hi Stuart,
you are on the right track and the PerlFunc pattern in your rule properly
maps the integer into a string. As explained in the documentation section
of different pattern types (see http://simple-evcorr.github.io/man.html#lbAG),
return values from the PerlFunc pattern function initialize match variables
$1, $2, etc. It is similar how RegExp pattern sets match variables, but
this time the variables and their values are not defined by regular
expression capture groups, but rather by values that you return from the
function.
Since your rule returns only one value, it sets the $1 variable ($0 is set
to the entire matching line automatically by SEC). For example, the
following rule will write the string "down event with color <colortext>" to
standard output for each matching event:
type=Single
ptype=PerlFunc
pattern = sub { \
my %hash = ( 1 => "red", 2 => "green", 3 => "blue" ); \
my $line = $_[0]; \
my ($node) = ($line) =~ /down: (\d+)/; \
my $color = $hash{$node}; \
return $color; }
desc=extract color
action=write - down event with color $1
One side note -- if you are going to use %hash with integer-color mappings
in more than one pattern, I would recommend to make it a global hash that
is set once when SEC starts (this also requires --intevents command line
option). That would avoid unnecessary creation of the same hash in each
rule:
type=Single
ptype=SubStr
pattern=SEC_STARTUP
context=SEC_INTERNAL_EVENT
desc=initialize integer-color mapping table
action=lcall %o -> ( sub { %hash = ( 1 => "red", 2 => "green", 3 => "blue"
) } )
type=Single
ptype=PerlFunc
pattern = sub { \
my $line = $_[0]; \
my ($node) = ($line) =~ /down: (\d+)/; \
my $color = $hash{$node}; \
return $color; }
desc=extract color
action=write - down event with color $1
Using a global hash would also allow to convert the integer into color not
just in PerlFunc patterns, but in any part of the rule where Perl code can
be executed. For example, here is another version of the above rule which
uses a RegExp pattern for matching the event, and employs the 'lcall'
action for obtaining the color in the action list. The 'if' action is then
used to output a string only if the integer has a corresponding color:
type=Single
ptype=RegExp
pattern=down: (\d+)
desc=extract color
action=lcall %color $1 -> ( sub { $hash{$_[0]} } ); \
if %color ( write - down event with color %color )
I hope these examples are helpful.
kind regards,
risto
2017-07-25 15:53 GMT+03:00 Stuart Kendrick <stua...@alleninstitute.org>:
> I want to grab a string from a log line, return a hash value, and write
> that hash value
>
>
>
> e.g. I grab an integer from a log line and want to write a color
>
>
>
>
>
> LOG LINE
>
> 2017-07-25T04:31:10-07:00 server-foo … down: 3 ….
>
>
>
>
>
> PSEUDO-SEC CONFIG
>
> %hash = ( 1 => red, 2 => green, 3 => blue );
>
>
>
> type=Single
>
> ptype=RegExp
>
> pattern=down: (\d+)
>
> {somehow translate ‘3’ into ‘blue’}
>
> action = write - “Blue is down”
>
>
>
>
>
> MAN PAGE
>
> I’m reading https://simple-evcorr.github.io/man.html , focused on the
> Perl Integration section.
>
>
>
> type=Jump
>
> ptype=PerlFunc
>
> pattern = sub {
>
> my %hash = ( 1 => red, 2 => green, 3 => blue );
>
> my $line = $_[0];
>
> my ($node) = ($line) =~ /down: (\d+)/;
>
> my $color = $hash{$node};
>
> return $color;
>
> }
>
>
>
>
>
> QUESTION
>
> - Am I headed in the right direction?
> - Where would you point me next, in terms of reading about how to
> propagate “$color” into an ‘action’ line?
>
>
>
> --sk
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
