hi Pedro,

one way to tackle the problem is to keep a hash table in memory which holds login counts for each particular username and DBname pair. The first rule creates a counter "username:DBname" with value 1 in the hash table at the first login, and the second increments the counter at each duplicate login. The last rule decrements the counter at each logout and removes it if its value has become 0:

# First login: no counter exists yet for user:db, so create it with value 1
type=Single
ptype=RegExp
pattern=\S+ \| (\w+) \| \d+ \| \S+ \| OPEN:(\w+)
context=$1:$2 -> ( sub { return !exists($hash{$_[0]}); } )
desc=Unique login for user $1 and db $2
action=lcall %o $1:$2 -> ( sub { $hash{$_[0]} = 1; } ); write - %s

# Duplicate login: the counter already exists, so increment and report it
type=Single
ptype=RegExp
pattern=\S+ \| (\w+) \| \d+ \| \S+ \| OPEN:(\w+)
desc=Duplicate login for user $1 and db $2
action=lcall %o $1:$2 -> ( sub { ++$hash{$_[0]}; } ); write - %s (%o logins)

# Logout: decrement the counter and delete it once it reaches 0
type=Single
ptype=RegExp
pattern=\S+ \| (\w+) \| \d+ \| \S+ \| CLOSE:(\w+)
context=$1:$2 -> ( sub { return exists($hash{$_[0]}); } )
desc=Logout for user $1 and db $2
action=lcall %o $1:$2 -> ( sub { if (!--$hash{$_[0]}) { delete $hash{$_[0]}; } })

Hope this helps,
risto

2012/1/3 Pedro Rafael Alves Simoes <pedro.a.sim...@gmail.com>:
> Hello,
>
> I have a situation where I need to detect duplicated logins to a
> database. For example:
>
> format of the messages (I simplified the format for readability):
> from_machine_1 | user_x | session_id | db_engine | OPEN:db_name
>
> example :
> host_a | userA | 1234 | engineX | OPEN:somedb
> host_a | userA | 8765 | engineX | OPEN:somedb
> host_b | userA | 3455 | engineX | OPEN:somedb
>
> These are all duplicated logins. The only static fields are the user
> and the db name. The problem is that I also need to correlate the end
> of the logins:
>
> host_a | userA | 1234 | engineX | CLOSE:somedb
>
> The correlation of the OPEN/CLOSE is easy using a context
> representing the open session. So when I get an OPEN message I create
> the context with all the fields and a window waiting for the CLOSE.
> When the CLOSE arrives within the window, I delete the context. The
> problem is the duplicates that could arrive in the meantime. I can
> create another context with only the user and the db name,
> representing a session from that user to the db, but I don't know when
> to delete this context, because the presence of a CLOSE doesn't mean
> that all the duplicated sessions have ended.
> I did some hacks in the
> action with the main::context_list variable, adding all the OPENs to
> the more general context (the one with only the user and db name) but
> I don't know if it is the best way because it won't work with the
> order of the messages that I send in the attachment. It will work the first
> time, but when I send the same messages again, the first OPEN
> xpto.tmn.pt doesn't do anything.
>
> The rules, messages and output will go in the attachment.
>
> I will appreciate some help.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
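
The counter logic of the three rules in the reply, replayed in Python over the message format from the question. This is an added example, not part of the original thread and not SEC code; the names `correlate`, `LINE_RE` and `SAMPLE` are made up for it, and the sample lines are constructed.

```python
import re

# Same field layout as in the thread:
# host | user | session_id | engine | OPEN:db   (or CLOSE:db)
LINE_RE = re.compile(r"\S+ \| (\w+) \| \d+ \| \S+ \| (OPEN|CLOSE):(\w+)")


def correlate(lines):
    """Replay the three rules; return (reported events, remaining counters)."""
    counts = {}   # plays the role of %hash, keyed "user:db"
    events = []   # what the 'write - ...' actions would print
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match any of the three patterns
        user, op, db = m.groups()
        key = f"{user}:{db}"
        if op == "OPEN" and key not in counts:
            # Rule 1: first login for this user/db pair creates the counter
            counts[key] = 1
            events.append(f"Unique login for user {user} and db {db}")
        elif op == "OPEN":
            # Rule 2: counter exists, so this is a concurrent (duplicate) login
            counts[key] += 1
            events.append(f"Duplicate login for user {user} and db {db} "
                          f"({counts[key]} logins)")
        elif key in counts:
            # Rule 3: logout is only counted while a counter exists
            counts[key] -= 1
            if counts[key] == 0:
                del counts[key]  # last session closed, forget the pair
    return events, counts


# Constructed sample: three overlapping sessions, their closes, one stray
# CLOSE with no open session, then a fresh login after everything closed.
SAMPLE = [
    "host_a | userA | 1234 | engineX | OPEN:somedb",
    "host_a | userA | 8765 | engineX | OPEN:somedb",
    "host_b | userA | 3455 | engineX | OPEN:somedb",
    "host_a | userA | 1234 | engineX | CLOSE:somedb",
    "host_a | userA | 8765 | engineX | CLOSE:somedb",
    "host_b | userA | 3455 | engineX | CLOSE:somedb",
    "host_b | userA | 3455 | engineX | CLOSE:somedb",
    "host_c | userA | 4000 | engineX | OPEN:somedb",
]

if __name__ == "__main__":
    for event in correlate(SAMPLE)[0]:
        print(event)
```

Because the counter is deleted when it reaches 0, the last OPEN is reported as a unique login again. A CLOSE that never arrives leaves the count above zero, so later logins for that pair keep being reported as duplicates.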