Hi Risto,

Sorry for my English. Thank you in advance.

I want to search the values added to the context (SM_$+{subject} $+{mid}) in
the file, then compare the email domains extracted for them and see
whether they are equal. If they are equal, show a message on the screen;
if one of them is different, just skip it.


Input file:

email:Mid 52364 Subject:'Hello World'
email:Mid 52365 Subject:'Hello World'
email:Mid 52366 Subject:'Hello World'
email:Mid 52366 sender:'s...@sec.com'
email:Mid 52365 sender:'ja...@sec.com <sender%3a%27ja...@seco.com>'
email:Mid 52364 sender:'pe...@sec.com'

This input file creates the context 'SM_Hello World', capturing in this
context the following mids: 52364, 52365 and 52366. Then I want to read these
mids (52364, 52365 and 52366), search the file and extract the sender
value. In this example file: s...@sec.com <sender%3a%27...@sec.com>,
ja...@sec.com <sender%3a%27ja...@seco.com>, pe...@sec.com
<sender%3a%27pe...@sec.com>. Afterwards, with a regexp, I extract the domain names and
save them in an array; in this case it is @sec.com. After that I compare the array
values with each other and determine whether they are the same or not.


I was testing your idea a bit (I modified it first to avoid Perl typos and be
sure that the code was OK). I left just a print message:

rem=detect mid y subject
type=Single
ptype=Regexp
pattern=email:Mid\s(\d+)\sSubject\:\'([^\']*)\'
varmap=SubjectMID;log=0;mid=1;subject=2
continue=TakeNext
desc=parser mid y subject
action=none

rem=create context and store first mid-count 2 and 3
type=EventGroup1
ptype=Cached
pattern=SubjectMID
context=SM_$+{subject}
thresh=2
window=60
count=add SM_$+{subject} $+{mid}
desc=create context by subject_$+{subject}
end=delete SM_$+{subject}
action  = copy SM_$+{subject} %hashmids; lcall %o %hashmids -> ( \
print "\nArrive!!!!!";\
);reset 0;


rem=create context and store first mid-count 1
type=Single
ptype=Cached
pattern=SubjectMID
context=!SM_$+{subject}
continue=TakeNext
desc=create context by subject_$+{subject}
action=create SM_$+{subject} 60; add SM_$+{subject} $+{mid}

Output:

SEC (Simple Event Correlator) 2.6.2
Reading configuration from C:\prueba.conf

Rule in C:\prueba.conf at line 10: Eval 'print "\nArrive!!!!!";' didn't
return a code reference: 1
Rule in C:\prueba.conf at line 10: Invalid action list ' copy
SM_$+{subject} %hashmids; lcall %o %hashmids -> ( print
"\nArrive!!!!!";);reset 0; '
2 rules loaded from C:\prueba.conf
Opening input file C:\muestra.log
set the 'inode' to fileID 1475149703 for file C:\muestra.log
No such signal: SIGUSR1 at C:\sec line 10043.
No such signal: SIGUSR2 at C:\sec line 10046.
Stdin connected to terminal, SIGINT can't be used for changing the logging
level
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_STARTUP'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Creating context 'SM_Hello World'
Adding event(s) '52364' to context 'SM_Hello World'
Creating SEC internal context 'SEC_INTERNAL_EVENT'
Creating SEC internal event 'SEC_SHUTDOWN'
Deleting SEC internal context 'SEC_INTERNAL_EVENT'
Arrive!!!!!

Is it possible to pass to the Perl function a changing context name
depending on the $+{subject} variable and process this data as I told you
before?
One email creates 'SM_Hello World', other email contexts can be 'SM_Hello from
SEC', another one 'SM_Hallo Frank', 'SM_Julius notes', etc.

Finally, in the first email I just added the Perl function that I
designed to search the files for this data.

This one (not working, because I added note text between ##########):

eval %o ( \
$i=0;\
my(@arraymids)=();\
####################################\
#Here i want to read again the context and extract the values. Add to the
array for processing.\
@midcont=("52366","52365","52364");\
###################################
@files = <C:\\files\\m*.log>;\
print "@files";\
if(@files){\
foreach $file (@files) {\
open   (FILE, "$file");\
while($line= <FILE> ){\
my ($mid, $email)= $line=~ m/email:Mid\s(\d+)\ssender\:\'([^\']*)\'/gi;\
print "\n====>Vuelta\n";\
foreach my $lmid (@midcont) {\
print "\nMid fichero===>$mid\tlmid===>$lmid\n" if defined($mid);\
if ($mid == $lmid){\
my ($username, $domain) = $email =~ /(.*)@(.*)/;\
print "\nDOMAIN FINDED===>$domain\n";\
unshift(@arraymids, $domain);\
}\
}\
}\
}\
if($arraymids[0] eq $arraymids[1] && $arraymids[0] eq $arraymids[2]){\
print "\n=======>SAME DOMAIN\n";\
}else{\
print "\n=======>Different DOMAIN\n";\
}\
}else{\
print "========>NO FILES TO SEARCH";\
}\
);reset 0;



Thank you Risto again. Regards.

2016-10-01 12:50 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:

> 2016-09-30 12:20 GMT+03:00 Jaren Peich <burkol...@gmail.com>:
> > Hi Risto,
> >
> > I have a little doubt that I haven't seen in the documentation.
> > I want to detect and keep some data from the logs and then read the
> context
> > again and extract this data to process this info through a Perl
> function.
> >
>
> ...
>
> > action  = eval %o ( \
> > $i=0;\
> > my(@arraymids)=();\
> > ####################################\
> > #Here i want to read again the context and extract the values. Add to the
> > array for processing.\
> > @midcont=("52366","52365","52364");\
> > ###################################
>
> I am still not sure whether I have understood the problem correctly,
> but if you would like to access the event store of the SEC context
> from a Perl function/expression, I would recommend to use the 'copy'
> action before the Perl code is invoked. For example, if the event
> store of context TEST contains events "test1", "test2" and "test3",
> then the following action
>
> copy TEST %events
>
> will set the action list variable %events to the following string
> "test1<NEWLINE>test2<NEWLINE>test3".
> After the %events variable has been set, you can pass it as an input
> parameter to the Perl function invoked with 'lcall' action. If you are
> using 'eval', the %events variable can be directly accessed from the
> Perl code, since it is substituted before each compilation and
> execution. (Again, I would take the opportunity and recommend the use
> of 'lcall' instead of 'eval', since 'lcall' is much more efficient.)
>
> kind regards,
> risto
>
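A corrected version of the three rules, added here as an example (not Risto's reply and not the author's posted rules): the lcall body is wrapped in sub { } so that it returns a code reference, the mids come from the event store that 'copy' placed in %hashmids, and the sender files are read with the regex from the post. The glob path C:/files/m*.log (forward slashes) is an assumption standing in for the author's C:\files\m*.log; the domain check is generalized to any number of mids.

```perl
# Parse the subject line; the cached fields are used by the two rules below.
type=Single
ptype=Regexp
pattern=email:Mid\s(\d+)\sSubject:'([^']*)'
varmap=SubjectMID;mid=1;subject=2
continue=TakeNext
desc=parse mid and subject
action=none
# Further mids for a known subject: 'copy' expands SM_$+{subject} before
# 'lcall' runs, so the Perl code always receives the events of the context
# for the current subject. No Perl '#' comments inside the continued action:
# SEC joins the lines into one, so a comment would swallow the rest of the code.
type=EventGroup1
ptype=Cached
pattern=SubjectMID
context=SM_$+{subject}
thresh=2
window=60
count=add SM_$+{subject} $+{mid}
desc=collect mids for subject $+{subject}
end=delete SM_$+{subject}
action=copy SM_$+{subject} %hashmids; \
  lcall %o %hashmids -> ( sub { \
    my @mids = split(/\n/, $_[0]); \
    my @domains = (); \
    foreach my $file (glob('C:/files/m*.log')) { \
      open(my $fh, '<', $file) or next; \
      while (my $line = <$fh>) { \
        my ($mid, $addr) = $line =~ /email:Mid\s(\d+)\ssender:'([^']*)'/; \
        next unless defined($mid) && grep { $_ eq $mid } @mids; \
        my ($domain) = $addr =~ /\@([\w.-]+)/; \
        push(@domains, lc($domain)) if defined($domain); \
      } \
      close($fh); \
    } \
    my @sorted = sort @domains; \
    return 0 unless @sorted == @mids && $sorted[0] eq $sorted[-1]; \
    print "SAME DOMAIN $sorted[0] for mids " . join(', ', @mids) . "\n"; \
    return 1; \
  } ); \
  reset 0
# First mid for a new subject: create the context and store the mid.
type=Single
ptype=Cached
pattern=SubjectMID
context=!SM_$+{subject}
continue=TakeNext
desc=create context for subject $+{subject}
action=create SM_$+{subject} 60; add SM_$+{subject} $+{mid}
```

The sub prints only when every mid in the context has a sender line and all extracted domains are identical; otherwise it returns 0 silently, which matches the "just skip it" requirement.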
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users