Hello,
In my SEC rules I am using the pattern match cache. I would like to know what the
pattern match cache content is after injection of a synthetic event. Is there any
possibility to clear a record from the pattern match cache on demand?
Consider the following SEC rule config (t.sec):
----------------------------------------------------
rem=Rule 1
type=Single
ptype=RegExp
pattern=(?<EVENT>\S+) (?<TYPE>Problem|Resolution)
varmap=MY_EVENT
context=!_INTERNAL_EVENT
continue=TakeNext
desc=Parse My Event
action=write - R1: Parsing my event

rem=Rule 2
type=Single
ptype=RegExp
pattern=SYNTHETIC (?<EVENT>\S+) (?<TYPE>Problem|Resolution)
varmap=SYNTHETIC_EVENT
context=_INTERNAL_EVENT
continue=TakeNext
desc=Parse Synthetic Event
action=write - R2: Parsing synthetic event

rem=Rule 3
type=Single
ptype=Cached
pattern=MY_EVENT
context=MY_EVENT :> ( sub { return $_[0]->{"TYPE"} eq "Problem"; } )
desc=Problem_$+{EVENT}
action=write - R3: Problem: $+{EVENT}

rem=Rule 4
type=Single
ptype=Cached
pattern=MY_EVENT
context=MY_EVENT :> ( sub { return $_[0]->{"TYPE"} eq "Resolution"; } )
desc=Resolution_$+{EVENT}
action=event 0 SYNTHETIC $0; write - R4: Injecting synthetic event

rem=Rule 5
type=Single
ptype=Cached
pattern=SYNTHETIC_EVENT
context=SYNTHETIC_EVENT :> ( sub { return $_[0]->{"TYPE"} eq "Resolution"; } )
desc=Resolution_$+{EVENT}
action=write - R5: $0

Run the sec instance:
sec -input=- -conf=./t.sec -intevents -intcontexts
and put this input event:
Event1 Resolution
SEC will match:
* Rule 1
* Rule 4 -> inject synthetic event
* Rule 2
* Rule 4
* Rule 2
* Rule 4
* etc.
I would expect that after the synthetic event injection (2nd rule), sec will match
the 5th rule.
As from the doc: "Note that before processing each new input line, previous content
of the pattern match cache is cleared."
Instead, it matches rules 2-4-2-4, etc.
This means that after the first synthetic event injection (4th rule) and the match by
the 2nd rule, the pattern match cache must contain two match records: "MY_EVENT" and
"SYNTHETIC_EVENT".
Therefore rule 5 never matches.
One solution that I see is to add an additional context test in rules 3-4-5 for
the presence of the "_INTERNAL_EVENT" context.
The question is whether it is possible to "somehow" clear the content, or a given
record, from the pattern match cache after a synthetic event injection to allow
rule 5 to match.
Thanks,
Dusan