Hi Risto,

Many thanks! Aliases... that's what we've missed. 

I will give this a try and let everyone know.

And yes, many thanks to John Rouillard's work. I began reading it the other day 
and it has been very informative. I'm going to send him an email this afternoon 
and drop him a note of thanks.

--Edward
________________________________________
From: Risto Vaarandi [[email protected]]
Sent: Friday, April 29, 2011 6:22 AM
To: [email protected]
Subject: Re: [Simple-evcorr-users] SEC Rule Help

hi Edward,

the task you have can be addressed with the help of context aliases. The
following simplistic rule sets up a context and an alias for an observed
event. The alias will suppress further events with the same FRQ number,
but if an event with a different number comes in, the context is deleted
(which also gets rid of the previous alias!) and recreated with an alias
for the new FRQ number:

type=Single
ptype=RegExp
pattern=([\d.]+) 0 latest frq (\d+)
desc=FRQ $2 event from IP $1
context=!FRQ_$2_FROM_$1
action=write - %s; delete FRQ_FROM_$1; \
        create FRQ_FROM_$1; alias FRQ_FROM_$1 FRQ_$2_FROM_$1

Note that having the main context associated with the IP only allows for
erasing the alias for the previous FRQ number, even though the number is not
memorized explicitly.

Finally, let's thank John Rouillard for proposing the idea of having
context aliases a couple of years ago :)

kind regards,
risto

On 04/28/2011 11:41 PM, Gleeck, Edward Joseph. (GSFC-444.0)[CAELUM
RESEARCH CORP] wrote:
>
> First off, SEC rocks! We’ve been using it for quite some time.
>
> I was hoping to get some help in regards to creating a specific set of
> rules.
>
> Here’s what I have. I would like to know when an event changes. Consider
> the following events:
>
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Apr 22 2004 127.0.0.0 0 latest frq 2
> Apr 22 2004 127.0.0.0 0 latest frq 3
> Apr 22 2004 127.0.0.0 0 latest frq 3
> Apr 22 2004 127.0.0.0 0 latest frq 4
>
> I would like to take action when frq changes from 0 to 2 or from 3 to 4.
> I’m not interested in the same values. NOW, to complicate matters these
> types of events aren’t the only ones we are receiving, so, our events
> now look like:
>
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Other events
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Other events
> Other events
> Apr 22 2004 127.0.0.0 0 latest frq 0
> Apr 22 2004 127.0.0.0 0 latest frq 2
> Apr 22 2004 127.0.0.0 0 latest frq 3
> Apr 22 2004 127.0.0.0 0 latest frq 3
> Other events
> Apr 22 2004 127.0.0.0 0 latest frq 4
>
> If the events we’re receiving only contain the latest frq events, then
> I could easily compare that using sub {$_[0] ne $_[1]}, but it’s not.
>
> Any help would be much appreciated.
>
> Thanks,
> Edward
>
>
>
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network
> management toolset available today.  Delivers lowest initial
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
>
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
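Added example, not part of the thread and not SEC's own code: a small Python model of the context/alias semantics that Risto's rule relies on, run over the sample event stream from Edward's question. The ContextTable class and run_rule function are my own approximation of how SEC handles contexts, aliases and the `delete` action (deleting a context drops all of its names); the event lines are constructed from the thread's examples. It shows that the rule fires on the first event for an IP and on every change of the FRQ value, ignores repeats and non-matching lines, and tracks each IP independently.

```python
import re
from typing import Dict, List, Set

# Constructed sample stream, modelled on the events quoted in the thread.
SAMPLE_EVENTS: List[str] = [
    "Apr 22 2004 127.0.0.0 0 latest frq 0",
    "Other events",
    "Apr 22 2004 127.0.0.0 0 latest frq 0",
    "Other events",
    "Other events",
    "Apr 22 2004 127.0.0.0 0 latest frq 0",
    "Apr 22 2004 127.0.0.0 0 latest frq 2",
    "Apr 22 2004 127.0.0.0 0 latest frq 3",
    "Apr 22 2004 127.0.0.0 0 latest frq 3",
    "Other events",
    "Apr 22 2004 127.0.0.0 0 latest frq 4",
]

# Same regular expression as the rule's pattern= line ($1 = IP, $2 = FRQ).
PATTERN = re.compile(r"([\d.]+) 0 latest frq (\d+)")


class ContextTable:
    """Minimal model (my own, not SEC's implementation) of SEC contexts:
    a context may be known under several names (aliases), and deleting it
    under any one name removes every name pointing at it."""

    def __init__(self) -> None:
        # name -> the set of all names of that context; all aliases of one
        # context share the same set object.
        self._names: Dict[str, Set[str]] = {}

    def exists(self, name: str) -> bool:
        return name in self._names

    def create(self, name: str) -> None:
        if name not in self._names:
            self._names[name] = {name}

    def alias(self, existing: str, new: str) -> None:
        names = self._names[existing]
        names.add(new)
        self._names[new] = names

    def delete(self, name: str) -> None:
        # Deleting a context that does not exist is a no-op, as in SEC.
        names = self._names.pop(name, None)
        if names is not None:
            for n in names:
                self._names.pop(n, None)


def run_rule(events: List[str]) -> List[str]:
    """Apply the thread's Single rule to each line; return what `write` emits."""
    ctx = ContextTable()
    written: List[str] = []
    for line in events:
        m = PATTERN.search(line)
        if not m:
            continue  # "Other events" never match ptype=RegExp pattern
        ip, frq = m.group(1), m.group(2)
        main_ctx = f"FRQ_FROM_{ip}"
        frq_alias = f"FRQ_{frq}_FROM_{ip}"
        # context=!FRQ_$2_FROM_$1 : the rule only fires when that alias is unknown
        if ctx.exists(frq_alias):
            continue
        written.append(f"FRQ {frq} event from IP {ip}")  # write - %s
        ctx.delete(main_ctx)          # also removes the alias for the old FRQ
        ctx.create(main_ctx)          # create FRQ_FROM_$1
        ctx.alias(main_ctx, frq_alias)  # alias FRQ_FROM_$1 FRQ_$2_FROM_$1
    return written


if __name__ == "__main__":
    for out in run_rule(SAMPLE_EVENTS):
        print(out)
```

Running the block prints one line per FRQ change (0, 2, 3, 4) for 127.0.0.0 and nothing for the repeated values or the "Other events" lines; because the main context is keyed on the IP alone, a second host gets its own independent state.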
