hi Tom,
as you can see from our responses, there are actually a number of ways
for doing the suppression (with event correlation operations, with
contexts, etc.), and selecting the best option depends on what you
actually want to suppress and how you would like to do it. If you would
like to get advice on a specific scenario, you can post further details.
kind regards,
risto
On 06/18/2013 06:56 PM, John P. Rouillard wrote:
>
> In message
> <ddc33bd98faf2c44a3b1db9c9ad9d2113ab...@icts-s-mbx7.luna.kuleuven.be>,
> Tom De Dobbeleer writes:
>> It comes down to this: I need Sec to process multiple log files separately.
>> Otherwise I cannot use suppress when the same error occurs in multiple log
>> files!
>> Risto wrote that it was possible:
>>
>>> "SEC supports matching events coming from particular sources via
>>> file contexts. File context is a logical identifier for one or several
>>> files which can be used in SEC rules for restricting the scope
>>> of matching. File contexts can be set up with the --intcontexts
>>> command line option.
>>>
>>> If you would like to retrieve the input log file name after a regular
>>> expression match, there is a special match variable $+{_inputsrc}
>>> which is automatically set by SEC, and can be used alongside with $1,
>>> $2 and other regular match variables.
>>>
>>> Also, you are welcome to post your question to the SEC mailing list
>>> where most of the user discussion is taking place. The list is also
>>> most likely to provide you with a quick answer.
>>>
>>> kind regards, risto"
>>
>> Can someone provide a simple example of this?
>>
>> For example: I have two log files (log1, log2) and I want to process them
>> for the same error (error) with suppress. How can I make sure the second
>> error is not suppressed?
>
> From the manpage for sec:
>
> type=Suppress
> ptype=TValue
> pattern=TRUE
> context=[!_FILE_EVENT_/dev/logpipe]
>
> passes only the lines that were read from /dev/logpipe.
>
> with sec started with --input=/dev/logpipe so starting sec with:
>
> sec --intcontext --input file1 --input file2 --conf=myconf
>
> where myconf includes:
>
> type=Suppress
> ptype=regexp
> pattern=ignore this line
> context=[_FILE_EVENT_file1]
>
> type=Single
> ptype=regexp
> pattern=ignore this line
> desc=$0
> action = write - not ignoring $0 in $+{_inputsrc}
>
> will suppress "ignore this line" but only if it is seen in file1. If
> the regexp is seen in file2 (or file ...), it will write
>
> not ignoring ignore this line in file2
>
> (you may need to actually capture something in the regexp for the
> Single command to set $0, $+{_inputsrc} etc. Try it and see).
>
> The []'s around the context argument make the context evaluate before
> the pattern is applied and is a performance tweak since applying the
> pattern usually takes more time than evaluating a context.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
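Added example, not part of the original messages: two ways to suppress repeats of the same error per input file, one with an event correlation operation and one with contexts, as the thread describes. The file names log1 and log2 come from the question; the rule file name, the `error` pattern, the 60-second window and the `SUPPRESS_` context prefix are assumptions chosen for illustration.

```conf
# Constructed example. Assumed start command:
#   sec --intcontexts --input=log1 --input=log2 --conf=per-file.sec

# Variant 1: event correlation operation.
# The desc string is part of the key that identifies a running
# operation, so including the input source in desc gives log1 and log2
# each their own suppression window. The first "error" from log1 is
# reported and repeats from log1 are dropped for 60 seconds; an "error"
# from log2 starts a separate operation and is reported as well.
type=SingleWithSuppress
ptype=RegExp
pattern=error
desc=error seen in $+{_inputsrc}
action=write - %s
window=60

# Variant 2: contexts. Use this INSTEAD of the rule above, not together
# with it (the first matching rule stops processing by default).
# The context expression is not wrapped in [], so it is evaluated after
# the pattern match and $+{_inputsrc} is already substituted. The rule
# fires only while no SUPPRESS_<file> context exists, then creates one
# that expires after 60 seconds.
type=Single
ptype=RegExp
pattern=error
context=!SUPPRESS_$+{_inputsrc}
desc=error seen in $+{_inputsrc}
action=write - %s; create SUPPRESS_$+{_inputsrc} 60
```

With either variant, an `error` line appended to log1 and then to log2 within the window produces two reports, one per file, while a second `error` in the same file within 60 seconds is not reported.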