Thank you Risto. Regards.

2016-07-22 16:02 GMT+02:00 Risto Vaarandi <[email protected]>:
> 2016-07-22 14:54 GMT+03:00 Risto Vaarandi <[email protected]>:
>
>> hi Jaren,
>>
>> 2016-07-22 13:29 GMT+03:00 Jaren Peich <[email protected]>:
>>
>>> Thank you for your tips, I haven't realised.
>>>
>>> The problem that I have is I want to validate the context with the
>>> perl function. I only want to process current date inputs comparing system
>>> date and input date and analyse the events that occurred this date.
>>>
>>> Jul 19 16:02:42 --->I don't want to analyse
>>> Jul 22 11:07:42 --->I need to analyse
>>> Jul 21 12:08:42 --->I don't want to analyse
>>> Jul 22 10:07:42 --->I need to analyse
>>>
>>> I have to check the date of the event with the perl function and
>>> validate the context, this is the way that I thought. Is this possible?
>>
>> ...
>>
>> try to use the following code block:
>>
>> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
>
> you actually don't need the previous line -- I mistakenly
> copied-and-pasted it into the rule. Didn't notice it immediately, though,
> since the following statement overwrites all variables with correct values
> :)
> risto
>
>> ($mes,$dia,$hora,$anno)=split(" ",$_[0]);\
>> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);\
>> $mon=$mon+1;\
>> $year=$year+1900;\
>> $wday=$wday+1;\
>> if (!defined($anno)) { $anno = $year; } \
>> return ($dia != $mday || $monnum{$mes} != $mon || $anno != $year); \
>> })
>>
>> Since this contextual expression evaluates true for all past and future
>> dates, the Suppress rule will not pass events with such dates to further
>> rules. The only events which the Suppress rule does not match are the ones
>> with the current date, and therefore further rules can process them.
>>
>> hope this helps,
>> risto
>>
>>> Regards.
>>>
>>> 2016-07-21 14:17 GMT+02:00 Risto Vaarandi <[email protected]>:
>>>
>>>> hi Jaren,
>>>> what do you mean by validating the Suppress rule -- did you mean
>>>> debugging it, in order to identify potential faults in the rule? I had a
>>>> quick look into the rule and actually noticed a few things which could be
>>>> fixed.
>>>>
>>>> Apparently, the Suppress rule assumes that the $+{date} match variable
>>>> holds a date in the following format: Jul 19 16:07:42
>>>> (The same format is used for timestamps in BSD syslog messages.)
>>>>
>>>> However, the Perl code in the context expression of the Suppress rule
>>>> parses this timestamp in the following way:
>>>>
>>>> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);
>>>>
>>>> This means that $diaSem will be set to month (e.g., Jul), $mes will be
>>>> set to day of the month (e.g., 19), and $dia will be set to
>>>> hours-minutes-seconds (e.g., 16:07:42). As for $hora and $anno, they will
>>>> remain uninitialized. This is probably not what you want, and to cope with
>>>> BSD syslog timestamps, the following parsing statement is probably a better
>>>> option:
>>>>
>>>> ($mes,$dia,$hora,$anno)=split(" ",$_[0]);
>>>>
>>>> Nevertheless, that would still leave $anno variable undefined, since
>>>> the timestamp does not hold the year information. To fix this, you could
>>>> simply set $anno to the current year number if it wasn't set by the parsing
>>>> statement. For example (the relevant statement is in the third line):
>>>>
>>>> print "\nSystem:$mday###$mon###$year\n";\
>>>> print "\nLog:$dia##$mes##$monnum{$mes}\n";\
>>>> if (!defined($anno)) { $anno = $year; } \
>>>> if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
>>>>
>>>> I think the Suppress rule should now work in a better way for you, and
>>>> it should be able to catch events for previous days of the same month.
>>>>
>>>> kind regards,
>>>> risto
>>>>
>>>> 2016-07-21 13:48 GMT+03:00 Jaren Peich <[email protected]>:
>>>>
>>>>> Hi risto,
>>>>>
>>>>> I have a doubt about a Suppress rule.
>>>>>
>>>>> Scene:
>>>>>
>>>>> Input:Jul 19 16:07:42 down
>>>>>
>>>>> File 1_Extract_field.conf:
>>>>>
>>>>> type = Jump
>>>>> ptype = RegExp
>>>>> desc = $0
>>>>> continue = takenext
>>>>> pattern = (\w+\s\d+\s\d+:\d+:\d+)\s(\w+)
>>>>> varmap = rule;date=1;action=2;
>>>>> cfset = rulesOP
>>>>>
>>>>> File 2_Filter_Conditions:
>>>>>
>>>>> type = Options
>>>>> joincfset = rulesOP
>>>>> procallin = no
>>>>>
>>>>> type = Suppress
>>>>> ptype = Cached
>>>>> pattern = rule
>>>>> context = $+{date} ->(sub{%monnum = ('Jan' => 1, 'Feb' => 2, 'Mar' => 3, 'Apr' => 4, 'May' => 5, 'Jun' => 6, 'Jul' => 7, 'Aug' => 8, 'Sep' => 9, 'Oct' => 10, 'Nov' => 11, 'Dec' => 12);\
>>>>> ($diaSem,$mes,$dia,$hora,$anno)=split(" ",$_[0]);\
>>>>> my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);\
>>>>> $mon=$mon+1;\
>>>>> $year=$year+1900;\
>>>>> $wday=$wday+1;\
>>>>> print "\nSystem:$mday###$mon###$year\n";\
>>>>> print "\nLog:$dia##$mes##$monnum{$mes}\n";\
>>>>> if($dia<$mday && $monnum{$mes}==$mon && $anno == $year)\
>>>>> {\
>>>>> return TRUE;\
>>>>> }else{\
>>>>> return FALSE;\
>>>>> }})
>>>>>
>>>>> type = Jump
>>>>> ptype = Cached
>>>>> continue = Takenext
>>>>> pattern = rule
>>>>> context = $+{action} ->(sub{$_[0] =~ m/down/gi})
>>>>> cfset = rule-Alert
>>>>>
>>>>> File 3_Alert_Launch:
>>>>>
>>>>> type = Options
>>>>> joincfset = rule-Alert
>>>>> procallin = no
>>>>>
>>>>> type = SingleWithThreshold
>>>>> ptype = Cached
>>>>> continue = TakeNext
>>>>> pattern = rule
>>>>> window = 300
>>>>> thresh = 10
>>>>> desc = $+{event_date}
>>>>> action = eval %o (print "Launch Alert";);
>>>>>
>>>>> Problem: I don't know how to validate or not validate the suppress
>>>>> rule depending on the if code. Suppress or not suppress the input.
>>>>>
>>>>> Thank you in advance! Regards Risto.
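Risto's corrected context expression as a standalone Perl script (an added example, not code from the thread or from SEC), so the check can be exercised against the four sample timestamps without starting SEC. The comparison time is passed in as an argument, which is an addition for testability; inside the rule you would keep localtime(time).

```perl
#!/usr/bin/perl
# Added example, not from the thread: the date check from the corrected
# Suppress rule as a plain function. The epoch time to compare against is
# an argument so the result does not depend on when the script is run.
use strict;
use warnings;
use Time::Local qw(timelocal);

my %monnum = ('Jan' => 1, 'Feb' => 2, 'Mar' => 3, 'Apr' => 4,  'May' => 5,
              'Jun' => 6, 'Jul' => 7, 'Aug' => 8, 'Sep' => 9,  'Oct' => 10,
              'Nov' => 11, 'Dec' => 12);

# Returns true when the BSD syslog timestamp in $stamp does NOT fall on the
# date of $now, i.e. when the Suppress rule should swallow the event.
# Real booleans are used on purpose: the barewords TRUE/FALSE in the first
# version of the rule are just strings, and the string "FALSE" is true in Perl.
sub not_today {
    my ($stamp, $now) = @_;
    my ($mes, $dia, $hora, $anno) = split(" ", $stamp);
    my ($sec, $min, $hour, $mday, $mon, $year) = localtime($now);
    $mon  += 1;     # localtime() months are 0-based
    $year += 1900;  # localtime() years count from 1900
    # Anything that is not "Mon DD hh:mm:ss[ YYYY]" is suppressed as well
    return 1 unless defined $dia && $dia =~ /^\d+$/ && exists $monnum{$mes};
    $anno = $year unless defined $anno;   # syslog stamps carry no year
    return ($dia != $mday || $monnum{$mes} != $mon || $anno != $year) ? 1 : 0;
}

# Constructed sample: the four timestamps from the thread plus one with an
# explicit year, checked as if the system clock read 2016-07-22 12:00:00
# local time (timelocal() months are 0-based, like localtime()).
my $now = timelocal(0, 0, 12, 22, 6, 2016);
for my $ts ("Jul 19 16:02:42", "Jul 22 11:07:42",
            "Jul 21 12:08:42", "Jul 22 10:07:42", "Jul 22 10:07:42 2015") {
    printf "%-20s -> %s\n", $ts, not_today($ts, $now) ? "suppress" : "analyse";
}
```

Only the two Jul 22 stamps without a year print "analyse"; the others print "suppress", which matches what the Suppress rule should pass on to the later rules.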
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
