hi,
the problem you have can indeed be addressed with the PairWithWindow rule.
In order to propose a solution, we have to know how to associate the first
event with the second. I assume the association can be made based on
unique_id field which seems to appear in both events. The rule itself might
look like this:
type=PairWithWindow
ptype=RegExp
pattern=DEBUG quantum\.openstack\.common\.rpc\.amqp \[-\] UNIQUE_ID is
([0-9A-Fa-f]+)
desc=wait for tenant ID of event $1
action=write - $0 NO TENANT_ID
ptype2=RegExp
pattern2=DEBUG quantum\.openstack\.common\.rpc\.amqp \[-\] .*
u'_context_tenant_id': u'([0-9A-Fa-f]+)'.* u'_unique_id': u'$1'
desc2=received tenant ID of event %1
action2=write - %0 TENANT_ID is $1; write - $0
window=1
There are two regular expressions in the rule which match the first and the
second event, respectively. The second regular expression contains a
fragment
u'_unique_id': u'$1'
which essentially means that during runtime $1 is replaced with the
unique_id that has been extracted from the first field. In the case of two
example events you have provided, the expression would be:
u'_unique_id': u'dd5b48bdf49a4733a90a3bb828db9988'
Also note that $1 has to be used in the 'desc' field of the rule, in order
to ensure that a separate waiting operation is started for each unique_id
value.
If a matching second event has been seen within 1 second, the action list
from 'action2' field outputs both lines:
write - %0 TENANT_ID is $1; write - $0
Since at this point we have evaluated two regular expressions successfully,
we have two sets of match variables. The ones which begin with $ sign refer
to the most recent (second) match, while the ones that begin with % sign
refer to the first match. Therefore, the variable %0 corresponds to the
first matching line, while $0 corresponds to the second matching line.
If we don't see a matching second line within 1 second, the 'action' field
of the rule outputs just the first line with a note that no tenant ID was
observed. Note that this time $0 refers again to the line from the most
recent match, and since we have just one matching regular expression now,
$0 holds the first line that didn't have a followup.
hope this helps,
risto
2013/11/8 Orangepeel Beef <[email protected]>
> Hi guys, i have a question for you. Trying to use SEC Pair event type to
> append additional information to a log. Here's the details...
>
> first log event
>
> 2013-11-07 00:35:56.148 34965 DEBUG quantum.openstack.common.rpc.amqp [-]
> UNIQUE_ID is dd5b48bdf49a4733a90a3bb828db9988. _add_unique_id
> /usr/lib/python2.7/dist-packages/quantum/openstack/common/rpc/amqp.py:338
>
>
>
> second log event 3ms later
>
> 2013-11-07 00:35:56.151 2778 DEBUG quantum.openstack.common.rpc.amqp [-]
> received {u'_context_roles': [u'net-admin', u'admin'],
> u'_context_read_deleted': u'no', u'_context_tenant_id': u'10570016183961',
> u'args': {u'routers': [u'b202f601-2017-4bdd-bd81-eb0281f149ce']},
> u'namespace': None, u'_unique_id': u'dd5b48bdf49a4733a90a3bb828db9988',
> u'_context_is_admin': False, u'version': u'1.1', u'_context_project_id':
> u'10570016183961', u'_context_timestamp': u'2013-11-07 00:35:56.118937',
> u'_context_user_id': u'10881749904307', u'method': u'routers_updated'}
> _safe_log
> /usr/lib/python2.7/dist-packages/quantum/openstack/common/rpc/common.py:273
>
>
> the first log event has no concept of the tenant_id, and i'd like to
> append the tenant id to the first log line before writing it out to the
> file.
>
>
> Sadly though I'm not sure how to accomplish this. Maybe Pair is not the
> proper method, I haven't been able to figure out how to access the first
> message info when the 2nd condition is met.
>
>
> What i'd like to have written to the file is:
>
>
> 2013-11-07 00:35:56.148 34965 DEBUG quantum.openstack.common.rpc.amqp [-]
> UNIQUE_ID is dd5b48bdf49a4733a90a3bb828db9988. _add_unique_id
> /usr/lib/python2.7/dist-packages/quantum/openstack/common/rpc/amqp.py:338
> TENANT_ID is 10570016183961.
>
>
>
>
> 2013-11-07 00:35:56.151 2778 DEBUG quantum.openstack.common.rpc.amqp [-]
> received {u'_context_roles': [u'net-admin', u'admin'],
> u'_context_read_deleted': u'no', u'_context_tenant_id': u'10570016183961',
> u'args': {u'routers': [u'b202f601-2017-4bdd-bd81-eb0281f149ce']},
> u'namespace': None, u'_unique_id': u'dd5b48bdf49a4733a90a3bb828db9988',
> u'_context_is_admin': False, u'version': u'1.1', u'_context_project_id':
> u'10570016183961', u'_context_timestamp': u'2013-11-07 00:35:56.118937',
> u'_context_user_id': u'10881749904307', u'method': u'routers_updated'}
> _safe_log
> /usr/lib/python2.7/dist-packages/quantum/openstack/common/rpc/common.py:273
>
>
>
> Clearly I can pair the events just fine, I'm just not sure how to access
> the message contents and regexes from the first log line, after the 2nd
> action is fired.
>
>
>
>
>
> ------------------------------------------------------------------------------
> November Webinars for C, C++, Fortran Developers
> Accelerate application performance with scalable programming models.
> Explore
> techniques for threading, error checking, porting, and tuning. Get the most
> from the latest Intel processors and coprocessors. See abstracts and
> register
> http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
------------------------------------------------------------------------------
November Webinars for C, C++, Fortran Developers
Accelerate application performance with scalable programming models. Explore
techniques for threading, error checking, porting, and tuning. Get the most
from the latest Intel processors and coprocessors. See abstracts and register
http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
