hi Pedro,
may I ask one question -- are you actually interested in detecting a
flapping sensor that changes between "up" and "down" in quick succession?
For example, would you like to react if the sensor has changed its status
from up to down 3 times during the last 10 minutes?
If so, sec can provide a much better solution for this issue than the rules
we described yesterday.
kind regards,
risto


2013/10/8 Pedro Serotto <[email protected]>

> Hi Risto,
> many thanks for your response.
> The reason for this request depends on the management of a sensor that
> turns on and off.
>
> I find that on the last version (2.7.4) there is "if %<var>" action, so
> I develop a conf on this. Here it is:
>
> type=Single
> ptype=RegExp
> pattern=DOWN
> desc=$0
> action=delete MY_CONTEXT
>
> type=Single
> ptype=RegExp
> pattern=UP
> desc=$0
> action= add MY_CONTEXT $0; \
>         report MY_CONTEXT; \
>         getsize %M MY_CONTEXT; \
>         eval %N (%M == 3)
>
> type=Single
> ptype=RegExp
> pattern=STAT
> context=MY_CONTEXT
> desc=$0
> action= if %N (write - MY_CONTEXT 3 EVENTS)
>
>
> What do you think about? I hope this could be useful for someone else.
>
>
> BR.
>
>
> Pedro
>
>   ------------------------------
> *From:* Risto Vaarandi <[email protected]>
> *To:* Pedro Serotto <[email protected]>
> *CC:* "[email protected]" <[email protected]>
> *Sent:* Monday, October 7, 2013 22:59
> *Subject:* Re: [Simple-evcorr-users] Realy Realy newbie question
>
> hi Pedro,
> you have asked a good question since all builtin counters of sec counting
> rules get incremented on matching events. For implementing custom counters
> that can both increase and decrease when different events are observed, it
> is probably best to use perl code snippets in sec rules. Also, quite often
> event counting makes sense within a certain time window (e.g. 60 seconds, 1
> day, etc). The two rules below use a perl array for memorizing the
> occurrence times of events, so that the counting and thresholding is done
> for events of the last 60 seconds:
>
> type=single
> ptype=substr
> pattern=event1
> context= -> ( sub { my($t) = time(); push @times, $t; \
>                     while ($times[0] < $t - 60) { shift @times; } \
>                     return scalar(@times) >= 3; } )
> desc=three or more instances of event1 observed
> action=write - %s
>
> type=single
> ptype=substr
> pattern=event2
> desc=event2 observed
> action=lcall %o -> ( sub { shift @times; } )
>
> Note that since the counting happens within a window of 60 seconds,
> occurrence times of old events need to be dropped when becoming stale (this
> is done with the context expression of the first rule).
>
> However, the above ruleset is producing repeated alerts after the
> threshold of 3 has been crossed. In order to avoid this, the rules could be
> elaborated further, creating the context ALERTED that suppresses repeated
> alerts for 2 minutes:
>
> type=single
> ptype=substr
> pattern=event1
> context=!ALERTED && -> ( sub { my($t) = time(); push @times, $t; \
>                          while ($times[0] < $t - 60) { shift @times; } \
>                          return scalar(@times) == 3; } )
> desc=three instances of event1 observed
> action=write - %s; create ALERTED 120; lcall %o -> ( sub { @times = (); } )
>
> type=single
> ptype=substr
> pattern=event2
> context=!ALERTED
> desc=event2 observed
> action=lcall %o -> ( sub { shift @times; } )
>
> Hopefully these examples are helpful.
>
> kind regards,
> risto
>
>
> 2013/10/7 Pedro Serotto <[email protected]>
>
> Hi all,
> I think it's easy (I hope) but I don't understand how I can do it.
>
> How can I configure sec to do this kind of job:
>
> #!/usr/bin/perl
>
> my $counter=0;
> while (<>) {
> chomp;
> if ($_ eq "foo"){$counter=$counter+1;}
> if ($_ eq "bar"){$counter=$counter-1;}
> if ($counter >= 3) {print "send e-mail \n";}
> }
>
> Tnx a lot
>
> Pedro
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
>
>
>
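The second pair of rules quoted above (60-second window, threshold of 3, ALERTED suppressing alerts for 120 seconds), replayed as a standalone Perl script over constructed events. This is an added example, not part of the original thread or of sec itself; replay() and the sample timestamps are hypothetical, and the ALERTED context is modelled as a plain expiry time.

```perl
#!/usr/bin/perl
# Added illustration: same counting logic as the quoted rules, outside sec.
use strict;
use warnings;

# replay(\@events, $window, $threshold, $suppress) -> list of alert times.
# Each event is [epoch_seconds, name]; names follow the rules in the thread.
sub replay {
    my ($events, $window, $threshold, $suppress) = @_;
    my @times;               # occurrence times of counted event1 instances
    my $alerted_until = 0;   # stands in for the lifetime of context ALERTED
    my @alerts;

    for my $ev (@$events) {
        my ($t, $name) = @$ev;
        # Both rules test !ALERTED first, so nothing is counted or removed
        # while the suppression context exists.
        next if $t < $alerted_until;

        if ($name eq 'event1') {
            push @times, $t;
            # Drop stale entries; $t itself was just pushed, so the array
            # never becomes empty inside this loop.
            shift @times while $times[0] < $t - $window;
            if (@times == $threshold) {
                push @alerts, $t;
                $alerted_until = $t + $suppress;   # create ALERTED 120
                @times = ();                       # start counting afresh
            }
        }
        elsif ($name eq 'event2') {
            shift @times;    # decrement: forget the oldest counted event1
        }
    }
    return @alerts;
}

# Constructed sample input (seconds relative to an arbitrary start).
my @events = (
    [  0, 'event1'], [ 10, 'event1'], [ 20, 'event2'],  # event2 removes t=0
    [ 30, 'event1'], [ 40, 'event1'],                   # third counted event1
    [ 50, 'event1'], [ 60, 'event1'], [ 70, 'event1'],  # inside suppression
    [170, 'event1'], [240, 'event1'], [250, 'event1'],  # t=170 goes stale
    [260, 'event1'],                                    # third within 60 s
);

my @alerts = replay(\@events, 60, 3, 120);
print "alerts at: @alerts\n";
```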