Hi all:

It looks like I have a reason to use the rewrite rule to normalize
some data. From reading the man page, I think this should work:

  type=single
  ptype=regexp
  pattern= ^([^[]*): (\[[0-9]+\]:.*)$
  desc = normalize 'process: [pid]:' into 'process[pid]:'
  action = rewrite 1 $1$2
  continue=takenext

  type = single
  desc = this rule should see the normalized event in the rewritten buffer
  ...

Is this correct?

From this it looks like:

 I must have continue set to TakeNext/GoTo, otherwise the handling of the
    event ends and the new event is pushed on the front of the buffer.

If so, that is a useful thing to mention in the description of the
rewrite action, since it allows the action to take effect in the same
processing cycle, unlike the event action, where the new event is
processed on the next cycle through the loop.

Also I assume that the following rules in the processing loop will see
the rewritten event in the updated buffer. Is that correct? Or is
rewrite only useful for rewriting the event buffer for future
multi-line correlation rules?

It seems this was described on the mailing list during the development
of the action, but my Google-fu isn't being helpful here.

Thanks.
--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
