Hello all:
I have a number of rules that looks like:
# Create the context that will issue a warning on its expiration.
# timestamps arrive every 10 minutes by default, so time out in 21
# minutes.
type= single
desc= Detect missing timestamps
ptype= regexp
pattern= ([A-z0-9._-]+) (heartbeat): .*-- HEARTBEAT --$
action= create timestamp_for_$1_$2_active 610 ( \
shellcmd /bin/mailx -s \
"Missing timestamp mark for $1 facility $2" rouilj; \
event 0 $0 REARM); \
delete timestamp_double_rearm_$1_$2; \
delete timestamp_single_rearm_$1_$2
When a new event comes in I have to delete some prior tracking
contexts (indicating that the event has been missed for 30 and 60
minutes).
However I don't know if the tracking contexts were created. I could
use a single rule with a context and pass the heartbeat message to all
3 rules using continue = takenext as in:
type= single
desc= Delete a context on receipt of a haertbeat message
continue = takenext
ptype= regexp
pattern= ([A-z0-9._-]+) (heartbeat): .*-- HEARTBEAT --$
context = timestamp_double_rearm_$1_$2
action= delete timestamp_double_rearm_$1_$2
(more rules of this form then the first rule that creates the context
would be here.)
but that is extra processing work even if I use a preparsed (cached)
pattern and I have more than 120 events/sec that have to be processed.
The reason I care is that each delete triggers a log entry like:
Tue Mar 20 19:05:48 2012: Context
'timestamp_double_rearm_fw1.example.com_heartbeat' does not
exist or is going through deletion, can't delete
So what I would like is a delete statement that doesn't log anything
if the context doesn't exist. I thought of a few ways to do it:
new action qdelete (quiet delete)
qdelete <context name>
named argument to current delete command:
delete --missing_ok <context name>
(Sadly I think a context name can start with --, so the argument form
may not be possible.)
I wouldn't want to turn the warning off for all deletes as there are
times when I delete the context and it must/should exist. But there
are times when I don't know or care and I would like to have a way to
suppress the hundreds of warnings (and the time taken to write them)
in the log.
Anybody have any thoughts on other ways to deal with the problem?
--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
------------------------------------------------------------------------------
This SF email is sponsosred by:
Try Windows Azure free for 90 days Click Here
http://p.sf.net/sfu/sfd2d-msazure
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
