2014-07-24 19:13 GMT+03:00 Yuheng Du <[email protected]>:
> Hi guys,
>
> I want to do a correlation between event so If I heard/not heard a message
> coming from the same machine within 10s, I need to got notified.
>
>From your previous mails, I got an impression that you just want to match
two consecutive events. Do you actually want to have a rule for detecting
if a machine fails to send a keepalive message after 10 seconds from
previous message? Do you want to get the notification when the keepalive is
missing, or also for *every* successfully received keepalive?
BR,
risto
> I am using an EventGroup rule to do this:
>
> type=EventGroup
> ptype=RegExp
> thresh=2
> window=10
> pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
> desc=CHECK_INTERVAL_$2
> action=assign %deploymentId $2;\
> create deploymentId_$2;\
> create DEPLOYMENTID_CONTEXT;\
> write - $2 heart beats heard within 10s.
> slide=reset 0 %s;
> end=write - $2 not heard for 10s since last receive event.;\
> create $2_HEARTBEAT_TIMEOUT;\
> event $2 not heard for 10s.
>
> However, the pattern can only identify messages coming form ANY
> deploymentId, while I want it to identify any messages coming from a
> SPECIFIC deploymentId.
> like in:
>
> "deploymentId" => deployment#srb_2",
> "deploymentId" => deployment#srb_4",
> "deploymentId" => deployment#srb_2",
>
> I only want to correlate messages coming from srb_2 alone or srb_4 alone.
>
> Anyone have a suggestion how I can do it with eventgroup rule?
>
> Or I should just switch to single/singlewiththreshold method as John
> suggested in list
> http://sourceforge.net/p/simple-evcorr/mailman/message/32640664/ ?
>
> Thanks!
>
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
