---------- Forwarded message ----------
From: Yuheng Du <[email protected]>
Date: Tue, Aug 19, 2014 at 9:45 AM
Subject: Re: [Simple-evcorr-users] Single with Script variable return
To: Risto Vaarandi <[email protected]>

Hi Risto,

Your message is helpful. I am using JSON format messages from logstash as input of SEC. One of the fields in these messages is an array of floating point numbers called 'readings': [0.0, 1.2, -3.4, ...]. The length of the array varies from 1 to 24 depending on the incoming messages. I have stored all the logstash messages in an Elasticsearch database. Now whenever a new message comes in to SEC, I am using a Perl script to do a query from the database to fetch the average and standard deviation over 1 hour of each element in the 'readings' array. Based on the average and standard deviation returned from the script, I want to create an event telling me which element in my incoming 'readings' array has gone abnormal. So I need to interact with my Perl script to get the returned 'average' and 'standard deviation' float values. I know that I can pass variable values to the Perl script in a SingleWithScript rule, but I don't know how to get returned values.

From your previous reply, I figured that if I use the 'spawn' action, I can print the 'average' and 'std_deviation' values to stdout and then capture them in another rule, is that correct?

Thanks so much.

Yuheng

On Tue, Aug 19, 2014 at 9:27 AM, Risto Vaarandi <[email protected]> wrote:
> Do I understand correctly that you would like to check certain fields of
> json events received from sec inputs? If so, I'd recommend to take
> advantage of the PerlFunc pattern for parsing these events. Almost two
> years ago, there was a discussion in the mailing list which concerned json
> events specifically, and I submitted sample rules for parsing json:
> http://sourceforge.net/p/simple-evcorr/mailman/message/30058671/
>
> In the parsing rules, JSON::decode_json() function is invoked which stores
> its results into a perl hash. It is straightforward to check specific
> keyword-value pairs inside this hash, and include these checks within the
> same PerlFunc pattern. Also, if you don't care about flattening json
> structure and setting SEC match variables, you can omit the flatten()
> function from this example altogether, which will make this ruleset really
> short.
>
> Hope this helps,
> risto
>
>
> From: Yuheng Du [mailto:[email protected]]
> Sent: Tuesday, August 19, 2014 3:41 PM
> To: Risto Vaarandi
> Cc: [email protected]
> Subject: Re: [Simple-evcorr-users] Single with Script variable return
>
> Hi Risto,
>
> The array is initialized and created as the input of SEC. It is of the JSON
> format.
>
> Thanks.
>
> Yuheng
>
> On Tue, Aug 19, 2014 at 4:29 AM, Risto Vaarandi <[email protected]> wrote:
>
> 2014-08-18 22:37 GMT+03:00 Yuheng Du <[email protected]>:
>
> Hi Guys,
>
> Is there any method to get the return value of a script in a SingleWithScript
> rule?
>
> I have 8 readings in an array and I want to return which (one or many)
> specific items in that array are exceptional using a perl script. Then based
> on the return value of the script, I want to decide my actions.
>
> So I need to return an integer to my rule in order to decide the action.
>
> Can I use a SingleWithScript rule to do this? Or is there any other method?
>
> Where exactly is this array created and how is it initialized? Since there
> is no straightforward way to fetch a child process exit code from rules, it
> might be simpler to have a PerlFunc pattern for executing the perl code and
> setting the array. However, if the perl code involves time-consuming
> external queries, I'd not recommend PerlFunc pattern, since it is not
> executed asynchronously. In that case, you could try the 'spawn' action for
> executing the perl script, and communicate with SEC by generating synthetic
> events from the perl script.
>
> If you prefer to use SingleWithScript, you can also use the following
> strategy -- write the exit code value into a file, and have 'if () else ()'
> statements in your action list for executing different actions based on the
> content of the file.
>
> hope this helps,
> risto
>
> Thanks.
>
> best,
>
> Yuheng
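As an added example that is not part of this thread, here is the 'spawn' strategy Risto describes and Yuheng asks about: a Perl script (hypothetical name check_readings.pl) that parses the logstash JSON event with JSON::decode_json, scores each 'readings' element against a per-element hourly mean and standard deviation, and prints one synthetic event per abnormal element so that a second SEC rule can match it. The baseline hash is constructed and stands in for the Elasticsearch query; the SEC rules shown in the comments are assumed, and passing the event as '$0' assumes it contains no single quotes.

```perl
#!/usr/bin/perl
# check_readings.pl -- launched from a SEC 'spawn' action (assumed rule):
#   type=Single
#   ptype=RegExp
#   pattern=^\{.*"readings":\[
#   desc=score readings
#   action=spawn /usr/local/bin/check_readings.pl '$0'
# $0 is the whole matched JSON event. Everything this script prints to
# STDOUT is read back by SEC as input, i.e. it becomes a synthetic event.
use strict;
use warnings;
use JSON qw(decode_json);

# Assumption: in production this hash is filled from the Elasticsearch
# query over the last hour. These values are constructed so the script
# runs offline; keys are element indices of the 'readings' array.
my %baseline = (
    0 => { mean =>  0.0, sd => 0.5 },
    1 => { mean =>  1.0, sd => 0.2 },
    2 => { mean => -3.0, sd => 0.3 },
);
my $z_limit = 3;    # flag an element when |value - mean| >= 3 * sd

# The event text arrives as the first argument, or on STDIN when run by hand.
my $raw = defined $ARGV[0] ? $ARGV[0] : do { local $/; <STDIN> };
my $event = eval { decode_json($raw) };
unless (ref $event eq 'HASH' && ref $event->{readings} eq 'ARRAY') {
    print "READINGS_PARSE_ERROR\n";    # also a synthetic event SEC can act on
    exit 1;
}

my @readings = @{ $event->{readings} };
for my $i (0 .. $#readings) {
    my $b = $baseline{$i} or next;     # no hourly baseline yet for this index
    next unless $b->{sd} > 0;          # constant series cannot be scored
    my $z = ($readings[$i] - $b->{mean}) / $b->{sd};
    next if abs($z) < $z_limit;
    printf "READING_ANOMALY index=%d value=%.2f mean=%.2f sd=%.2f z=%.2f\n",
        $i, $readings[$i], $b->{mean}, $b->{sd}, $z;
}
exit 0;

# Consumer rule (assumed) that turns the synthetic event into the alert:
#   type=Single
#   ptype=RegExp
#   pattern=^READING_ANOMALY index=(\d+) value=(\S+) mean=(\S+) sd=(\S+) z=(\S+)$
#   desc=reading $1 abnormal
#   action=write - element $1 is $2 against hourly mean $3 (sd $4, z-score $5)
```

Run by hand with `echo '{"readings":[0.1, 2.5, -3.1]}' | ./check_readings.pl`, only index 1 (z = 7.5) is reported, which is the same line SEC would receive from the spawn action.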
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
