I tested the rule briefly and for me it fired only once. On the other 
hand, I acknowledge I hadn't time to consider every possible side-effect 
of the expression. However, you might want to consider the following 
expression: (?s).*WY_LOG_TYPE_ERROR\s*<<\*\*(.*)\*\*>>$
Due to greedy matching of quantifiers, .*WY_LOG_TYPE_ERROR always hits 
the beginning of the last error message block. If you have many error 
messages in the input buffer simultaneously, the above expression might 
be somewhat more efficient.
br,
risto

On 03/28/2011 05:46 PM, Varun Shankar wrote:
> Risto
>
> As you suggested, I have written the regular expression to select only
> the last entry. The regular expression works fine.
> I am sharing the content of conf file below
>
> type=Single
> ptype=RegExp500
> desc=$1
> pattern=(?s)WY_LOG_TYPE_ERROR\s*<<\*\*(?!.*WY_LOG_TYPE_ERROR)(.*)\*\*>>$
> action=logonly
>
> The problem now is SEC is firing the event twice. So if I set
> action=logonly, it's getting logged twice. If I set action=(send mail to
> me), it's sending two mails.
>
> Any help will be highly appreciated.
>
> On Mon, Mar 28, 2011 at 2:24 PM, Risto Vaarandi <risto.vaara...@seb.ee> wrote:
>
>     Well, instead of clearing a buffer, write the regular expression in
>     the way that it would match only once. Note that by default ^ and $
>     match only the beginning and end of the buffer, not the newlines in
>     it. For example, (.*)\n(.*)$ matches two last lines from the buffer.
>     kind regards,
>     risto
>
>
>     On 03/28/2011 10:20 AM, Varun Shankar wrote:
>
>         Risto
>
>         Thanks for your help. Yes it worked. But I am facing another
>         problem here.
>         Say I mention  --bufsize=500 and use ptype=RegExp500
>
>         Now say 20 lines are logged in the input file. It matches correctly.
>         Next time 50 more lines are logged in the input file, but this time the
>         previous 20 lines are still there in the buffer. So the regular
>         expression matches them also.
>         How can I clear the input buffer each time?
>
>
>         On Fri, Mar 25, 2011 at 8:32 PM, Risto Vaarandi
>         <risto.vaara...@seb.ee> wrote:
>
>             On 03/25/2011 02:27 PM, Supratik Goswami wrote:
>          > Hi
>          >
>          > I want to extract everything with multiple lines between two markers.
>          >
>          > I want to display everything between:
>          >
>          > WY_LOG_TYPE_ERROR <<**
>          >
>          > **>>
>          >
>          > So if the text entered in the log file
>          >
>          > WY_LOG_TYPE_ERROR <<**
>          > ================================
>          >        2011-03-25 06:08:30
>          > ================================
>          > Blah blah blah
>          >
>          > Blah blah blah
>          >
>          > Blah blah blah
>          >
>          > Blah blah blah
>          >
>          > **>>
>          >
>          > It should match and display everything between the two markers including
>          > the markers.
>          >
>          > I tried the following regular expression patterns but it is not working:
>          >
>          >     *   pattern=(?s)WY_LOG_TYPE_ERROR\s*<<\*\*(.)*>>\*\*
>          >     *   pattern=(?s)WY_LOG_TYPE_ERROR\s*<<\*\*(.|\n)*>>\*\*
>          >     *   pattern=WY_LOG_TYPE_ERROR\s*<<\*\*(.|\n)*>>\*\*
>          >
>          >
>          > Can you please tell me what I am missing here.
>
>             If you want to match multiple lines at once, you should also set 'ptype'
>             field accordingly -- instead of RegExp, you have to use RegExpN. Also,
>             default maximum value for N is 10, so if you want to match more than 10
>             lines at once, you have to set --bufsize command line option
>             accordingly.
>             regards,
>             risto
>
>          >
>          > --
>          > Warm Regards
>          >
>          > Supratik
>          >
>          >
>          >
>          >
>
>
>
>
>
>         --
>         Regards,
>         Varun Shankar
>
>
>
>
>
> --
> Regards,
> Varun Shankar


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
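
The two patterns from this thread, replayed line by line over a buffer that holds two error blocks, as an added example that is not code from the thread or from SEC. Python's `re` stands in for Perl here; `replay()`, the `UNANCHORED` pattern and the sample log are constructed, and the sliding-window model of the RegExpN buffer is a simplifying assumption.

```python
import re
from collections import deque

# The two patterns from the thread, unchanged (these constructs behave the
# same in Python's re as in Perl, which SEC uses).
LOOKAHEAD = re.compile(
    r"(?s)WY_LOG_TYPE_ERROR\s*<<\*\*(?!.*WY_LOG_TYPE_ERROR)(.*)\*\*>>$")
GREEDY = re.compile(r"(?s).*WY_LOG_TYPE_ERROR\s*<<\*\*(.*)\*\*>>$")
# Constructed for contrast: same markers, no last-block selection, no $ anchor.
UNANCHORED = re.compile(r"(?s)WY_LOG_TYPE_ERROR\s*<<\*\*(.*)\*\*>>")

# Constructed sample log with two error blocks.
LOG = """\
service started
WY_LOG_TYPE_ERROR <<**
first failure
detail A
**>>
heartbeat
WY_LOG_TYPE_ERROR <<**
second failure
**>>
heartbeat
heartbeat
""".splitlines()


def replay(pattern, lines, bufsize=500):
    """Return [(line_no, captured_text)] for every line on which the rule fires.

    Simplified model (assumption): the pattern is tried after each new line
    against the last `bufsize` lines joined with newlines.
    """
    window = deque(maxlen=bufsize)
    hits = []
    for line_no, line in enumerate(lines, 1):
        window.append(line)
        match = pattern.search("\n".join(window))
        if match:
            hits.append((line_no, match.group(1).strip()))
    return hits


if __name__ == "__main__":
    for name, pat in [("lookahead", LOOKAHEAD), ("greedy", GREEDY),
                      ("unanchored", UNANCHORED)]:
        print(name, [n for n, _ in replay(pat, LOG)])
    # A window shorter than the block misses the opening marker entirely.
    print("bufsize=3", replay(GREEDY, LOG, bufsize=3))
    # `$` also matches just before a final newline: an empty line logged
    # right after **>> leaves the buffer ending in "**>>\n" and fires again.
    print("blank line", replay(GREEDY, ["WY_LOG_TYPE_ERROR <<**", "x", "**>>", ""]))
```

In Perl, `\z` anchors strictly at the end of the buffer where `$` would also accept a trailing newline.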
