        delete liberty_$1
>>> window=21600
>>> thresh=20
>>>
>>> type=single
>>> ptype=regexp
>>> pattern=:\d\d \S+ .*Liberty app at (\S+) (.*)
>>> desc=Liberty error messages
>>> action=add liberty_$1 $0
>>>
>>
>> I may be missing something, but I don't see that you're actually doing
>> anything with the context you're adding to in rule #2. If it's not
>> used for anything, then you're right: it's redundant. It looks to me
>> like all your work's being done in the first rule, and the second is
>> just saving a value that's never used anywhere.
>
> No, it is used -- the first rule reports and removes the context when
> the threshold condition is met, and the second is an accumulator. I
> have similar rule pairs in our rulesets and I don't think you have much
> of a choice. You need one rule to keep adding the data and one to
> report it. If there is a way to do that all in one to avoid repeating the
> pattern, love to hear how!

I have planned pattern match caching for the 2.6.0 version, but due to time
constraints was simply not able to implement it in 2.6.alpha1/2 :(

kind regards,
risto

>
> Mark
>
> --
> Mark D. Nagel, CCIE #3177 <[email protected]>
> Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
> cell: 949-279-5817, desk: 714-495-4001, fax: 949-623-9854
>
> *** Please send support requests [email protected]! ***
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
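
The accumulator/report rule pair quoted in this thread, modelled in Python as an added example (not code from the thread or from SEC itself). The function name, the sample lines and the shrunken window/thresh values are constructed; the model assumes SEC keys each counting operation by the substituted desc string and that $0 is the whole input line.

```python
import re
from collections import defaultdict

# Pattern copied from the two rules quoted in the thread.
PATTERN = re.compile(r":\d\d \S+ .*Liberty app at (\S+) (.*)")

def correlate(events, window=21600, thresh=20):
    """Simplified model of the rule pair. events: (epoch_seconds, line) tuples.
    Returns (reports, contexts): what 'report' would mail, and what stays stored."""
    ops = {}                      # substituted desc -> {"times": [...], "fired": bool}
    contexts = defaultdict(list)  # context name -> stored lines
    reports = []
    for now, line in events:
        m = PATTERN.search(line)
        if not m:
            continue
        host, msg = m.groups()
        ctx = f"liberty_{host}"
        # Rule 1 (SingleWithThreshold): one counting operation per desc string,
        # so the count is per host AND per message text.
        key = f"Liberty at host:port {host} reporting {msg}"
        op = ops.get(key)
        if op and op["fired"] and now - op["times"][0] >= window:
            op = None             # window over after the action ran: operation ends
        elif op and not op["fired"]:
            op["times"] = [t for t in op["times"] if now - t < window]  # slide window
        if op is None:
            op = ops[key] = {"times": [], "fired": False}
        if not op["fired"]:
            op["times"].append(now)
            if len(op["times"]) >= thresh:
                op["fired"] = True
                if ctx in contexts:   # report, then delete, as in the action field
                    reports.append((ctx, contexts.pop(ctx)))
        # Rule 2 (Single) runs next because rule 1 sets continue=takenext.
        contexts[ctx].append(line)
    return reports, dict(contexts)

# Constructed sample lines; thresh/window are shrunk below so the run stays short.
SAMPLE = [
    (0,  "Jan 20 11:26:01 apphost logger: Liberty app at 10.0.0.5:8080 timeout"),
    (5,  "Jan 20 11:26:06 apphost logger: Liberty app at 10.0.0.5:8080 disk full"),
    (10, "Jan 20 11:26:11 apphost logger: Liberty app at 10.0.0.5:8080 timeout"),
    (20, "Jan 20 11:26:21 apphost logger: Liberty app at 10.0.0.5:8080 timeout"),
]

if __name__ == "__main__":
    reports, left = correlate(SAMPLE, window=60, thresh=3)
    print(reports, left)
```

In this model the line that trips the threshold is stored only after the report has gone out, so it starts the next context, and lines with a different message text share the host's context without counting toward the same threshold.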
