I would second the recommendations from David, and I would advise starting by looking into the examples of Pair and PairWithWindow rules in the official documentation:
http://simple-evcorr.github.io/man.html#lbAO
http://simple-evcorr.github.io/man.html#lbAP
Also, as David mentioned, correlating event pairs can also be accomplished with contexts -- if 1st event appears and you create a context with the name that contains the event UUID, you can check for the presence of this context when the 2nd event with the same UUID appears.

hope this helps,
risto

2015-10-11 22:27 GMT+03:00 Bond Masuda <bond.mas...@jlbond.com>:
> I know this question might be more general than the topic of SEC, but
> they are closely related, and I want to implement using SEC.
>
> So, here is my question. I want to correlate 2 events, but the 2nd event
> (in time) will tell me what to look for in the 1st event. For example,
>
> 1st event: msgid=<UUID>, msg=<XXXXX>
>
> 2nd event: event=<YYYYY> id=<UUID>
>
> I do not know ahead of time the UUID in the 1st message. When I match on
> event=<YYYYY>, I can extract the UUID, but now I want to see if there
> was a message previously with that UUID as msgid=<UUID> and extract the
> msg=<XXXXX> content and correlate event 1 with event 2.
>
> How can I accomplish this in SEC?
>
> Thanks,
> Bond
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
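
The context-based approach described in the reply above, written out as an SEC ruleset. This is an added example, not part of the original thread: the literal line formats, the MSG_ context prefix, the %orig variable, the 3600-second lifetime and the sample lines are assumptions.

```conf
# Constructed sample input (line formats assumed from the question):
#   msgid=3f2b8c1e-7a4d-4e9b-9c6a-1d2e3f4a5b6c, msg=disk quota exceeded
#   event=ALERT id=3f2b8c1e-7a4d-4e9b-9c6a-1d2e3f4a5b6c

# Rule 1: remember the 1st event in a context named after its UUID.
# The strict UUID pattern keeps arbitrary log content out of context names.
# The context expires after 3600 seconds so unmatched messages do not pile up.
type=Single
ptype=RegExp
pattern=msgid=([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}), msg=(.*)
desc=store message for UUID $1
action=create MSG_$1 3600; fill MSG_$1 $2

# Rule 2: the 2nd event arrives and a context for its UUID exists.
# Copy the stored msg text into %orig, report the pair, drop the context.
type=Single
ptype=RegExp
pattern=event=(\S+) id=([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})
context=MSG_$2
desc=event $1 correlated with UUID $2
action=copy MSG_$2 %orig; write - correlated: event=$1 id=$2 msg=%orig; delete MSG_$2

# Rule 3: the 2nd event arrives but no 1st event is on record
# (never seen, already consumed by rule 2, or expired).
type=Single
ptype=RegExp
pattern=event=(\S+) id=([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})
context=!MSG_$2
desc=event $1 has no stored message for UUID $2
action=write - uncorrelated: event=$1 id=$2
```

Saved under a hypothetical name such as uuid.sec, the ruleset can be tried with `sec --conf=uuid.sec --input=-` by pasting the two sample lines on standard input.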