Gary,
If you eval the match variables $1 - 5 to action list variables %whatever,
they continue to be available to subsequent rules after the current action
list has been executed and can be used in subsequent rules.
This section contains much information on this topic:
http://simple-evcorr.sourceforge.net/man.html#lbAI
Otherwise I would consider adding the patterns to the event store of a
context and using context operations to examine the event store and
generate the appropriate notifications/logging/messaging for your specific
needs.
add <name> [<string>]
    String <string> is appended to the end of the event store of the context
    <name>. The <name> parameter may not contain whitespace, and the <string>
    parameter defaults to %s. If the context <name> does not exist, the
    context is created with an infinite lifetime, empty action list and empty
    event store (as with create <name>) before adding the string to event
    store. If <string> is a multi-line string (i.e., it contains newlines), it
    is split into lines, and each line is appended to the event store
    separately.

getsize %<var> <name>
    Find the number of strings in the event store of context <name>, and
    assign this number to the action list variable %<var>. If the context
    <name> does not exist, %<var> is set to Perl undefined value.

Alternatively, varmap allows you to take pattern matching, caching and
key=value pairs a step or two further for use in complex pattern matching
and correlation operations and may also be of use to you.
http://simple-evcorr.sourceforge.net/man.html#lbAG (RegExp[N] section for
varmap details)
Hope this helps.
Aaron Erickson
[email protected]
Zoot Enterprises, Inc. www.zootweb.com
555 Zoot Enterprises Lane, Bozeman, MT 59718
406.556.7529 fax: 406.587.8414
This email, including any attachments, is confidential and may not be
redistributed without permission. If you are not an intended recipient,
you have received this message in error. Please notify us immediately by
replying to this message, and then deleting it from your computer. Thank
you.
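
An added example, not part of either message and not taken from the SEC project: one way to combine the two suggestions above (an action list variable set in one rule and read in a later one, plus a context event store counted with getsize) for the event format in the question quoted below. The context prefix CRIT_, the variable names %count and %msg, the 24-hour window and writing to standard output are assumptions.

```conf
# Constructed input, in the format of the event from the question:
#   1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have a problem here !!!

# Rule 1: the first CRITICAL for a host/check pair opens a counting window.
# The 86400 s lifetime is an assumption standing in for "today".
# [\w.-]+ keeps whitespace and context-expression operators out of the
# context name, since the fields come from the event itself.
type=Single
ptype=RegExp
pattern=^\d+ :: ([\w.-]+) :: ([\w.-]+) :: CRITICAL :: .*$
context=!CRIT_$1_$2
continue=TakeNext
desc=open counting window for $1 $2
action=create CRIT_$1_$2 86400

# Rule 2: store the raw line ($0) in the context's event store, read back
# the number of stored lines, and build the replacement message in an
# action list variable. continue=TakeNext lets later rules see the event.
type=Single
ptype=RegExp
pattern=^\d+ :: ([\w.-]+) :: ([\w.-]+) :: CRITICAL :: .*$
continue=TakeNext
desc=count CRITICAL for $1 $2
action=add CRIT_$1_$2 $0; getsize %count CRIT_$1_$2; \
       assign %msg I have had this problem %count times today !!!

# Rule 3: a later rule keeps $1..$4 from the original event and uses %msg
# in place of the original message, without a new event being injected.
# It matches the same condition as rule 2, so %msg was set for this event;
# a rule matching other events would read the value left by an earlier one.
type=Single
ptype=RegExp
pattern=^(\d+) :: ([\w.-]+) :: ([\w.-]+) :: (CRITICAL) :: .*$
desc=report $2 $3 with rewritten message
action=write - $1 :: $2 :: $3 :: $4 :: %msg
```
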
From: "Boyles, Gary P" <[email protected]>
To: "[email protected]" <[email protected]>
Date: 06/28/2013 09:26 AM
Subject: [Simple-evcorr-users] Variable Replacement for a specific event.

This is something I run into all the time. I have an incoming event (example
#1 below) where I want to change the
message (or other variable) depending on how a rule executes.
The only method I'm familiar with in SEC is to halt the current event
(continue=DontCont), and send out a new
event with the message altered in the action.
My question: is there a way to change a variable in one rule, and have
all subsequent rules use the modified variable?

$1 $2 $3 $4 $5
1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have a problem here !!!

I'd like to keep everything but the message ($5), but not have to send in
another event. Is this possible?

1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have had this problem 10 times today !!!

Thanks.
Gary Boyles
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users