Re: [Simple-evcorr-users] mutliline pattern

Fri, 25 Jul 2014 10:46:21 -0700 

2014-07-25 19:15 GMT+03:00 Yuheng Du <[email protected]>:

> Hi guys,
>
> I am wondering if SEC pattern can match multilines?
>

yes, it can -- as for the example below, you would probably need the
RegExp3 pattern (3 after the RegExp keyword specifies that the regular
expression should match three input lines).
Since I don't want to re-type parts of the official documentation, have a
look into the relevant section in the docs:
http://simple-evcorr.sourceforge.net/man.html#lbAG
Also, if you want to accomplish multiline matching properly, it is highly
recommended to use the --nojointbuf command line option (unless you have
just one input source and no synthetic events).
kind regards,
risto


> I want it to match something like the following in one rule:
>
> deploymentId => "deployment#srb_1",
> deviceId => "0",
> observationDateTime => "07-25-2014 13:32:55 UTC"
>
> I am using :
> type=Single
> ptype=RegExp
>
> pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",\s*\"deviceId\"\s+=>\s+\"\d+\",\s*\"observationDateTime\"\s+=>\s+\"(.*)\"
> desc=Filter for $2
> continue=TakeNext
> action=create deploymentId_$2;\
> assign %deploymentId $2;\
> write - time $3;
>
> But it seems to not work, can anyone help?
>
> Thanks.
>
> Yuheng
>
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>

------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Reply via email to