Thank you Aaron. I will take a look and see how to apply it to my situation.
From: [email protected] [mailto:[email protected]]
Sent: Friday, June 28, 2013 9:57 AM
To: Boyles, Gary P
Cc: [email protected]
Subject: Re: [Simple-evcorr-users] Variable Replacement for a specific event.
Gary,
If you eval the match variables $1 - 5 to action list variables %whatever, they
continue to be available to subsequent rules after the current action list has
been executed and can be used in subsequent rules.
This section contains much information on this topic:
http://simple-evcorr.sourceforge.net/man.html#lbAI
Otherwise I would consider adding the patterns to the event store of a context
and using context operations to examine the event store and generate the
appropriate notifications/logging/messaging for your specific needs.
add <name> [<string>]
String <string> is appended to the end of the event store of the context
<name>. The <name> parameter may not contain whitespace, and the <string>
parameter defaults to %s. If the context <name> does not exist, the context is
created with an infinite lifetime, empty action list and empty event store (as
with create <name>) before adding the string to event store. If <string> is a
multi-line string (i.e., it contains newlines), it is split into lines, and
each line is appended to the event store separately.
getsize %<var> <name>
Find the number of strings in the event store of context <name>, and assign
this number to the action list variable %<var>. If the context <name> does not
exist, %<var> is set to Perl undefined value.
Alternatively, varmap allows you to take pattern matching, caching and
key=value pairs a step or two further for use in complex pattern matching and
correlation operations and may also be of use to you.
http://simple-evcorr.sourceforge.net/man.html#lbAG (RegExp[N] section for
varmap details)
Hope this helps.
Aaron Erickson
[email protected]
Zoot Enterprises, Inc. www.zootweb.com
555 Zoot Enterprises Lane, Bozeman, MT 59718
406.556.7529 fax: 406.587.8414
From: "Boyles, Gary P" <[email protected]>
To: "[email protected]" <[email protected]>
Date: 06/28/2013 09:26 AM
Subject: [Simple-evcorr-users] Variable Replacement for a specific event.
________________________________
This is something I run into all the time. I have an incoming event (example #1
below) where I want to change the message (or other variable) depending on how
a rule executes.
The only method I'm familiar with in SEC is to halt the current event
(continue=DontCont) and send out a new event with the message altered in the
action.
My question: is there a way to change a variable in one rule, and have all
subsequent rules use the modified variable?
$1            $2           $3         $4          $5
1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have a problem here !!!
I'd like to keep everything but the message ($5), but not have to send in
another event. Is this possible?
1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have had this problem 10 times today !!!
Thanks.
Gary Boyles
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
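The approach suggested in the reply above (count occurrences in a context's event store with add and getsize, keep the rewritten message in an action list variable, and let a later rule use it without injecting a new event), as an added SEC rule file that is not from the thread or the SEC project. The context name COUNT_<host>_<check>, the variables %count and %msg, and the 86400-second lifetime standing in for "today" are assumptions.

```conf
# Added example; context names, %count, %msg and the 86400 s lifetime
# are assumptions. Constructed input line:
# 1372432672 :: gpbux0001 :: mon_sql :: CRITICAL :: I have a problem here !!!

# Rule 1: the first CRITICAL event for a host/check pair opens a counter
# context that expires after 24 hours. The context test keeps later events
# from re-creating the context, which would empty its event store.
type=Single
continue=TakeNext
ptype=RegExp
pattern=^\d+ :: (\S+) :: (\S+) :: CRITICAL :: .+
context=!COUNT_$1_$2
desc=open counter for $1 $2
action=create COUNT_$1_$2 86400

# Rule 2: append the raw line ($0) to the event store, read back the number
# of stored lines, and build the replacement message in %msg.
type=Single
continue=TakeNext
ptype=RegExp
pattern=^\d+ :: (\S+) :: (\S+) :: CRITICAL :: .+
desc=count event for $1 $2
action=add COUNT_$1_$2 $0; getsize %count COUNT_$1_$2; \
       assign %msg I have had this problem %count times today !!!

# Rule 3: a subsequent rule keeps fields $1-$4 from the original event and
# substitutes %msg for the original message text.
type=Single
ptype=RegExp
pattern=^(\d+) :: (\S+) :: (\S+) :: (CRITICAL) :: .+
desc=report $2 $3
action=write - $1 :: $2 :: $3 :: $4 :: %msg
```

Action list variables are shared by all rules, so %msg always holds the value set for the most recently counted event; rule 3 reads it in the same pass as rule 2 because both earlier rules use continue=TakeNext.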