From: [email protected] [mailto:[email protected]] On Behalf Of Yuheng Du
Sent: Tuesday, August 19, 2014 4:46 PM
To: Risto Vaarandi
Subject: Re: [Simple-evcorr-users] Single with Script variable return

Hi Risto,

Your message is helpful. I am using JSON format messages from logstash as input of SEC. One of the fields in these messages is an array of floating point numbers called 'readings': [0.0, 1.2, -3.4, ...]. The length of the array varies from 1 to 24 depending on the incoming messages. I have stored all the logstash messages in an Elasticsearch database. Now whenever a new message comes in to SEC, I am using a Perl script to do a query from the database to fetch the average and standard deviation over 1 hour of each element in the 'readings' array. Based on the average and standard deviation returned from the script, I want to create an event telling me which element in my incoming 'readings' array has gone abnormal. So I need to interact with my Perl script to get the returned 'average' and 'standard deviation' float values. I know that I can pass variable values to a Perl script in a SingleWithScript rule, but I don't know how to get returned values.

From your previous reply, I figured that if I use the 'spawn' action, I can print the 'average' and 'std_deviation' values to stdout and then capture them in another rule, is that correct?

--- exactly, once you have started a script with the spawn action, anything that the script writes to standard output becomes a synthetic event inside SEC, and can be matched by rules. Also, the most recent version of SEC (2.7.6) allows for setting a custom internal context for these events, which might be helpful for making rule matching more efficient.

HTH,
risto

Thanks so much.

Yuheng

On Tue, Aug 19, 2014 at 9:27 AM, Risto Vaarandi <[email protected]> wrote:

> Do I understand correctly that you would like to check certain fields of JSON events received from sec inputs? If so, I'd recommend taking advantage of the PerlFunc pattern for parsing these events.
>
> Almost two years ago, there was a discussion in the mailing list which concerned JSON events specifically, and I submitted sample rules for parsing JSON: http://sourceforge.net/p/simple-evcorr/mailman/message/30058671/
>
> In the parsing rules, the JSON::decode_json() function is invoked, which stores its results into a Perl hash. It is straightforward to check specific keyword-value pairs inside this hash, and include these checks within the same PerlFunc pattern. Also, if you don't care about flattening the JSON structure and setting SEC match variables, you can omit the flatten() function from this example altogether, which will make this ruleset really short.
>
> Hope this helps,
> risto
>
> From: Yuheng Du [mailto:[email protected]]
> Sent: Tuesday, August 19, 2014 3:41 PM
> To: Risto Vaarandi
> Cc: [email protected]
> Subject: Re: [Simple-evcorr-users] Single with Script variable return
>
> Hi Risto,
>
> The array is initialized and created as the input of SEC. It is of the JSON format.
>
> Thanks.
> Yuheng
>
> On Tue, Aug 19, 2014 at 4:29 AM, Risto Vaarandi <[email protected]> wrote:
>
>> 2014-08-18 22:37 GMT+03:00 Yuheng Du <[email protected]>:
>>
>>> Hi Guys,
>>>
>>> Is there any method to get the return value of a script in a SingleWithScript rule? I have 8 readings in an array and I want to return which (one or many) specific items in that array are exceptional using a Perl script. Then based on the return value of the script, I want to decide my actions. So I need to return an integer to my rule in order to decide the action. Can I use a SingleWithScript rule to do this? Or are there any other methods?
>>
>> Where exactly is this array created and how is it initialized? Since there is no straightforward way to fetch a child process exit code from rules, it might be simpler to have a PerlFunc pattern for executing the Perl code and setting the array. However, if the Perl code involves time-consuming external queries, I'd not recommend the PerlFunc pattern, since it is not executed asynchronously.
>>
>> In that case, you could try the 'spawn' action for executing the Perl script, and communicate with SEC by generating synthetic events from the Perl script. If you prefer to use SingleWithScript, you can also use the following strategy -- write the exit code value into a file, and have 'if () else ()' statements in your action list for executing different actions based on the content of the file.
>>
>> hope this helps,
>> risto
>>
>>> Thanks.
>>>
>>> best,
>>> Yuheng

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
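As an added illustration of the spawn approach Risto describes in this thread (constructed rules, not from the thread or the SEC distribution): rule 1 decodes the logstash JSON event with a PerlFunc pattern, validates the 'readings' array and hands it to an external checker via spawn; rule 2 matches the synthetic events that checker writes to stdout. The script path /usr/local/bin/check_readings.pl, the ABNORMAL_READING line format it prints, and matching on the SEC_INTERNAL_EVENT context (which needs sec started with --intcontexts) are assumptions of this example.

```sec
# Rule 1: parse the JSON event, validate 'readings' and start the checker
# asynchronously.  The checker script (assumed) does the Elasticsearch query
# for mean/stddev and prints one line per abnormal element, for example:
#   ABNORMAL_READING index=2 value=-3.4 mean=0.9 std=0.5
# Each such line is read back by SEC as a synthetic event (matched by rule 2).
# Only plain numbers are accepted because $1 is interpolated into a shell
# command line; unvalidated event data there would be a command injection.
# Note: no Perl '#' comments inside the continued pattern, since SEC joins
# backslash-continued lines into one line before evaluating the sub.
type=Single
ptype=PerlFunc
pattern=sub { \
  my($line) = @_; \
  require JSON; \
  my $ev = eval { JSON::decode_json($line) }; \
  return () unless ref($ev) eq 'HASH' && ref($ev->{readings}) eq 'ARRAY'; \
  my @r = @{$ev->{readings}}; \
  return () if @r < 1 || @r > 24; \
  return () if grep { !/^-?\d+(?:\.\d+)?(?:[eE][-+]?\d+)?$/ } @r; \
  return (join(',', @r)); \
}
desc=check readings $1
action=spawn /usr/local/bin/check_readings.pl '$1'

# Rule 2: match the synthetic events produced by the spawned checker.
# SEC_INTERNAL_EVENT is the context plain 'spawn' sets on such events when
# sec runs with --intcontexts (assumed here); it keeps this rule from being
# tried against ordinary input lines.
type=Single
ptype=RegExp
pattern=^ABNORMAL_READING index=(\d+) value=(\S+) mean=(\S+) std=(\S+)$
context=SEC_INTERNAL_EVENT
desc=reading $1 is abnormal
action=write - reading $1 abnormal: value=$2 mean=$3 std=$4
```

The checker receives the comma-separated readings as its single argument and is free to compute the per-element comparison however it likes; SEC only sees what it prints.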
