hi Shashi,

I tested the rule quickly against the following input line that you
provided in your previous post:

Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8
08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor
alarm on power supply 2: failed

In my quick test, I set the window parameter of the PairWithWindow rule to
1, in order to see if the 'pattern' field matches this line, and if the
action in the 'action' field gets triggered after 1 second. At least in my
case, the rule is working perfectly:

sec --conf=test-sec.conf --input=-
SEC (Simple Event Correlator) 2.7.8
Reading configuration from test-sec.conf
1 rules loaded from test-sec.conf
No --bufsize command line option or --bufsize=0, setting --bufsize to 1
Opening input file -
Interactive process, SIGINT can't be used for changing the logging level

Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8
08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor
alarm on power supply 2: failed     <--- that's the line I typed to sec
standard input

Executing shell command 'perl /etc/syslog-config/send2mom/sec_s2m_v2.pl
--targetparent san-w170-dcr-sw-02-mgmt --target 2 --notifying_group NETRS
--severity MAJOR --kpi Network --pattern
"SATCTRL-FEX107-2-SOHMS_DIAG_ERROR:" --log
"SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power
supply 2: failed" --source SEC --sendevent on'     <--- and that's a sec
debug message which indicates the action execution

Are you sure that your sec instance actually observed that event? Also,
since the event correlation window is fairly large (3600 seconds), are you
sure sec was not restarted while the event correlation operation was
running?

regards,
risto




2016-09-08 23:43 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:

> My bad, sent the wrong rule.
>
>
>
> Here is the correct SEC rule that I have in production.
>
>
>
> type=pairWithWindow
> ptype=regexp
> continue=dontcont
> pattern=Date=.* ,Device=(\S+) ,Msg=.*%((SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed.*)
> desc=$1 $3 $4
> action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
> ptype2=regexp
> pattern2=Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).* Recovered: .* supply (\d): failed)
> desc2=logonly
> action2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
> window=3600
>
>
>
> Thanks,
>
> Shashi
>
>
>
> *From:* Risto Vaarandi [mailto:risto.vaara...@gmail.com]
> *Sent:* Thursday, September 08, 2016 12:31 PM
> *To:* Ganji, Shashirekha Yadav <shash...@qualcomm.com>
> *Cc:* simple-evcorr-users@lists.sourceforge.net
> *Subject:* Re: Pairwithwindow rule
>
>
>
> hi Shashi,
>
> there appears to be a subtle difference between the regular expression and
> the event you are trying to match. When you take a closer look at the
> regular expression, you will notice that it contains the following fragment:
>
> %SATCTRL-FEX101-2
>
> However, the event from the log file contains the substring 
> "%SATCTRL-FEX107-2"
> which doesn't match the above construct. To fix the regular expression and
> make it work for both 101 and 107, you could use the construct 10[17] or
> perhaps just \d+.
>
> kind regards,
>
> risto
>
>
>
>
>
> 2016-09-08 22:11 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:
>
>
>
> Hi All,
>
>
>
> Is there any problem in this rule??
>
>
>
> Rule was all working good but suddenly stopped working by not matching the
> first pattern.
>
>
>
> ## Rule: 30(Nexus Extender power supply) Environment alert regarding power supply failure `It will suppress alarm if power supply recovers within an hour
>
> type=pairWithWindow
> ptype=regexp
> continue=dontcont
> pattern=Date=.* ,Device=(\S+) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed)
> desc=$1 $3 $4
> action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
> ptype2=regexp
> pattern2=Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).* Recovered: .* supply (\d): failed)
> desc2=logonly
> action2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
> window=3600
>
>
>
> To be matched data:
>
>
>
> Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8
> 08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor
> alarm on power supply 2: failed
>
>
>
> Thanks,
>
> SHashi
>
>
>
>
>
>
>
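The checks discussed in this thread, replayed offline as an added example (not code from the thread or from SEC itself): the original and corrected patterns are run against the quoted event, the action string is built but never executed, and a simplified model of the PairWithWindow timing shows what a restart inside the window does. Assumptions: Python's `re` stands in for SEC's Perl regular expressions, the recovery line is constructed, and `captures`, `expand` and `simulate` are hypothetical helper names.

```python
import re

# Patterns and action from the thread, with the e-mail line wraps joined.
OLD = r"Date=.* ,Device=(\S+) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed)"
NEW = r"Date=.* ,Device=(\S+) ,Msg=.*%((SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed.*)"
NEW2 = r"Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).* Recovered: .* supply (\d): failed)"
ACTION = ('perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 '
          '--notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" '
          '--source SEC --sendevent on')

HEAD = ("Date=Sep  8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016  Sep  8 08:12:30 PDT: "
        "%SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 ")
FAIL = HEAD + "System minor alarm on power supply 2: failed"      # the event quoted in the thread
RECOVER = HEAD + "Recovered: minor alarm on supply 2: failed"     # constructed; fits pattern2 only

def captures(pattern, line):
    """SEC-style match variables ($1, $2, ...) for a line, or None if it does not match."""
    m = re.search(pattern, line)
    return None if m is None else {f"${i}": g for i, g in enumerate(m.groups(), 1)}

def expand(template, variables):
    """Substitute $N variables into a template, highest index first."""
    for name in sorted(variables, key=lambda n: -int(n[1:])):
        template = template.replace(name, variables[name])
    return template

def simulate(events, window, end, restart_at=None):
    """Replay (time, line) events up to time `end`; return the (time, kind, detail) actions fired."""
    fired, ops = [], {}                         # ops: desc string -> (start time, variables)
    for t, line in sorted(events) + [(end, "")]:
        if restart_at is not None and restart_at <= t:
            # A restart loses every operation that was still waiting for its window to end.
            ops = {k: o for k, o in ops.items() if o[0] + window <= restart_at}
            restart_at = None
        for key, (start, v) in list(ops.items()):
            if t - start >= window:             # no recovery within the window: alert
                fired.append((start + window, "action", expand(ACTION, v)))
            elif captures(expand(NEW2, {"$1": re.escape(v["$1"])}), line):
                fired.append((t, "action2", v["$1"]))   # recovered in time: suppress, log only
            else:
                continue
            del ops[key]
        v = captures(NEW, line)
        if v:
            ops.setdefault(expand("$1 $3 $4", v), (t, v))
    return fired
```

With `window=3600` and a restart at any point before the hour is up, `simulate` returns an empty list: the failure event was matched, but neither action ever runs.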