You can address the problem by straightforward modification of the previous
ruleset -- just include $2 and $3 variables in context names:
type=Single
ptype=regexp
pattern=var1=(\S+) var2=(\S+) var3=(\S+)
context=!EVENT_WITH_VARS_OBSERVED_$2_$3
desc=var1 $1 has been observed
action=create EVENT_WITH_VARS_OBSERVED_$2_$3; \
alias EVENT_WITH_VARS_OBSERVED_$2_$3 VAR1_$1_OBSERVED_$2_$3; \
fill EVENT_WITH_VARS_OBSERVED_$2_$3 $1
type=Single
ptype=regexp
pattern=var1=(\S+) var2=(\S+) var3=(\S+)
context=EVENT_WITH_VARS_OBSERVED_$2_$3 && !VAR1_$1_OBSERVED_$2_$3
desc=var1 $1 has been observed
action=copy EVENT_WITH_VARS_OBSERVED_$2_$3 %previous; \
write - mytest: var1=$1 var1_previous=%previous var2=$2 var3=$3; \
delete EVENT_WITH_VARS_OBSERVED_$2_$3
Also, the first rule writes the initial value of var1 into the
EVENT_WITH_VARS_OBSERVED_$2_$3 context, and retrieves it in the second rule
after a different value for var1 has been observed. Both values are then
included in the string which gets written to standard output.
hope this helps,
risto
2015-04-14 15:00 GMT+03:00 Jonathan Snowe <[email protected]>:
> Actually, the problem is a bit more complex, I might have mis-explained
> it, let me try again.
>
> What I want to catch is events with the following behaviour:
> Source1: var1="var1_val1" var2="var2_val1" var3="var3_val1"
> Source2: var1="var1_val2" var2="var2_val1" var3="var3_val1"
>
> AKA, same values on var2 and var3 for both events, and a different value
> on var1.
> The thing I can't know is what will be the value of these fields at first.
>
> When the matching is done, I'd like to write somewhere a line with
> "var1_val1 var1_val2 var2_val1 var3_val1" for example.
>
> I don't know if it's clearer.
>
> Thank you for your anwser,
>
> Jon.
>
> 2015-04-14 11:16 GMT+02:00 Risto Vaarandi <[email protected]>:
>
>> Jonathan,
>> you can accomplish the task with the following two single rules:
>>
>> type=Single
>> ptype=regexp
>> pattern=var1=(\S+) var2=\S+ var3=\S+
>> context=!EVENT_WITH_VARS_OBSERVED
>> desc=var1 $1 has been observed
>> action=create EVENT_WITH_VARS_OBSERVED; \
>> alias EVENT_WITH_VARS_OBSERVED VAR1_$1_OBSERVED
>>
>> type=Single
>> ptype=regexp
>> pattern=var1=(\S+) var2=\S+ var3=\S+
>> context=!VAR1_$1_OBSERVED
>> desc=var1 $1 has been observed
>> action=write - an event with a different var1 value has been observed; \
>> delete EVENT_WITH_VARS_OBSERVED
>>
>> The first event with var1, var2 and var3 will create a context
>> EVENT_WITH_VARS_OBSERVED with an alias name which holds the value of var1.
>> After the context EVENT_WITH_VARS_OBSERVED has been created, further events
>> are passed to the second rule which checks for the presence of the alias
>> name. If the alias name for var1 value is missing, the second rule matches
>> and writes a message to standard output.
>>
>> Note that the order of the rules is important, and if you want to change
>> this, the 'context' field of the second rule should be written as
>> context=EVENT_WITH_VARS_OBSERVED && !VAR1_$1_OBSERVED
>>
>>
>> You can rewrite the above two rules into a one Pair rule, but I would
>> personally prefer to have two Single rules, since it's a bit clearer. Also,
>> event correlation logic is implemented with contexts, so the rule having
>> Pair instead of Single rules doesn't really matter here.
>>
>> kind regards,
>> risto
>>
>> 2015-04-14 11:05 GMT+03:00 Jonathan Snowe <[email protected]>:
>>
>>> Hello guys,
>>>
>>> I'd like some help on a little problem have to solve.
>>> Here's my situation:
>>> I have multiple sources, receiving similar events. SEC is configured to
>>> listen to these inputs.
>>>
>>> Events are of this type:
>>> var1="" var2="" var3=""
>>>
>>> What I want to do is, trigger an action if a first event appears with
>>> "whatever the value of these fields" (large regex), and a second event
>>> appears with "var1 different from the FIRST var1".
>>>
>>> I tried to configure a Pair rule, but the problem is that my two events
>>> trigger the large pattern1 regex and never trigger the pattern2.
>>>
>>> The objective is then to write somewhere vars from the event 1 and event
>>> 2.
>>>
>>> Thank you,
>>>
>>> --
>>> *Jon.*
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
>>> Develop your own process in accordance with the BPMN 2 standard
>>> Learn Process modeling best practices with Bonita BPM through live
>>> exercises
>>> http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual-
>>> event?utm_
>>> source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>
>>>
>>
>
>
> --
> *Jon.*
>
------------------------------------------------------------------------------
BPM Camp - Free Virtual Workshop May 6th at 10am PDT/1PM EDT
Develop your own process in accordance with the BPMN 2 standard
Learn Process modeling best practices with Bonita BPM through live exercises
http://www.bonitasoft.com/be-part-of-it/events/bpm-camp-virtual- event?utm_
source=Sourceforge_BPM_Camp_5_6_15&utm_medium=email&utm_campaign=VA_SF
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
