Hi ristro,
type=PairWithWindow ptype=RegExp pattern=CI-15600 Carrier Loss On The LAN in FAC-(.+)-(.+) \(majorServiceAffecting\),ifIndex=(.+) desc=Carrier Loss On The LAN in FAC-$1-$2 action=write - Carrier Loss On The LAN in FAC-$1-$2 ,ifIndex=$3 ptype2=RegExp pattern2=CN-15600 Transport Layer Failure in FAC-(.+)-(.+) \(majorServiceAffecting\),ifIndex=(.+) desc2= Transport Layer Failure in FAC-$4-$5 \(majorServiceAffecting\),ifIndex=$6 action2=pipe '%t,CI-15600 <> CN-15600,TCP-15454 Carrier Loss On The LAN FAC-%1-%2 ifIndex=%3 and CN-15600 Transport Layer Failure FAC-%4-%5' /bin/mail -s "Carrier Loss On The LAN" [email protected] window=5 # perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg -input=- 2013-11-03 20:40:55 .1.3.6.1.4.1.3607.6.10.30.0.220 Critical "ONS" CI-15600 - CI-15600 Carrier Loss On The LAN in FAC-1-2 (majorServiceAffecting),ifIndex=12290 2013-11-10 20:05:54 .1.3.6.1.4.1.3607.6.10.30.0.3540 Major "ONS" CN-15600 - CN-15600 Transport Layer Failure in FAC-3-4 (majorServiceAffecting),ifIndex=12293 I have match variables in the PairWithWindow rule ,but I can't get %4 and %5 values 'Tue Mar 11 16:28:18 2014, CI-15600 <> CN-15600, CI-15600 Carrier Loss On The LAN FAC-1-2 ifIndex=12290 and CN-15600 Transport Layer Failure FAC-%4-%5 Give me some advice pls Andrew -----Original Message----- From: Risto Vaarandi [mailto:[email protected]] Sent: Monday, March 10, 2014 7:21 PM To: [email protected] Subject: Re: [Simple-evcorr-users] pipe format On 03/10/2014 10:25 AM, andrewarnier wrote: > Hi all, > > I have set a rule as follow, > > type=PairWithWindow > > ptype1=RegExp > > pattern1=CI-16800 Carrier Loss On The LAN in FAC-(.+)-(.+) > \(majorServiceAffecting\),ifIndex=(.+) > > desc=Carrier Loss On The LAN in FAC-$1-$2 > > action=write - Carrier Loss On The LAN in FAC-$1-$2 > > ptype2=RegExp > > pattern2=CN-15600 Transport Layer Failure in FAC-(.+)-(.+) > \(majorServiceAffecting\),ifIndex=(.+) > > desc2= $1-$2 Transport Layer Failure in FAC-$3-$4 > \(majorServiceAffecting\),ifIndex=$5 > > action2=pipe '%t,CI-16800 <> CN-15600, CI-16800 Carrier Loss On The > LAN > FAC-$1-$2 and CN-15600 Transport Layer Failure FAC-$3-$4' /bin/mail -s > "Carrier Loss On The LAN" [email protected] > > window=5 > > then > > $ perl /usr/local/sbin/sec.pl -conf=snmptt_test_sec.cfg -input=- > > Sun Nov 3 20:40:55 2013 .1.3.6.1.4.1.3607.6.10.30.0.220 Critical "ONS" > CI-16800 - CI-16800 Carrier Loss On The LAN in FAC-1-2 > (majorServiceAffecting),ifIndex=12290 > > Sun Nov 10 20:05:54 2013 .1.3.6.1.4.1.3607.6.10.30.0.3540 Major "ONS" > CN-15600 - CN-15600 Transport Layer Failure in FAC-3-4 > (majorServiceAffecting),ifIndex=12293 > > when match the rule ,it will pipe the message as follow to my mailbox : > > Mon Mar 10 15:46:05 2014, CI-16800 <> CN-15600, CI-16800 Carrier Loss > On The LAN FAC-3-4 and CN-15600 Transport Layer Failure FAC-12293-$4 > > Now my problem is how to transform %t format to %Y-%m-%d %H:%M:%S and > get patter1 and patter2 variables > > So I want to get the message as follow : > > 2014-03-10 15:46:05 , CI-16800<> CN-15600, CI-16800 Carrier Loss On > The LAN FAC-1-2 ifIndex=12290 and CN-15600 Transport Layer Failure in > FAC-3-4 ifIndex=12293 > > Can anyone give me some advice on what to do please? In order to use timestamps in custom format, I would recommend to use a sec action which invokes Perl code, for example action=lcall %time -> ( sub { my(@time) = localtime(); \ my($timestamp) = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", \ $time[5]+1900, $time[4]+1, $time[3], $time[2], $time[1], $time[0]); \ return $timestamp; } ) As for the problems you have with match variables in the PairWithWindow rule, read the relevant example in the official documentation -- apart from standard $1, $2, ... variables you also need to use %1, %2, ... variables: http://simple-evcorr.sourceforge.net/man.html#lbAP (Note that this part of the docs was updated a lot in mid-January, so its worthwhile to take another look.) Also, recently there was a relevant discussion in the mailing list: http://sourceforge.net/p/simple-evcorr/mailman/message/31907966/ hth, risto > > Andrew > > > > ---------------------------------------------------------------------- > -------- Learn Graph Databases - Download FREE O'Reilly Book "Graph > Databases" is the definitive new guide to graph databases and their > applications. Written by three acclaimed leaders in the field, this > first edition is now available. Download your free book today! > http://p.sf.net/sfu/13534_NeoTech > > > > _______________________________________________ > Simple-evcorr-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > ---------------------------------------------------------------------------- -- Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/13534_NeoTech _______________________________________________ Simple-evcorr-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users ------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/13534_NeoTech _______________________________________________ Simple-evcorr-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
