In message <507230e0.3040...@umn.edu>, Tim Peiffer writes:
>I am trying to figure out how to elegantly write a generalized ruleset
>that follows the basic form:
>
>Time: EventSet VarHost VarPort VarThreshold
>Time+X: EventClear VarHost VarPort VarThreshold
>
>and I am looking for ideas. The paired event is defined as:
>EventSet.VarHost == EventClear.VarHost) and ( EventSet.VarPort ==
>EventClear.VarPort)
>
>How would one write a ruleset that covers the above?
Would

  type = pair
  desc = general framework for matching $1 $2
  ptype = regexp
  rem = ([\w.-]+) = $1 = VarHost; (\d+) = $2 = VarPort
  pattern = EventSet ([\w.-]+) (\d+)
  action = do something when pattern 1 happens
  ptype2 = substr
  pattern2 = EventClear $1 $2
  action2 = do something when pattern 2 matches
  window = X (where X is the time window you want)

work?

This extracts the VarHost and VarPort from the event at Time, and starts a correlation operation which must be completed within X seconds by an EventClear where the VarHost and VarPort match that of the original event.

Actions are fired at two points:

  1) when event 1 arrives
  2) when event 2 arrives

If event 2 arrives > X seconds after event 1, it will not be captured by this rule. Because the description includes $1 and $2, you will get a new correlation operation for every pair of different host and port pairs.

Since you didn't require VarThreshold to be used, I ignored it. You didn't actually give examples of the events you are trying to match, so you will have to modify pattern. If you want a different action sequence you may need to use PairWithWindow. Also you didn't specify if Time+X is exactly X seconds after Time or just some random number of seconds after Time.

-- 
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
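To see how the pair rule in the reply above behaves on a stream of events, here is an added Python simulation of its matching logic (not SEC itself and not part of the original post): one correlation operation per host/port pair, action on the EventSet, action2 on a matching EventClear inside the window, silent expiry otherwise. The event lines and the 60-second window are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample events (not from the thread): (seconds, event line)
SAMPLE_EVENTS = [
    (0,   "EventSet host1.example.org 443 5"),
    (10,  "EventSet host1.example.org 443 5"),   # same host/port while active: ignored
    (30,  "EventClear host1.example.org 443 5"), # inside window: fires action2
    (40,  "EventSet host2.example.org 22 3"),
    (150, "EventClear host2.example.org 22 3"),  # 110 s later: window expired, not captured
    (200, "EventClear host3.example.org 80 1"),  # no EventSet for this pair: ignored
]

SET_RE = re.compile(r"^EventSet ([\w.-]+) (\d+)")   # pattern, ptype=regexp

@dataclass
class PairRule:
    window: int
    active: dict = field(default_factory=dict)  # desc -> (start, host, port)
    log: list = field(default_factory=list)

    def feed(self, now, line):
        # Expire operations older than the window. SEC does this on its own
        # clock; this simulation only checks when the next event arrives.
        for desc, (start, _, _) in list(self.active.items()):
            if now - start > self.window:
                del self.active[desc]
                self.log.append(("expired", desc))
        m = SET_RE.match(line)
        if m:
            host, port = m.group(1), m.group(2)
            desc = f"general framework for matching {host} {port}"
            if desc not in self.active:        # one operation per host/port pair
                self.active[desc] = (now, host, port)
                self.log.append(("action", desc))
            return
        # pattern2 (ptype2=substr) with $1 $2 filled in from the EventSet match
        for desc, (_, host, port) in list(self.active.items()):
            if f"EventClear {host} {port}" in line:
                del self.active[desc]
                self.log.append(("action2", desc))
                return

def run(events, window=60):
    """Feed events through the rule and return the sequence of fired actions."""
    rule = PairRule(window)
    for ts, line in events:
        rule.feed(ts, line)
    return rule.log
```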