Hi Rock and all,
Thanks for your reply!
But when I tried your action in my sec pair rule, I can get %time1 but
can't get %time2.
I got the error as follows:
E Evaluating code 'my $str = "Tue Nov 25 2014 13:48:01 ";my
@months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','
dec');my ($day,$mon,$date,$year,$time) = split(' ',lc($str));my
%month_hash;@month_hash{@months} = (1 .. 12);return
"$year-$month_hash{$mon}-$date $time";' and setting variable '%time1'
Variable '%time1' set to '2014-11-25 13:48:01'
Evaluating code 'my $str = "Tue Nov 25 2014 13:48:04 ";my
@months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','
dec');my ($day,$mon,$date,$year,$time) = split(' ',lc($str));my
;@month_hash{@months} = (1 .. 12);return "$year-$month_hash{$mon}-$date
$time";' and setting variable '%time2'
Error evaluating code 'my $str = "Tue Nov 25 2014 13:48:04 ";my
@months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','
dec');my ($day,$mon,$date,$year,$time) = split(' ',lc($str));my
;@month_hash{@months} = (1 .. 12);return "$year-$month_hash{$mon}-$date
$time";': syntax error at (eval 12) line 1, at EOF
My sec pair rule:
type=Pair
ptype=RegExp
pattern=(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) CI-6500 Carrier Loss On The LAN in (\S+) \(majorServiceAffecting\),ifIndex=(.+)
desc=TN-15600 Carrier Loss On The LAN in %7(%8)
action=eval %time1 ( my $str = "$1 $2 $3 $4 $5 ";\
my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
my %%month_hash;\
@month_hash{@months} = (1 .. 12);\
return "$year-$month_hash{$mon}-$date $time";)
ptype2=RegExp
pattern2=(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) CA-6500 Transport Layer Failure in (\S+) \(majorServiceAffecting\),ifIndex=(.+)
desc2= HC-15600 Transport Layer Failure in $7($8)
action2=eval %time2 ( my $str = "$1 $2 $3 $4 $5 ";\
my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
my %%month_hash;\
@month_hash{@months} = (1 .. 12);\
return "$year-$month_hash{$mon}-$date $time";)\
; write SEC_fifo %time1,%time2, CI-6500, CA-6500,%7,$7,%8,$8,carrierLossOnTheLAN,Critical,%6,transportLayerFailure,Major
window=10
Does anyone know what's wrong with my rule? How to fix it?
Thanks,
Andrew
From: MILLS, ROCKY [mailto:[email protected]]
Sent: Saturday, November 22, 2014 4:26 AM
To: [email protected]
Subject: Re: [Simple-evcorr-users] how to get pattern variable $1 to action ?
Hi Andrew,
You can use 'eval' action to reformat the $1 timestamp. Same perl code
(except you need %% for month_hash):
eval %time ( my $str = "$1";\
my @months=('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
my %%month_hash;\
@month_hash{@months} = (1 .. 12);\
return "$year-$month_hash{$mon}-$date $time";\
)
Regards,
Rock
From: andrewarnier [mailto:[email protected]]
Sent: Friday, November 21, 2014 1:26 AM
To: [email protected]
Subject: [Simple-evcorr-users] how to get pattern variable $1 to action ?
Hi all,
I want to get the trap time, but the trap time format is "Fri Nov 21 2014
15:04:32". How can I change the format to "2014-11-21 15:04:32" in my single
rule?
I tried to convert the datetime format in my sec rule, but my rule action
can't get the variable $1.
Does anyone know what's wrong with my rule? How to fix it?
type=Single
ptype=Regexp
pattern=(\S+) .1.3.6.1.4.1.3607.2.20.0.430 192.168.11.15 Loss Of Signal in (\S+) \(criticalServiceAffecting\),ifIndex=(.+)
desc= CA -15600 Loss of signal events for interface $2($3)
action=lcall %time -> ( sub { my $str = '$1';\
my @months =('jan','feb','mar','apr','may','jun','jul','aug','sep','oct','nov','dec');\
my ($day,$mon,$date,$year,$time) = split(' ',lc($str));\
my %month_hash;\
@month_hash{@months} = (1 .. 12);\
return "$year-$month_hash{$mon}-$date $time"; } );shellcmd /home/andrew/code/sendmail.sh "Loss Of Signal" "CA-15600 Loss of signal events for interface $2($3)" "%time"
cheers,
Andrew
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
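
The timestamp conversion discussed in this thread, as a stand-alone Perl script (an added example, not code from either poster or from SEC). It takes the trap time as a function argument instead of interpolating matched log text into the code string, and rejects anything that is not exactly a "Tue Nov 25 2014 13:48:01" style timestamp; the name trap_time_to_iso and the sample inputs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Month abbreviation -> month number, the same mapping the rule builds.
my %MONTH;
@MONTH{qw(jan feb mar apr may jun jul aug sep oct nov dec)} = (1 .. 12);

# Convert "Tue Nov 25 2014 13:48:01" to "2014-11-25 13:48:01".
# Returns undef (in scalar context) when the input does not have exactly
# that shape, so unexpected log content is never handed on to a later
# write or shell command.
sub trap_time_to_iso {
    my ($str) = @_;
    return unless defined $str;

    # Weekday, month name, day of month, 4-digit year, HH:MM:SS.
    my ($mon, $day, $year, $h, $m, $s) = $str =~
        /\A\s*[A-Za-z]{3}\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+(\d{2}):(\d{2}):(\d{2})\s*\z/
        or return;

    my $month = $MONTH{lc $mon} or return;    # unknown month name
    return if $day < 1 || $day > 31;
    return if $h > 23 || $m > 59 || $s > 59;

    # Zero-pad every field so single-digit months and days sort correctly.
    return sprintf('%04d-%02d-%02d %02d:%02d:%02d',
                   $year, $month, $day, $h, $m, $s);
}

# Constructed sample inputs: the two timestamps quoted in the thread,
# a single-digit day and month, and two malformed strings.
for my $in ('Tue Nov 25 2014 13:48:04 ',
            'Fri Nov 21 2014 15:04:32',
            'Mon Jan 5 2015 09:03:07',
            'Tue Foo 25 2014 13:48:04',
            'Tue Nov 25 2014 13:48:04" extra') {
    my $out = trap_time_to_iso($in);
    printf "%-36s -> %s\n", "'$in'", defined $out ? $out : '(rejected)';
}
```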