Ah, yes, it works that way.
Thank you.
Great work, btw! :-)
On Mon, Sep 23, 2013 at 10:11 PM, Risto Vaarandi
<[email protected]>wrote:
> hi Damir,
> if you remove double quotes around Error Catcher, 'reset' action will work
> properly. This parameter does not need quoting, and any extra symbols are
> regarded as a part of the parameter.
> kind regards,
> risto
>
>
> 2013/9/23 Damir Markovic <[email protected]>
>
>> Here is my simple test config:
>> #-----------------------------------------#
>> type=SingleWithThreshold
>> ptype=RegExp
>> pattern=error
>> desc=Error Catcher
>> action=write - Got 5 in 30
>> window=30
>> thresh=5
>>
>> type=Single
>> ptype=RegExp
>> pattern=reset
>> desc=Reset Error Catcher
>> action=reset "Error Catcher"
>> #-----------------------------------------#
>> I try to run it as this:
>> damir@damirda:~/projects/sec$ ./sec-2.7.4/sec -conf=reset.conf -input=-
>> SEC (Simple Event Correlator) 2.7.4
>> Reading configuration from reset.conf
>> 2 rules loaded from reset.conf
>> Opening input file -
>> Interactive process, SIGINT can't be used for changing the logging level
>> error #(every second one "error")
>> error
>> error
>> error
>> error
>> Writing event 'Got 5 in 30' to file -
>> Got 5 in 30
>> reset
>> Terminating all event correlation operations started from reset.conf with
>> operation description string '"Error Catcher"'
>> error
>> error
>> error
>> error
>> error
>> error
>> error
>> error
>> ...
>>
>> As I understand it, after reset, it should report again after just 5
>> errors, but it is not.
>>
>>
>>
>>
>> On Mon, Sep 23, 2013 at 12:21 PM, Mark D. Nagel
>> <[email protected]>wrote:
>>
>>> On 9/23/2013 12:35 AM, Damir Markovic wrote:
>>> > For the past few days, I am trying to figure out how to do the
>>> > following thing:
>>> > I have SingleWithThreshold rule that sends message if I receive
>>> > particular error 5 times in 60 minutes. After that, errors are ignored
>>> > for the rest of the time. I would like to reset that if some other
>>> > action happens.
>>> >
>>> > For example, someone runs script to fix the issue and I want the rule
>>> > to be active again, counting 5 errors and notifying about them.
>>> >
>>> > Is this even possible?
>>> >
>>>
>>> Yes, see the 'reset' action:
>>>
>>> reset [<offset>] [<string>]
>>> Terminate event correlation operation(s) with the
>>> operation description string <string>. Note that the reset action works
>>> only for operations started from the same configura-
>>> tion file. The <offset> parameter is used to refer to a
>>> specific rule in the configuration file. If <offset> is given, the
>>> operation started by the given rule is terminated
>>> (if it exists). If <offset> is an unsigned integer N, it
>>> refers to the N-th rule in the configuration file. If <offset> is 0, it
>>> refers to the current rule. If <offset>
>>> begins with the plus (+) or minus (-) sign, it specifies
>>> an offset from the current rule (e.g., -1 denotes the previous and +1
>>> the next rule). If <offset> is not given, SEC
>>> checks for each rule from the current configuration file
>>> if an operation with <string> has been started by this rule, and the
>>> operation is terminated if it exists. Default
>>> value for <string> is %s. For additional information, see
>>> EVENT CORRELATION OPERATIONS section.
>>>
>>> So, if your SingleWithThreshold desc parameter is 'Saw 5 events in the
>>> last 60 minutes' (contrived), then 'action=reset "Saw 5 events in the
>>> last 60 minutes"' should do the trick.
>>>
>>> Regards,
>>> Mark
>>>
>>> --
>>> Mark D. Nagel, CCIE #3177 <[email protected]>
>>> Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
>>> cell: 949-279-5817, desk: 714-495-4001, fax: 714-646-8277
>>>
>>> ** For faster support response time, please
>>> ** email [email protected] or call 714-495-4000
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
>>> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8,
>>> SharePoint
>>> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack
>>> includes
>>> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
>>>
>>> http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>
>>
>>
>> ------------------------------------------------------------------------------
>> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
>> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8,
>> SharePoint
>> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack
>> includes
>> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
>>
>> http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
