Hi,
I did another approach. I hope help you or another one in the group.
Log example.
2017-07-25T04:31:10-07:00 server-foo … down: 1 ….
2017-07-25T04:31:10-07:00 server-foo … down: 2 ….
2017-07-25T04:31:10-07:00 server-foo … down: 3 ….
Rule:
type = Single
ptype = regexp
pattern = .*down:\s+(\d+)
desc = -
action = eval %o (\
my($cl)="";\
$color{1} = "Red";\
$color{2} = "Green";\
$color{3} = "Blue";\
if (exists($color{$1})) \
{$cl = $color{$1}; }\
$string = "$cl is down(written from Perl)";\
print $string ."\n";\
return $cl;\
); write - %o is down(written from Action);
Risto thank you for your explanations!.
Regards.
2017-07-25 23:47 GMT+02:00 Risto Vaarandi <risto.vaara...@gmail.com>:
> hi Stuart,
>
> you are on the right track and the PerlFunc pattern in your rule properly
> maps the integer into a string. As explained in the documentation section
> of different pattern types (see http://simple-evcorr.github.
> io/man.html#lbAG), return values from the PerlFunc pattern function
> initialize match variables $1, $2, etc. It is similar how RegExp pattern
> sets match variables, but this time the variables and their values are not
> defined by regular expression capture groups, but rather by values that you
> return from the function.
> Since your rule returns only one value, it sets the $1 variable ($0 is set
> to the entire matching line automatically by SEC). For example, the
> following rule will write the string "down event with color <colortext>" to
> standard output for each matching event:
>
> type=Single
> ptype=PerlFunc
> pattern = sub { \
> my %hash = ( 1 => "red", 2 => "green", 3 => "blue" ); \
> my $line = $_[0]; \
> my ($node) = ($line) =~ /down: (\d+)/; \
> my $color = $hash{$node}; \
> return $color; }
> desc=extract color
> action=write - down event with color $1
>
> One side note -- if you are going to use %hash with integer-color mappings
> in more than one pattern, I would recommend to make it a global hash that
> is set once when SEC starts (this also requires --intevents command line
> option). That would avoid unnecessary creation of the same hash in each
> rule:
>
> type=Single
> ptype=SubStr
> pattern=SEC_STARTUP
> context=SEC_INTERNAL_EVENT
> desc=initialize integer-color mapping table
> action=lcall %o -> ( sub { %hash = ( 1 => "red", 2 => "green", 3 => "blue"
> ) } )
>
> type=Single
> ptype=PerlFunc
> pattern = sub { \
> my $line = $_[0]; \
> my ($node) = ($line) =~ /down: (\d+)/; \
> my $color = $hash{$node}; \
> return $color; }
> desc=extract color
> action=write - down event with color $1
>
> Using a global hash would also allow to convert the integer into color not
> just in PerlFunc patterns, but in any part of the rule where Perl code can
> be executed. For example, here is another version of the above rule which
> uses a RegExp pattern for matching the event, and employs the 'lcall'
> action for obtaining the color in the action list. The 'if' action is then
> used to output a string only if the integer has a corresponding color:
>
> type=Single
> ptype=RegExp
> pattern=down: (\d+)
> desc=extract color
> action=lcall %color $1 -> ( sub { $hash{$_[0]} } ); \
> if %color ( write - down event with color %color )
>
> I hope these examples are helpful.
>
> kind regards,
> risto
>
> 2017-07-25 15:53 GMT+03:00 Stuart Kendrick <stua...@alleninstitute.org>:
>
>> I want to grab a string from a log line, return a hash value, and write
>> that hash value
>>
>>
>>
>> e.g. I grab an integer from a log line and want to write a color
>>
>>
>>
>>
>>
>> LOG LINE
>>
>> 2017-07-25T04:31:10-07:00 server-foo … down: 3 ….
>>
>>
>>
>>
>>
>> PSEUDO-SEC CONFIG
>>
>> %hash = ( 1 => red, 2 => green, 3 => blue );
>>
>>
>>
>> type=Single
>>
>> ptype=RegExp
>>
>> pattern=down: (\d+)
>>
>> {somehow translate ‘3’ into ‘blue’}
>>
>> action = write - “Blue is down”
>>
>>
>>
>>
>>
>> MAN PAGE
>>
>> I’m reading https://simple-evcorr.github.io/man.html , focused on the
>> Perl Integration section.
>>
>>
>>
>> type=Jump
>>
>> ptype=PerlFunc
>>
>> pattern = sub {
>>
>> my %hash = ( 1 => red, 2 => green, 3 => blue );
>>
>> my $line = $_[0];
>>
>> my ($node) = ($line) =~ /down: (\d+)/;
>>
>> my $color = $hash{$node};
>>
>> return $color;
>>
>> }
>>
>>
>>
>>
>>
>> QUESTION
>>
>> - Am I headed in the right direction?
>> - Where would you point me next, in terms of reading about how to
>> propagate “$color” into an ‘action’ line?
>>
>>
>>
>> --sk
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>
>>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
