On 11/08/2013 02:43 AM, Ganji, Shashirekha Yadav wrote: > Risto, > > Had a related question to swatch. > > What is the replacement for $& and $* of swatch in SEC
I am not a regular user of swatch and have never used those variables myself. From the examples in the internet it seems that both $* and $0 hold the entire matching input line. Similarly, SEC supports the $0 variable which holds the whole matching line. I am not fully sure what $& does, but in the case of Perl it corresponds to the entire string that the regular expression matched. (Obviously, it is *not* the same as the entire matching line.) There is no specific variable in SEC for this purpose, but you can easily set $1 accordingly by just enclosing your original expression inside parens: (your_regexp). Since the first opening parenthesis defines the content of $1, everything that your_regexp matches will be assigned to $1. BR, risto > > Thanks, > shashi > > -----Original Message----- > From: Risto Vaarandi [mailto:[email protected]] > Sent: Thursday, November 07, 2013 6:08 AM > To: GrillMaster > Cc: Simple-evcorr-users > Subject: Re: [Simple-evcorr-users] Monitoring a log for a string and > executing a command > > On 11/07/2013 03:15 PM, GrillMaster wrote: >> Hey Risto, >> Thank you for your reply. Everything worked as intended and you did a >> thorough job of explaining it. >> >> I have one more question. Is there an "or" function for patterns? I >> tried "||", but it didn't seem to work correctly. > > hi, > > if you are using regular expression patterns (ptype=RegExp), just one pattern > can be specified at a time. However, sec also supports the PerlFunc pattern > which allows to define any perl function for matching, and you can easily > define logical OR in the function body. > > Lets assume for the sake of example that you would like to match either the > line > > interface 10.1.1.1 down on server myserv > > or the line > > host myserv2: linkdown trap for interface 10.2.2.1 > > and in both cases you are interested in extracting both the host name and the > interface IP. Since the lines are fairly different, they are hard to match > with one regexp. Furthermore, the host name and interface IP appear in > different order, which makes it hard to achieve the same numbering for the > match variables. > > The PerlFunc pattern helps to address these issues: > > type=Single > ptype=PerlFunc > pattern=sub { \ > if ($_[0] =~ /interface ([\d.]+) down on server (\w+)/) \ > { return ($2, $1); } \ > if ($_[0] =~ /host (\w+): linkdown trap for interface ([\d.]+)/) \ > { return ($1, $2); } \ > return 0; } > desc=host $1 interface $2 down > action=write - %s > > In the above rule, the value for the 'pattern' keyword is no longer a regexp > but an anonymous Perl function definition given with the sub { ... } > statement. The function gets the input line as its first parameter which can > be referenced with the perl $_[0] variable. > > Inside the function, first the regular expression > > interface ([\d.]+) down on server (\w+) > > is tried and in the case of a match, the list (hostname, interfaceIP) is > returned. Note that this expression sets $2 to hostname and $1 to interface > IP, therefore we have to call 'return ($2, $1)' > > If the first expression does not match, the second regular expression is > tried. In the case of the match we again return (hostname, interfaceIP) > tuple, but this time with 'return ($1, $2)', since now hostname maps to > $1 and interface to $2. > If neither of the expression matches, we call 'return 0' to indicate there > was no match. > > After the function has been executed, sec checks the function return > value(s), and maps the value(s) to match variables $1, $2, ..., in the order > the values were returned from the function. Therefore, hostname maps to $1 > outside the function, and interface IP maps to $2. > > PerlFunc patterns can be used for much more complex matching tasks, and for > longer functions it is often better to factor the function body into a > separate Perl module which is loaded at sec startup. An example of this > scenario is provided in the official docs: > http://simple-evcorr.sourceforge.net/man.html#lbBA > > hope this helps, > risto > > >> >> Best Regards, >> grillmaster >> >> >> >> -----Original Message----- >> From: Risto Vaarandi [mailto:[email protected]] >> Sent: Thursday, November 07, 2013 4:18 AM >> To: [email protected] >> Subject: Re: [Simple-evcorr-users] Monitoring a log for a string and >> executing a command >> >> hi, >> you have asked a very interesting question. >> >> Swatch supports three different event counting modes which can be set >> with the 'type' parameter: >> >> limit -- react to the first N events with an action and ignore the >> following ones (e.g., if N is 3, react to 1st, 2nd and 3rd event) >> >> threshold -- react to each Nth event with an action (e.g., if N is 3, >> react to 3rd, 6th, 9th, ... event) >> >> both -- react to Nth event with an action (e.g., if N is 3, react to >> the 3rd event only) >> >> The value of N is set with the Swatch 'count' parameter, while the >> size of the counting window is set with the 'seconds' parameter. >> >> >> The 'both' counting mode is easiest to implement with SEC, since it >> naturally maps to the SingleWithThreshold rule. For example, if we >> would like to count the event 'lets try' with a threshold of 3 in the >> window of 60 seconds, the rule would look like this: >> >> type=SingleWithThreshold >> ptype=Regexp >> pattern=lets try >> desc=three 'lets try' events in 1m >> action=write - %s >> thresh=3 >> window=60 >> >> In order to mimic the 'threshold' counting mode, you need to tell sec >> to reset the counting operation after reaching the threshold. For >> achieving this, change the 'action' parameter of the previous rule to the >> following: >> >> action=write - %s; reset 0 >> >> In your example, you are doing the counting in the 'limit' mode, which >> requires the execution of an action at first N instances of a given >> event. Since SingleWithThreshold rule does not support this >> functionality, we can take advantage of the EventGroup rule which is a >> generalization of SingleWithThreshold. The example below is a sec >> implementation of your first swatch rule: >> >> type=EventGroup >> ptype=RegExp >> pattern=test >> context=!SUPPRESS >> count=shellcmd screen -S s1 -p 0 -X stuff "Different text injected >> into the same screen session"`echo -ne '\015'` desc=Counting test >> events action=create SUPPRESS >> thresh=1 >> window=60 >> end=delete SUPPRESS >> >> Note that in order to suppress events which follow the first N >> instances, we are using the SUPPRESS context which is created after >> Nth instance has been observed. >> >> Also, the swatch 'count' and 'seconds' parameter map to sec 'thresh' >> and 'window' parameters, respectively. >> >> Please also note one important aspect -- swatch allows to define the >> scope of the counting with the 'track_by' keyword (your example did >> not include this functionality, though). >> In sec, setting the scope can be done with the 'desc' parameter which >> works exactly like 'track_by'. Also, the current value of the 'desc' >> parameter can be retrieved from the %s special variable. >> >> I hope the above examples were able to shed some light into how you >> could convert swatch rules to sec. >> >> kind regards, >> risto >> >> On 11/07/2013 09:56 AM, GrillMaster wrote: >>> Hi, >>> >>> I'm a little confused on how I set up rules to monitor a log file for >>> various strings and execute a different command for each string. I >>> am basically trying to convert a swatch config into sec. Here is an >>> example of the swatch file: >>> >>> watchfor /test/ >>> >>> exec "screen -S s1 -p 0 -X stuff "Text injected into a >>> screen session"`echo -ne '\015'`" >>> >>> threshold type=limit,count=1,seconds=3 >>> >>> watchfor /test2/ >>> >>> exec "screen -S s1 -p 0 -X stuff "Different text injected >>> into the same screen session"`echo -ne '\015'`" >>> >>> threshold type=limit,count=1,seconds=3 >>> >>> watchfor /test3/ >>> >>> exec "screen -S s1 -p 0 -X stuff "Unique text injected into >>> the same screen session"`echo -ne '\015'`" >>> >>> threshold type=limit,count=1,seconds=3 >>> >>> -grillmaster >>> >>> >>> >>> >> ---------------------------------------------------------------------- >> ------ >> -- >>> November Webinars for C, C++, Fortran Developers Accelerate >>> application performance with scalable programming models. >> Explore >>> techniques for threading, error checking, porting, and tuning. Get >>> the >> most >>> from the latest Intel processors and coprocessors. See abstracts and >> register >>> >> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.c >> lktrk >>> >>> >>> >>> _______________________________________________ >>> Simple-evcorr-users mailing list >>> [email protected] >>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users >>> >> >> >> ---------------------------------------------------------------------- >> ------ >> -- >> November Webinars for C, C++, Fortran Developers Accelerate >> application performance with scalable programming models. Explore >> techniques for threading, error checking, porting, and tuning. Get the >> most from the latest Intel processors and coprocessors. See abstracts >> and register >> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.c >> lktrk _______________________________________________ >> Simple-evcorr-users mailing list >> [email protected] >> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users >> >> >> > > > ------------------------------------------------------------------------------ > November Webinars for C, C++, Fortran Developers Accelerate application > performance with scalable programming models. Explore techniques for > threading, error checking, porting, and tuning. Get the most from the latest > Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk > _______________________________________________ > Simple-evcorr-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > ------------------------------------------------------------------------------ November Webinars for C, C++, Fortran Developers Accelerate application performance with scalable programming models. Explore techniques for threading, error checking, porting, and tuning. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk _______________________________________________ Simple-evcorr-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
