Hello, In my SEC rules I using pattern match cache. I would like to know is the pattern match cache content after injection of synthetics event. Is there any possibility to clear record from pattern match cache on demand?
Consider the following SEC rule config (t.sec) : ---------------------------------------------------- rem=Rule 1 type=Single ptype=RegExp pattern=(?<EVENT>\S+) (?<TYPE>Problem|Resolution) varmap=MY_EVENT context=!_INTERNAL_EVENT continue=TakeNext desc=Parse My Event action=write - R1: Parsing my event rem=Rule 2 type=Single ptype=RegExp pattern=SYNTHETIC (?<EVENT>\S+) (?<TYPE>Problem|Resolution) varmap=SYNTHETIC_EVENT context=_INTERNAL_EVENT continue=TakeNext desc=Parse Synthetic Event action=write - R2: Parsing synthetic event rem=Rule 3 type=Single ptype=Cached pattern=MY_EVENT context=MY_EVENT :> ( sub { return $_[0]->{"TYPE"} eq "Problem"; } ) desc=Problem_$+{EVENT} action=write - R3: Problem: $+{EVENT} rem=Rule 4 type=Single ptype=Cached pattern=MY_EVENT context=MY_EVENT :> ( sub { return $_[0]->{"TYPE"} eq "Resolution"; } ) desc=Resolution_$+{EVENT} action=event 0 SYNTHETIC $0; write - R4: Injecting synthetic event rem=Rule 5 type=Single ptype=Cached pattern=SYNTHETIC_EVENT context=SYNTHETIC_EVENT :> ( sub { return $_[0]->{"TYPE"} eq "Resolution"; } ) desc=Resolution_$+{EVENT} action=write - R5: $0 Run the sec instance: sec -input=- -conf=./t.sec -intevents -intcontexts and put this input event: Event1 Resolution SEC will match: * Rule 1 * Rule 4 -> inject synthetic event * Rule 2 * Rule 4 * Rule 2 * Rule 4 * etc. I would expect that after synthetic event injection (2nd rule), sec will match 5th rule. As from doc: "Note that before processing each new input line, previous content of the pattern match cache is cleared." Instead of, it will match 2-4-2-4..etc rules. This means, that after first synthetics event injection (4th rule) and match by 2nd rule, pattern match cache must contains two match records: "MY_EVENT" and "SYNTHETIC_EVENT". Therefore rule 5 never match. One solution what I see is to add additional context test in rules 3-4-5 for presence of "_INTERNAL_EVENT" context. Question is, if is possible to "somehow" clear the content or given record from pattern cache after synthetics event injection to allow rule5 match? Thanks, Dusan ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users