Hi Andrew,

what is the counting scope of the rule? From your rule definition it appears that an e-mail is issued if sec observes 2 events for the same device and VLAN (held by the $4 and $8 variables, respectively). Please be advised that if you have 2 events for the same device and VLAN, but some other event fields (such as $6 and $7) are different, these events are counted by the same operation, which will trigger an e-mail warning. If you want these fields to be the same across all events which are counted together, you need to include them in the 'desc' field.

Also, I'd recommend posting some sample events which are incorrectly counted in your opinion. Having a look at them would help others to provide suggestions on how to fix your rule.

kind regards,
risto

2014-02-05 andrewarnier <[email protected]>:

> Hi,
>
> I have set a rule as follows,
>
> type=SingleWithThreshold
> ptype=regexp
> pattern=(.+) (.+) (.+) (.+) (.+) A Spanning Tree Topology Change at (.+)/(.+) on VLAN (\d+)
> desc=A Spanning Tree Topology Change flapping flapping event for device $4 on VLAN $8 in 5 seconds
> action = pipe ' $1 A Spanning Tree Topology Change flapping flapping event for device $4 at $6/$7 on VLAN $8 in 5 seconds at %t' /bin/mail -s "A Spanning Tree Topology Change flapping flapping event" [email protected]
> thresh=2
> window=5
>
> but when an event occurs it will send two A Spanning Tree Topology Change flapping flapping event mails, why?
> How to set it so that when an event occurs it will only send a mail?
>
> Can anyone give me some advice on what to do please?
>
> andrew

_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
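
The counting scope discussed in this thread, as an added example that is not part of the original messages and is not SEC's own code: a simplified Python model of threshold counting keyed on the expanded 'desc' string, using the pattern, thresh and window from the quoted rule. The sample events, their field layout and the shortened desc strings are constructed for illustration.

```python
import re

# Pattern, thresh and window are taken from the rule quoted in the thread.
PATTERN = re.compile(r"(.+) (.+) (.+) (.+) (.+) A Spanning Tree Topology Change "
                     r"at (.+)/(.+) on VLAN (\d+)")
THRESH, WINDOW = 2, 5

# Constructed sample events as (seconds, log line); the field layout is assumed.
MSG = "Feb 5 10:00:%02d sw1 STP: A Spanning Tree Topology Change at %s on VLAN 20"
SAMPLE = [(0, MSG % (0, "1/12")), (2, MSG % (2, "2/3")),
          (10, MSG % (10, "1/12")), (12, MSG % (12, "1/12"))]

BROAD = "flapping for device $4 on VLAN $8"             # scope used in the rule
NARROW = "flapping for device $4 at $6/$7 on VLAN $8"   # port added to the scope

def correlate(events, desc_template):
    """Simplified model of SingleWithThreshold: one counting operation per
    expanded desc string. Returns [(time, desc)] for every action execution."""
    ops, fired = {}, []
    for t, line in events:
        m = PATTERN.search(line)
        if not m:
            continue
        # Expand $N in desc; the result is the key of the counting operation.
        desc = re.sub(r"\$(\d+)", lambda v: m.group(int(v.group(1))), desc_template)
        op = ops.get(desc)
        if op and op["done"]:
            if t - op["times"][0] < WINDOW:
                continue          # action already ran; ignore until window ends
            op = None             # window is over, the operation has terminated
        if op is None:
            op = ops[desc] = {"times": [], "done": False}
        # Sliding window: forget events older than WINDOW seconds.
        op["times"] = [x for x in op["times"] if t - x < WINDOW] + [t]
        if len(op["times"]) >= THRESH:
            op["done"] = True
            fired.append((t, desc))
    return fired

if __name__ == "__main__":
    for name, template in (("broad", BROAD), ("narrow", NARROW)):
        print(name, correlate(SAMPLE, template))
```

With the broad desc, the events on ports 1/12 and 2/3 at seconds 0 and 2 are counted together and trigger an action; with the narrow desc only the two events on port 1/12 at seconds 10 and 12 do.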
