2014-12-16 20:19 GMT+02:00 Sebre <[email protected]>:
>
> Hello,
>
> I have to monitor two log files, each one has to match its own SEC
> rules. I'm trying to set up a "Pair" based rule : a regexp triggers an
> action and a substr reset the events lists. It's OK as far as I give a
> single file on the command line ; only one --input parameter.
>
> If I build a context, as described in the man, with --intcontexts and
> --input=my_log=MY_CONTEXT switches, and the context=MY_CONTEXT in the
> config file, along with others --input files, the first event is
> detected on the input file linked by its context : very good.
>
> But the pattern2 is triggered by ANY input file. SEC ignores the
> context. The pattern2 should be matched against the inputfile linked by
> the context, isn't it ?
>

...as John already mentioned in his post, you will need to set up the
'context2' field. The 'context' field will be evaluated together with
'pattern' only, and it will not restrict matches by 'pattern2' field.


>
> My config only describes the ruleset for the first file (if OK the
> ruleset for the second file should be similar) :
>
> ---- sec.rules -----------------------
> type=Pair
> context=[CFT]
> ptype=regexp
> pattern=(?i)(ERROR|WARNING)
> desc=Alamm $1 on $+{_inputsrc}
> action=logonly
> ptype2=substr
> pattern2=receiving file list ... done
> desc2=Alarm end on $+{_inputsrc}
> action2=logonly
> window=60
> ---- sec.rules -----------------------
>
> Command line :
> ./sec --intcontexts --conf=config/sec.rules \
> --input=log/RECEPTION.log=CFT \
> --input=log/OUTPUT.log=OTHER
>
> Perl v5.8.8 built for aix-thread-multi
>
> Interesting fact : $+{_inputsrc} displays "log/RECEPTION.log" even if
> pattern2 is matched against "log/OUTPUT.log".
>

You are seeing this because ptype2 is set to 'substr' -- which means fast
substring search without any regular expression matching. However, for the
reasons of efficiency, SubStr patterns do not set any match variables, and
thus $+{_inputsrc} will keep holding the value from the previous pattern
match (produced by 'pattern'). If you would change 'ptype2' field from
substr to regexp, $+{_inputsrc} would refer to "log/OUTPUT.log", since this
time 'pattern2' is a regular expression which sets $+{_inputsrc}. A side
note -- if you set ptype2=regexp and have a regular expression for
pattern2, but want to refer to past match variables previously set by
'pattern', you have to use the % prefix instead of $ in the 'desc2' field.
For example, the following fields

ptype2=regexp
pattern2=receiving file list \.\.\. done
desc2=Alarm end on $+{_inputsrc}
action2=logonly

would log "Alarm end on log/OUTPUT.log".

On the other hand, both

ptype2=regexp
pattern2=receiving file list \.\.\. done
desc2=Alarm end on %+{_inputsrc}
action2=logonly

and

ptype2=substr
pattern2=receiving file list ... done
desc2=Alarm end on $+{_inputsrc}
action2=logonly

would log "Alarm end on log/RECEPTION.log". In short, in Pair* rules
$-prefix always refers to the most recent set of match variables, while
with %-prefix you can refer to previous set of match variables. Also, the
existence of $-prefixed and %-prefixed match variables depends on pattern
type(s) -- for example, if ptype=substr and ptype2=substr, neither $ nor %
match variables exist, since substr-patterns never set any match variables.

hope this helps,
risto



>
> Could you please help me, should context act like I hope it does, am I
> wrong in my set up, ... ?
>
> Thank you very much !
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
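The fix described in the reply, written out as a complete rule file. This is an added example, not part of the original messages. It assumes the same command line as in the original post, and the patterns of the second rule are an assumption, since the post only says that ruleset "should be similar".

```conf
# sec.rules (added example)
# Assumed command line, as in the original post:
#   ./sec --intcontexts --conf=config/sec.rules \
#         --input=log/RECEPTION.log=CFT \
#         --input=log/OUTPUT.log=OTHER

# Rule for log/RECEPTION.log (internal context CFT).
# 'context' is evaluated together with 'pattern' only, so 'context2'
# is needed to keep 'pattern2' from matching lines of other inputs.
type=Pair
ptype=regexp
pattern=(?i)(ERROR|WARNING)
context=[CFT]
desc=Alarm $1 on $+{_inputsrc}
action=logonly
ptype2=substr
pattern2=receiving file list ... done
context2=[CFT]
# ptype2=substr sets no match variables, so $+{_inputsrc} here still
# holds the value set by 'pattern' (log/RECEPTION.log).
desc2=Alarm end on $+{_inputsrc}
action2=logonly
window=60

# Rule for log/OUTPUT.log (internal context OTHER).
# Patterns are assumed to be the same as above, for illustration only.
type=Pair
ptype=regexp
pattern=(?i)(ERROR|WARNING)
context=[OTHER]
desc=Alarm $1 on $+{_inputsrc}
action=logonly
ptype2=regexp
pattern2=receiving file list \.\.\. done
context2=[OTHER]
# ptype2=regexp sets its own match variables: $+{_inputsrc} is the file
# matched by 'pattern2', %+{_inputsrc} the file matched by 'pattern'.
desc2=Alarm end on $+{_inputsrc} (started on %+{_inputsrc})
action2=logonly
window=60
```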