On Sun, 11 Oct 2015, Bond Masuda wrote:

> I know this question might be more general than the topic of SEC, but
> they are closely related, and I want to implement using SEC.
>
> So, here is my question. I want to correlate 2 events, but the 2nd event
> (in time) will tell me what to look for in the 1st event. For example,
>
> 1st event: msgid=<UUID>, msg=<XXXXX>
>
> 2nd event: event=<YYYYY> id=<UUID>
>
> I do not know ahead of time the UUID in the 1st message. When I match on
> event=<YYYYY>, I can extract the UUID, but now I want to see if there
> was a message previously with that UUID as msgid=<UUID> and extract the
> msg=<XXXXX> content and correlate event 1 with event 2.
>
> How can I accomplish this in SEC?
Looking at the problem generically, you have two ways to do this:

1. keep X messages around so that you can look back at the prior messages

2. keep track of every msgid=<UUID> in case you need it later.

Which approach is most efficient depends on how many false positives #2 would produce vs. the amount of data that needs to be tracked for #1.

In general, you tend to know the max amount of time between the two logs much better than the number of logs that could happen between the two events. So trying to keep all the old data around so you can look back through it is probably more expensive.

So what you want to do is to look for every instance of the 1st event and track it, but only take action if the second event also takes place.

SEC offers two approaches to doing this:

manually (detect the first event, set a context that will expire in X time and do nothing when it expires)

pair of events, where it notices the first event and, if the second event triggers, an action is taken

David Lang

------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
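The "track every first event, act only when the second arrives within a window" approach David describes, written out as an added Python example (not SEC's own code and not from either poster) so the expiry behaviour and its edge cases are visible. The log formats, UUID-like identifiers, timestamps and the 300-second window are all constructed for the example; the regexes are shaped like the two events quoted in the question.

```python
"""Correlate an event that arrives first (msgid=<UUID>, msg=<XXXXX>) with a later
event (event=<YYYYY> id=<UUID>) that names the UUID, keeping first events only
for a bounded window. Added example, not SEC code and not from the thread."""
import re

# Hypothetical message formats, shaped like the two events quoted in the question.
FIRST_RE = re.compile(r'msgid=(?P<uuid>[0-9a-f-]+), msg=(?P<msg>.*)$')
SECOND_RE = re.compile(r'event=(?P<event>\S+) id=(?P<uuid>[0-9a-f-]+)$')


class PairCorrelator:
    """Track first events by UUID and report a pair when the second event arrives
    within `window` seconds. Entries past the window are silently dropped, which
    is the same outcome as an expiring context that fires no action."""

    def __init__(self, window):
        self.window = window
        self.pending = {}   # uuid -> (timestamp of first event, msg payload)

    def _expire(self, now):
        # Drop first events older than the window. Without this the table grows
        # without bound under a stream of first events that never get a partner,
        # which is the cost David refers to for approach #2.
        stale = [u for u, (ts, _) in self.pending.items() if now - ts > self.window]
        for u in stale:
            del self.pending[u]

    def feed(self, ts, line):
        """Consume one log line with its timestamp; return a pair dict or None."""
        self._expire(ts)
        m = FIRST_RE.search(line)
        if m:
            # Remember the first event; take no action yet.
            self.pending[m['uuid']] = (ts, m['msg'])
            return None
        m = SECOND_RE.search(line)
        if m:
            first = self.pending.pop(m['uuid'], None)
            if first is None:
                # Second event with no live first event: nothing to correlate.
                return None
            return {'uuid': m['uuid'], 'event': m['event'],
                    'msg': first[1], 'delay': ts - first[0]}
        return None


# Constructed sample stream: (epoch seconds, log line). The "bbbb" pair is outside
# the 300 s window and the "cccc" second event has no first event at all.
SAMPLE = [
    (1000, 'app: msgid=aaaa-0001, msg=login from 10.0.0.5'),
    (1005, 'app: event=auth_failed id=aaaa-0001'),
    (1010, 'app: msgid=bbbb-0002, msg=password change'),
    (1400, 'app: event=auth_failed id=bbbb-0002'),
    (1401, 'app: event=auth_failed id=cccc-0003'),
]


def run(lines=SAMPLE, window=300):
    """Feed the stream through the correlator and collect the pairs it reports."""
    c = PairCorrelator(window)
    pairs = []
    for ts, line in lines:
        result = c.feed(ts, line)
        if result is not None:
            pairs.append(result)
    return pairs


if __name__ == '__main__':
    for pair in run():
        print(pair)
```

With the 300-second window only the aaaa pair is reported; widening the window to 500 seconds also reports the bbbb pair, and the cccc second event is never reported because no first event was ever seen for it. Pulling the entry out of the table on the first match also means a repeated second event for the same UUID does not fire twice.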