On 12/13/2011 08:26 PM, Mark D. Nagel wrote:
> On 12/13/2011 4:20 AM, Risto Vaarandi wrote:
>> hi all,
>> some months ago, we had a discussion on rewriting input events:
>>
>> http://sourceforge.net/mailarchive/forum.php?thread_name=4E066179.3010304%40willingminds.com&forum_name=simple-evcorr-users
>>
>> Would a similar feature be of interest to the end users? :)
>> I was thinking about attacking the problem in a more general way, but
>> couldn't find a truly elegant solution :(
>
> Obviously, I'd still like that :). We are in the middle of planning a
> change of Windows Event Log export tools, and of course the format is
> different. Instead of rewriting all our rules, we could instead
> transform the new input to look like the old input. Of course, with
> the new cached pattern tools, we could redo our rules once to extract
> the fields we need and then change the extraction rules instead to match
> the new input, using the cached fields in the revised ruleset.
> Regardless, being able to transform input in place with no other changes
> in context, etc. would be a handy tool to have available.
>
> Thanks,
> Mark
hi all,

I have finished working on the new input buffering scheme which allows for using separate input buffers for each input source (plus a separate buffer for synthetic events). The old one-buffer-for-all scheme is also present in the code, and the work mode can be changed with the --jointbuf and --nojointbuf options. This added functionality will make multiple line patterns much more useful, and would also make event rewriting more powerful.

I've now started to think about how the rewriting can actually be done. A separate rule is one option, but my personal preference lies with a special 'rewrite' or 'replace' action (an action would allow for rewriting from any rule type). With an action, there are several implementation avenues:

1) rewrite <somestring> -- if <somestring> is made up of N lines, the action will replace the last N lines in the input buffer with <somestring>.

2) rewrite <amount> <somestring> -- <amount> specifies the number of lines which need rewriting. If <somestring> contains more than <amount> lines, only the first <amount> lines are written; if <somestring> has fewer lines, leading empty lines will be added.

Are there any other ideas how one could do rewriting?

kind regards,
risto

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
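The two proposed action semantics, modelled as an added example for this thread (this is not SEC code, and the 'new' two-line and 'old' one-line event formats, the InputBuffer class and the rewrite_new_to_old() helper are all constructed here to illustrate Mark's use case of making new exporter output look like the old input). Option 1 replaces the last N buffer lines with the N lines of the rewrite text; option 2 replaces exactly <amount> lines, cutting longer text to its first <amount> lines and padding shorter text with leading empty lines:

```python
import re
from collections import deque


class InputBuffer:
    """Model of a per-source input buffer: a bounded FIFO whose rightmost
    entry is the newest line. Written for this illustration, not SEC's own code."""

    def __init__(self, maxlen=10):
        self.lines = deque(maxlen=maxlen)

    def append(self, line):
        self.lines.append(line)

    def snapshot(self):
        return list(self.lines)

    def rewrite(self, somestring):
        """Option 1: replace the last N buffer lines with the N lines of somestring."""
        new = somestring.split("\n")
        if len(new) > len(self.lines):
            raise ValueError("rewrite text has more lines than the buffer holds")
        for _ in new:
            self.lines.pop()
        self.lines.extend(new)

    def rewrite_n(self, amount, somestring):
        """Option 2: replace exactly `amount` lines. Longer text is cut to its
        first `amount` lines; shorter text is padded with leading empty lines."""
        if amount < 1 or amount > len(self.lines):
            raise ValueError("amount must be between 1 and the buffer length")
        new = somestring.split("\n")
        if len(new) > amount:
            new = new[:amount]
        elif len(new) < amount:
            new = [""] * (amount - len(new)) + new
        for _ in range(amount):
            self.lines.pop()
        self.lines.extend(new)


# Constructed two-line "new exporter" format (hypothetical, not any real tool's output).
NEW_EVENT = re.compile(
    r"^Event: id=(?P<id>\d+) host=(?P<host>\S+)\n"
    r"^Detail: user=(?P<user>\S+) status=(?P<status>\S+)$",
    re.M,
)
# Constructed one-line "old exporter" format that an existing ruleset would expect.
OLD_FMT = "{host} EventLog {id} {user} {status}"


def rewrite_new_to_old(buf, amount=2):
    """If the last `amount` buffer lines form a new-format event, rewrite them in
    place (option 2 semantics) as a single old-format line. Returns True on rewrite."""
    tail = "\n".join(buf.snapshot()[-amount:])
    m = NEW_EVENT.match(tail)
    if not m:
        return False
    buf.rewrite_n(amount, OLD_FMT.format(**m.groupdict()))
    return True


def demo():
    """Constructed input: one old-format line, then one two-line new-format event."""
    buf = InputBuffer()
    buf.append("HOSTA EventLog 4624 bob success")
    buf.append("Event: id=4625 host=HOSTB")
    buf.append("Detail: user=alice status=failure")
    rewritten = rewrite_new_to_old(buf)
    return rewritten, buf.snapshot()


if __name__ == "__main__":
    print(demo())
```

Note what option 2 does to the buffer in demo(): the two-line event becomes one line, so the second slot is filled with a leading empty line. Downstream multi-line patterns that count on the buffer depth therefore still see the same number of slots, but one of them is now blank, which is the trade-off between the two proposals.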
