Hi Risto,

I have a doubt about a Suppress rule.

Scene:

Input: Jul 19 16:07:42 down

File 1_Extract_field.conf:

type     = Jump
ptype    = RegExp
desc     = $0
continue = takenext
pattern  = (\w+\s\d+\s\d+:\d+:\d+)\s(\w+)
varmap   = rule;date=1;action=2;
cfset  = rulesOP


File 2_Filter_Conditions:

type      = Options
joincfset = rulesOP
procallin = no


type     = Suppress
ptype    = Cached
pattern  = rule
context = $+{date} ->(sub{%monnum = ('Jan' => 1, 'Feb' => 2, 'Mar' => 3,\
'Apr' => 4, 'May' => 5, 'Jun' => 6, 'Jul' => 7, 'Aug' => 8, 'Sep' => 9,\
'Oct' => 10, 'Nov' => 11, 'Dec' => 12);\
($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);\
$mon=$mon+1;\
$year=$year+1900;\
$wday=$wday+1;\
print "\nSystem:$mday###$mon###$year\n";\
print "\nLog:$dia##$mes##$monnum{$mes}\n";\
if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
{\
return TRUE;\
}else{\
return FALSE;\
}})

type     = Jump
ptype    = Cached
continue = Takenext
pattern  = rule
context = $+{action} ->(sub{$_[0] =~ m/down/gi})
cfset    = rule-Alert

File 3_Alert_Launch:

type      = Options
joincfset = rule-Alert
procallin = no


type     = SingleWithThreshold
ptype    = Cached
continue = TakeNext
pattern  = rule
window   = 300
thresh   = 10
desc     = $+{event_date}
action   = eval %o (print "Launch Alert";);


Problem: I don't know how to validate or not validate the Suppress rule
depending on the if code: suppress or not suppress the input.

Thank you in advance! Regards Risto.
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
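
An added example, not part of the original message: a standalone Perl version of the date comparison that a context expression of the form `$+{date} -> (sub { ... })` could perform, returning 1 or 0 because SEC takes the operand's truth value from the Perl boolean value of the function's result. It assumes the `date` field is a yearless syslog timestamp such as "Jul 19 16:07:42"; the name `older_than_today` and the sample timestamps are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original message). Sample data is constructed.
use strict;
use warnings;
use Time::Local qw(timelocal);

my %MONNUM = (Jan => 1, Feb => 2, Mar => 3, Apr => 4,  May => 5,  Jun => 6,
              Jul => 7, Aug => 8, Sep => 9, Oct => 10, Nov => 11, Dec => 12);

# Returns 1 when the log timestamp falls on an earlier day of the current
# month than $now (epoch seconds), otherwise 0.
# Assumption: the timestamp has no year field, so the year is not compared.
# The result is numeric on purpose: in Perl any non-empty string other than
# "0" is true, so returning the strings "TRUE" or "FALSE" is true either way.
sub older_than_today {
    my ($stamp, $now) = @_;
    return 0 unless defined $stamp;

    # "Jul 19 16:07:42" splits into month name, day of month, time of day
    my ($mes, $dia, $hora) = split ' ', $stamp;
    return 0 unless defined $dia && $dia =~ /^\d+$/ && exists $MONNUM{$mes};

    # localtime() months are 0-based, so add 1 before comparing
    my ($mday, $mon) = (localtime($now))[3, 4];
    return ($MONNUM{$mes} == $mon + 1 && $dia < $mday) ? 1 : 0;
}

# Constructed "system time": 20 Jul 2016, 12:00 local time
my $now = timelocal(0, 0, 12, 20, 6, 2016);

# Constructed timestamps: previous day, same day, previous month, malformed
for my $stamp ('Jul 19 16:07:42', 'Jul 20 09:00:00', 'Jun 30 23:59:59', 'down') {
    printf "%-16s -> %d\n", $stamp, older_than_today($stamp, $now);
}
```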
