On 10/08/2013 05:58 PM, Pedro Serotto wrote:
> This solves my problem:
>
> type=Single
> ptype=RegExp
> pattern=DOWN
> continue=TakeNext
> desc=$0
> action= pop MY_CONTEXT %D; \
>      getsize %M MY_CONTEXT; \
>      eval %N (%M >= 3);
>
> type=Single
> ptype=RegExp
> pattern=UP
> continue=TakeNext
> desc=$0
> action= add MY_CONTEXT $0; \
>      getsize %M MY_CONTEXT; \
>      eval %N (%M >= 3);
>
> type=Single
> ptype=RegExp
> pattern=UP|DOWN
> context=MY_CONTEXT
> desc=$0
> action= if %N (write - Alarm ACTIVATED) \
>      else (write - Alarm DEACTIVATED)
>

If you are interested in increasing and decreasing the counter without
having a time window involved, the idea of using 'add', 'pop' and
'getsize' is a nice way for addressing this problem. I would invoke

    getsize %M MY_CONTEXT; eval %N (%M >= 3);

in the third rule, though, and leave it out from other rules, since if
you would need to adjust the threshold, it can be done in one place only.
Also, 'eval' will compile the code before each execution which might
become costly under very heavy event load, and if you want to optimize
the rules for performance, use 'lcall' instead.

kind regards,
risto

>
>
> BR.
>
>
> Pedro
> ------------------------------------------------------------------------
> *From:* Pedro Serotto <[email protected]>
> *To:* Risto Vaarandi <[email protected]>
> *CC:* "[email protected]"
> <[email protected]>
> *Sent:* Tuesday, October 8, 2013 11:20
> *Subject:* Re: [Simple-evcorr-users] Realy Realy newbie question
>
> Hi Risto,
> many thanks for your response.
> The reason for this request depends on the management of a sensor
> that turns on and off.
>
> I find that on the last version (2.7.4) there is the "if %<var>" action,
> so I developed a conf on this. Here it is:
>
> type=Single
> ptype=RegExp
> pattern=DOWN
> desc=$0
> action=delete MY_CONTEXT
>
> type=Single
> ptype=RegExp
> pattern=UP
> desc=$0
> action= add MY_CONTEXT $0; \
>          report MY_CONTEXT; \
>          getsize %M MY_CONTEXT; \
>          eval %N (%M == 3)
>
> type=Single
> ptype=RegExp
> pattern=STAT
> context=MY_CONTEXT
> desc=$0
> action= if %N (write - MY_CONTEXT 3 EVENTS)
>
>
> What do you think about it? I hope this could be useful for someone else.
>
>
> BR.
>
>
> Pedro
>
> ------------------------------------------------------------------------
> *From:* Risto Vaarandi <[email protected]>
> *To:* Pedro Serotto <[email protected]>
> *CC:* "[email protected]"
> <[email protected]>
> *Sent:* Monday, October 7, 2013 22:59
> *Subject:* Re: [Simple-evcorr-users] Realy Realy newbie question
>
> hi Pedro,
> you have asked a good question since all builtin counters of sec
> counting rules get incremented on matching events. For implementing
> custom counters that can both increase and decrease when different
> events are observed, it is probably best to use perl code snippets in
> sec rules. Also, quite often event counting makes sense within a certain
> time window (e.g. 60 seconds, 1 day, etc). The two rules below use a
> perl array for memorizing the occurrence times of events, so that the
> counting and thresholding is done for events of the last 60 seconds:
>
> type=single
> ptype=substr
> pattern=event1
> context= -> ( sub { my($t) = time(); push @times, $t; \
>                      while ($times[0] < $t - 60) { shift @times; } \
>                      return scalar(@times) >= 3; } )
> desc=three or more instances of event1 observed
> action=write - %s
>
> type=single
> ptype=substr
> pattern=event2
> desc=event2 observed
> action=lcall %o -> ( sub { shift @times; } )
>
> Note that since the counting happens within a window of 60 seconds,
> occurrence times of old events need to be dropped when becoming stale
> (this is done with the context expression of the first rule).
>
> However, the above ruleset is producing repeated alerts after the
> threshold of 3 has been crossed. In order to avoid this, the rules could
> be elaborated further, creating the context ALERTED that suppresses
> repeated alerts for 2 minutes:
>
> type=single
> ptype=substr
> pattern=event1
> context=!ALERTED && -> ( sub { my($t) = time(); push @times, $t; \
>                           while ($times[0] < $t - 60) { shift @times; } \
>                           return scalar(@times) == 3; } )
> desc=three instances of event1 observed
> action=write - %s; create ALERTED 120; lcall %o -> ( sub { @times = (); } )
>
> type=single
> ptype=substr
> pattern=event2
> context=!ALERTED
> desc=event2 observed
> action=lcall %o -> ( sub { shift @times; } )
>
> Hopefully these examples are helpful.
>
> kind regards,
> risto
>
>
> 2013/10/7 Pedro Serotto <[email protected]
> <mailto:[email protected]>>
>
>     Hi all,
>     I think it's easy (I hope) but I don't understand how I can do it.
>
>     How can I configure sec to do this kind of job:
>
>     #!/usr/bin/perl
>
>     my $counter=0;
>     while (<>) {
>     chomp;
>     if ($_ eq "foo"){$counter=$counter+1;}
>     if ($_ eq "bar"){$counter=$counter-1;}
>     if ($counter >= 3) {print "send e-mail \n";}
>     }
>
>     Tnx a lot
>
>     Pedro
>
>     
> ------------------------------------------------------------------------------
>     October Webinars: Code for Performance
>     Free Intel webinars can help you accelerate application performance.
>     Explore tips for MPI, OpenMP, advanced profiling, and more. Get the
>     most from
>     the latest Intel processors and coprocessors. See abstracts and
>     register >
>     
> http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk
>     _______________________________________________
>     Simple-evcorr-users mailing list
>     [email protected]
>     <mailto:[email protected]>
>     https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
>
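
The two suggestions at the top of this message (threshold check only in the third rule, 'lcall' in place of 'eval'), applied to the quoted 'add'/'pop' ruleset. This is an added example, not rules posted by anyone in the thread; the rule comments and the "? 1 : 0" form of the comparison are choices made for the example.

```conf
# Added example, not from the thread: the add/pop/getsize ruleset with the
# threshold check kept in one place and 'eval' replaced by 'lcall'.

# DOWN: remove one stored event; no thresholding here.
type=Single
ptype=RegExp
pattern=DOWN
continue=TakeNext
desc=$0
action=pop MY_CONTEXT %D

# UP: store the event (the context is created on the first 'add').
type=Single
ptype=RegExp
pattern=UP
continue=TakeNext
desc=$0
action=add MY_CONTEXT $0

# The only rule that knows the threshold. The 'lcall' function is compiled
# once when the rules are loaded, not on every matching event.
type=Single
ptype=RegExp
pattern=UP|DOWN
context=MY_CONTEXT
desc=$0
action=getsize %M MY_CONTEXT; \
       lcall %N %M -> ( sub { $_[0] >= 3 ? 1 : 0 } ); \
       if %N ( write - Alarm ACTIVATED ) \
       else ( write - Alarm DEACTIVATED )
```

Changing the alarm level now means editing the single "3" in the last rule.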

