I want to create a rule that simply tells me that I'm getting messages from a particular log file. I'm maintaining this state information in a context and reset the TTL of the context when I get a message. I'm also using -intcontexts to distinguish that I'm getting the message from that log file. My rule is like this:
type=Single continue=TakeNext context=[_FILE_EVENT_/var/log/test_log && TEST_ALIVE] desc=reset TEST_ALIVE context ttl to 120 action= set TEST_ALIVE 120 Basically, I just want to reset the context TTL, and move on to the other rules. However, I'm getting these types of error messages: Keyword 'pattern' missing (needed for SINGLE rule) Keyword 'ptype' missing (needed for SINGLE rule) I suppose I can just put a simple pattern like: ptype=regexp pattern=^. But that would be an extra operation and I wonder if there is a more efficient way? Thanks, Bond ------------------------------------------------------------------------------ _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
