>from your previous mails, I got an impression that you just want to match
two consecutive events. Do you actually want to have a rule for >detecting
if a machine fails to send a keepalive message after 10 seconds from
previous message?
Yes. I want a rule for detecting if a machine fails to send a keepalive
message after 10s from previous message. The machine is identified by its
"deploymentId".
>Do you want to get the notification when the keepalive is missing, or also
for *every* successfully received keepalive?
I want to get notified only when keepalive is missing.
Thanks.
best,
Yuheng
On Fri, Jul 25, 2014 at 2:20 PM, Risto Vaarandi <[email protected]>
wrote:
> 2014-07-24 19:13 GMT+03:00 Yuheng Du <[email protected]>:
>
>> Hi guys,
>>
>> I want to do a correlation between event so If I heard/not heard a
>> message coming from the same machine within 10s, I need to got notified.
>>
>
> From your previous mails, I got an impression that you just want to match
> two consecutive events. Do you actually want to have a rule for detecting
> if a machine fails to send a keepalive message after 10 seconds from
> previous message? Do you want to get the notification when the keepalive is
> missing, or also for *every* successfully received keepalive?
> BR,
> risto
>
>
>> I am using an EventGroup rule to do this:
>>
>> type=EventGroup
>> ptype=RegExp
>> thresh=2
>> window=10
>> pattern=\"deploymentId\"\s+=>\s+(\S+)deployment#(\S+)\",
>> desc=CHECK_INTERVAL_$2
>> action=assign %deploymentId $2;\
>> create deploymentId_$2;\
>> create DEPLOYMENTID_CONTEXT;\
>> write - $2 heart beats heard within 10s.
>> slide=reset 0 %s;
>> end=write - $2 not heard for 10s since last receive event.;\
>> create $2_HEARTBEAT_TIMEOUT;\
>> event $2 not heard for 10s.
>>
>> However, the pattern can only identify messages coming form ANY
>> deploymentId, while I want it to identify any messages coming from a
>> SPECIFIC deploymentId.
>> like in:
>>
>> "deploymentId" => deployment#srb_2",
>> "deploymentId" => deployment#srb_4",
>> "deploymentId" => deployment#srb_2",
>>
>> I only want to correlate messages coming from srb_2 alone or srb_4 alone.
>>
>> Anyone have a suggestion how I can do it with eventgroup rule?
>>
>> Or I should just switch to single/singlewiththreshold method as John
>> suggested in list
>> http://sourceforge.net/p/simple-evcorr/mailman/message/32640664/ ?
>>
>> Thanks!
>>
>>
>> ------------------------------------------------------------------------------
>> Want fast and easy access to all the code in your enterprise? Index and
>> search up to 200,000 lines of code with a free copy of Black Duck
>> Code Sight - the same software that powers the world's largest code
>> search on Ohloh, the Black Duck Open Hub! Try it now.
>> http://p.sf.net/sfu/bds
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
