Here is my simple test config:
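#-----------------------------------------#
# Rule 1: write a message when 5 "error" lines arrive within 30 seconds
type=SingleWithThreshold
ptype=RegExp
pattern=error
desc=Error Catcher
action=write - Got 5 in 30
window=30
thresh=5

# Rule 2: on a "reset" line, run the reset action against rule 1's operation
type=Single
ptype=RegExp
pattern=reset
desc=Reset Error Catcher
action=reset "Error Catcher"
#-----------------------------------------#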
I try to run it like this:
damir@damirda:~/projects/sec$ ./sec-2.7.4/sec -conf=reset.conf -input=-
SEC (Simple Event Correlator) 2.7.4
Reading configuration from reset.conf
2 rules loaded from reset.conf
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level
error #(every second one "error")
error
error
error
error
Writing event 'Got 5 in 30' to file -
Got 5 in 30
reset
Terminating all event correlation operations started from reset.conf with
operation description string '"Error Catcher"'
error
error
error
error
error
error
error
error
...
As I understand it, after reset, it should report again after just 5
errors, but it does not.
On Mon, Sep 23, 2013 at 12:21 PM, Mark D. Nagel <[email protected]> wrote:
> On 9/23/2013 12:35 AM, Damir Markovic wrote:
> > For the past few days, I am trying to figure out how to do the
> > following thing:
> > I have SingleWithThreshold rule that sends message if I receive
> > particular error 5 times in 60 minutes. After that, errors are ignored
> > for the rest of the time. I would like to reset that if some other
> > action happens.
> >
> > For example, someone runs script to fix the issue and I want the rule
> > to be active again, counting 5 errors and notifying about them.
> >
> > Is this even possible?
> >
>
> Yes, see the 'reset' action:
>
> reset [<offset>] [<string>]
>     Terminate event correlation operation(s) with the operation
>     description string <string>. Note that the reset action works only
>     for operations started from the same configuration file. The
>     <offset> parameter is used to refer to a specific rule in the
>     configuration file. If <offset> is given, the operation started by
>     the given rule is terminated (if it exists). If <offset> is an
>     unsigned integer N, it refers to the N-th rule in the configuration
>     file. If <offset> is 0, it refers to the current rule. If <offset>
>     begins with the plus (+) or minus (-) sign, it specifies an offset
>     from the current rule (e.g., -1 denotes the previous and +1 the
>     next rule). If <offset> is not given, SEC checks for each rule from
>     the current configuration file if an operation with <string> has
>     been started by this rule, and the operation is terminated if it
>     exists. Default value for <string> is %s. For additional
>     information, see EVENT CORRELATION OPERATIONS section.
>
> So, if your SingleWithThreshold desc parameter is 'Saw 5 events in the
> last 60 minutes' (contrived), then 'action=reset "Saw 5 events in the
> last 60 minutes"' should do the trick.
>
> Regards,
> Mark
>
> --
> Mark D. Nagel, CCIE #3177 <[email protected]>
> Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
> cell: 949-279-5817, desk: 714-495-4001, fax: 714-646-8277
>
> ** For faster support response time, please
> ** email [email protected] or call 714-495-4000
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
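
Added example, not part of the original message and not SEC's own code: a simplified Python model of the two rules in reset.conf, replaying the input from the session above. The SEC output in that session shows the reset looking for the string '"Error Catcher"' with the double quotes included, while rule 1's description string is Error Catcher. The model assumes the reset string is compared exactly, leaves out window sliding, and uses the hypothetical names Correlator and replay.

```python
# Simplified model of SingleWithThreshold plus reset (assumption: the
# operation description string is compared exactly; window sliding omitted).

class Correlator:
    def __init__(self, desc, thresh, window, reset_arg):
        self.desc, self.thresh, self.window = desc, thresh, window
        self.reset_arg = reset_arg  # text after "reset" in the action, taken literally
        self.ops = {}               # description string -> [start_time, count]
        self.alerts = []            # times at which the threshold action fired

    def feed(self, t, line):
        # Drop the operation once its window has passed.
        op = self.ops.get(self.desc)
        if op and t >= op[0] + self.window:
            del self.ops[self.desc]
        if "error" in line:         # rule 1: pattern=error
            op = self.ops.setdefault(self.desc, [t, 0])
            op[1] += 1
            if op[1] == self.thresh:
                self.alerts.append(t)   # fires once; later matches are consumed
        elif "reset" in line:       # rule 2: pattern=reset
            # Only an operation whose description equals reset_arg is removed.
            self.ops.pop(self.reset_arg, None)


def replay(reset_arg):
    """Replay the session: 5 errors, one reset, 8 errors, one line per second."""
    c = Correlator("Error Catcher", thresh=5, window=30, reset_arg=reset_arg)
    lines = ["error"] * 5 + ["reset"] + ["error"] * 8   # constructed input
    for t, line in enumerate(lines):
        c.feed(t, line)
    return c.alerts


if __name__ == "__main__":
    # As written in reset.conf: the quotes are part of the string, nothing is
    # terminated, and the errors after the reset are swallowed by the window.
    print(replay('"Error Catcher"'))
    # Without the quotes the operation is terminated and counting starts over.
    print(replay('Error Catcher'))
```

In the model, the quoted form leaves a single alert for the whole window, while the unquoted form produces a second alert five errors after the reset.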