John. I will give that a try and see if $1..$n get set.
Thanks for the quick comeback.

Gary

-----Original Message-----
From: John P. Rouillard [mailto:rou...@cs.umb.edu]
Sent: Friday, October 12, 2012 10:00 AM
To: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] Use Of lcall.

In message <eddf5556138a864f836192f6d101812a110c6...@fmsmsx104.amr.corp.intel.com>,
"Boyles, Gary P" writes:
>Is it possible to set %xx variables as part of a pattern return,
>or $n, or is that also just reserved for "action" statements.

%x variables (for X not an integer) are set with action
statements. %1...%N variables are set to the values of $1, ...$N in a
dual-regexp correlation rule (e.g. pair) so that $1... has the values
matched from the most recent regexp pattern and %1... has the values
matched from the first regexp in the correlation rule.

From my reading of the man page and my recollection, a perlfunc
returning multiple values will have those values assigned to $1, $2
... $N ($0 is assigned to the current event). Then using an action
command you can assign $1 to any %x variable you like.

>For example... this code works, but I'd like to retain the node and class
>name, and send back to SEC for use by other rules. Any idea on how that
>would be accomplished?
>
>This works... but how to retain node and class in $1 and $2, or %node_class
>???
>
>type=Single
>continue=DontCont
>ptype=perlfunc
>pattern=sub { \
> my(@myLine) = (); \
> my($myNode) = "0"; \
> my($myClass)= "0"; \
> @myLine = split(/\s+::\s+/, $_[0]); \
> if (defined($myLine[1])) { $myNode = $myLine[1]; } \
> if (defined($myLine[2])) { $myClass = $myLine[2]; } \
> if ( exists $suppressTbl{$myNode}) \
> { if ($suppressTbl{$myNode} =~ /$myClass|0/i) { return 1; } } \
> return 0; \
> }
>desc=NodeAndClassSuppress::$0
>action=write /sec/log/sec.suppress.log %s

I think you should not return 1, instead use:

   return ($myNode, $myClass)

for success which should be assigned to $1 and $2 respectively. You
would still use "return 0;" for the failure case.

See also: http://simple-evcorr.sourceforge.net/FAQ.html#24

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
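
The change suggested in the reply above, as an added example that is not part of the original thread: a stand-alone Perl script that runs the pattern function with `return ($myNode, $myClass)` and applies the perlfunc match rule from the SEC man page (the function is called in list context; an empty list or a single false value means no match, otherwise the values become $1, $2, ...). The `%suppressTbl` contents, the event lines and the `sec_match` helper are constructed for illustration, and `\Q...\E` is an addition so that class text taken from the event is matched literally rather than compiled as a regular expression.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed table (assumption): node => classes to suppress. The thread
# does not show how %suppressTbl is filled; a value containing "0" matches
# every class, as the "|0" alternative in the original regexp implies.
my %suppressTbl = ('web01' => 'disk,cpu', 'db02' => '0');

# Pattern function from the thread with the suggested change: the success
# path returns the node and class instead of 1.
my $pattern = sub {
    my @myLine  = split(/\s+::\s+/, $_[0]);
    my $myNode  = defined $myLine[1] ? $myLine[1] : "0";
    my $myClass = defined $myLine[2] ? $myLine[2] : "0";
    if (exists $suppressTbl{$myNode}) {
        # \Q...\E (added here): event text is untrusted input, so quote it
        # before it is interpolated into the regexp.
        if ($suppressTbl{$myNode} =~ /\Q$myClass\E|0/i) {
            return ($myNode, $myClass);   # becomes $1 and $2 in SEC
        }
    }
    return 0;   # single false value: no match
};

# Hypothetical stand-in for SEC's perlfunc matching, not SEC's own code.
sub sec_match {
    my ($event) = @_;
    my @ret = $pattern->($event);         # list context, as SEC calls it
    return () if @ret == 0 || (@ret == 1 && !$ret[0]);
    return @ret;
}

# Constructed events in the "text :: node :: class" layout the split implies.
my @events = (
    'ALERT :: web01 :: disk',   # node listed, class listed
    'ALERT :: db02 :: mem',     # node listed with "0" (all classes)
    'ALERT :: web01 :: mem',    # node listed, class not listed
    'ALERT :: app03 :: disk',   # node not in the table
    'ALERT :: web01 :: .*',     # regexp metacharacters in the class field
    'line without separators',
);

for my $event (@events) {
    my @vars = sec_match($event);
    if (@vars) { print "match     \$1=$vars[0] \$2=$vars[1]  <- $event\n"; }
    else       { print "no match  <- $event\n"; }
}
```

In the rule itself, the action list can then copy the values with `assign %node $1; assign %class $2`. Keep `return 0` as the only failure path: a two-element list such as `("0", "0")` would count as a match.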