hi Roni,
in the case of SingleWithThreshold rule (and other counting rules), variables
in the 'action' field are indeed substituted when the first matching event
appears and the counting operation is initialized. One reason for this is the
following -- not all event correlation operations execute an action when a
matching event appears, but in some cases (e.g., PairWithWindow operations) the
execution is triggered by system clock. In such cases, it is not possible to
set match variables to any values. To have the substitution done in the same
way for all operations, variables are substituted when the operation starts
(all operations are started by some event and thus match variables can be
accessed at that moment).
However, there is an easy solution for addressing the problem you have
described. Each SingleWithThreshold rule can be expressed as an EventGroup
rule, but the latter has several extra fields for extended counting
functionality. One such field is the 'count' field which allows for executing
an action each time an operation sees a new event. Since the 'count' field
defines repeated execution, variables in its action list are substituted before
each execution. Therefore, one can write the following rule:

type=EventGroup
ptype=RegExp
pattern=test (\d+)
desc=test number $1
count=assign %currentline $0
action=write - the line that finally triggered the action is: %currentline; \
       write - the line that started the event correlation operation is: $0
thresh=3
window=60

If a line matches the above rule and is processed by a counting operation, the
%currentline action list variable is set to this line. If this line fulfills
the threshold condition, the execution of the 'count' field is immediately
followed by the execution of the 'action' field, and thus %currentline holds
the line that triggered the action. For example, if you provide the following
input events to the above rule:

Nov 21 11:30:52 test 1
Nov 21 11:30:59 test 1
Nov 21 11:31:05 test 1

a counting operation is started with opstring "test number 1", and this
operation prints out the following two lines when the threshold is reached:

the line that finally triggered the action is: Nov 21 11:31:05 test 1
the line that started the event correlation operation is: Nov 21 11:30:52 test 1

(the second line reflects the fact that variable substitution for the 'action'
field was done when the operation started)
Hope this helps,
risto
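To make the substitution timing described above concrete, here is a small Python model of it. This is an added example for this thread, not SEC's own code, and the rule dictionaries, the CountingOperation class and the sliding-window handling are simplified assumptions of mine (an operation fires at most once, and $0 is taken to be the whole input line, as the sample output in the reply shows). It runs the EventGroup rule from the reply over the three constructed sample lines, and alongside it a SingleWithThreshold-style rule with no 'count' field, so the difference in what $0 and %currentline hold at action time is visible.

```python
import re
from datetime import datetime

# Constructed sample input: the three events from the thread (not real logs).
SAMPLE_LINES = [
    "Nov 21 11:30:52 test 1",
    "Nov 21 11:30:59 test 1",
    "Nov 21 11:31:05 test 1",
]

# Hypothetical in-memory form of the EventGroup rule from the thread.
EVENTGROUP_RULE = {
    "pattern": r"test (\d+)",
    "desc": "test number $1",
    "count": ("assign", "%currentline", "$0"),
    "action": [
        "the line that finally triggered the action is: %currentline",
        "the line that started the event correlation operation is: $0",
    ],
    "thresh": 3,
    "window": 60,
}

# The SingleWithThreshold-style rule that prompted the question: no 'count'
# field, so $0 in 'action' can only ever be the first event.
SINGLE_RULE = {
    "pattern": r"test (\d+)",
    "desc": "test number $1",
    "count": None,
    "action": ["last event: $0"],
    "thresh": 3,
    "window": 60,
}


def parse_time(line):
    """Syslog-style timestamp without a year; adequate for this model."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def substitute_match_vars(text, line, match):
    """Replace $0 (the whole input line) and $1, $2, ... (regexp groups)."""
    def repl(m):
        idx = int(m.group(1))
        if idx == 0:
            return line
        if idx <= (match.lastindex or 0):
            return match.group(idx)
        return m.group(0)  # unknown variable: leave the text as-is
    return re.sub(r"\$(\d+)", repl, text)


def substitute_action_vars(text, action_vars):
    """Replace %name with action list variables, right before execution."""
    return re.sub(r"%(\w+)", lambda m: action_vars.get(m.group(1), m.group(0)), text)


class CountingOperation:
    """One correlation operation, identified by its substituted desc (opstring)."""

    def __init__(self, rule, line, match, ts):
        self.rule = rule
        self.timestamps = []
        self.action_vars = {}
        self.fired = False
        # Match variables in 'action' are substituted once, when the operation
        # starts, so $0 here is always the first matching event.
        self.action = [substitute_match_vars(a, line, match) for a in rule["action"]]

    def feed(self, line, match, ts):
        """Count one matching event; return the action output if the threshold is reached."""
        # 'count' is executed for every event, so its match variables are fresh.
        if self.rule["count"]:
            op, name, value = self.rule["count"]
            if op == "assign":
                self.action_vars[name.lstrip("%")] = substitute_match_vars(value, line, match)
        # Sliding window: keep events no older than 'window' seconds.
        self.timestamps = [t for t in self.timestamps + [ts]
                           if (ts - t).total_seconds() <= self.rule["window"]]
        if not self.fired and len(self.timestamps) >= self.rule["thresh"]:
            self.fired = True  # simplification: fire once per operation
            return [substitute_action_vars(a, self.action_vars) for a in self.action]
        return []


def run_rule(rule, lines):
    """Feed lines through the rule; return what its 'action' field would write."""
    regex = re.compile(rule["pattern"])
    ops, output = {}, []
    for line in lines:
        match = regex.search(line)
        if not match:
            continue
        ts = parse_time(line)
        opstring = substitute_match_vars(rule["desc"], line, match)
        if opstring not in ops:
            ops[opstring] = CountingOperation(rule, line, match, ts)
        output.extend(ops[opstring].feed(line, match, ts))
    return output


if __name__ == "__main__":
    for out in run_rule(EVENTGROUP_RULE, SAMPLE_LINES) + run_rule(SINGLE_RULE, SAMPLE_LINES):
        print(out)
```

Running it reproduces the two lines quoted in the reply for the EventGroup rule, while the 'count'-less rule reports the 11:30:52 line as its "last event", which is exactly the behaviour the question describes.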
________________________________
From: Riska, Roni (Nokia - FI/Espoo) <roni.ri...@nokia.com>
Sent: Tuesday, November 21, 2017 9:57 AM
To: simple-evcorr-users@lists.sourceforge.net
Subject: [Simple-evcorr-users] Get last event in SingleWithThreshold rule
Hello,
The question is if I can get the last triggering event line when using rule
type SingleWithThreshold?
The match variable $0 gives the first event that started the correlation for
this rule but I would like to get the last event that triggered the action for
the rule and use that in the rule action. In this case I would just write the
event to standard output.
I know I could do this using two rules and a context that holds the event but I
was wondering if there would be some simpler way, without additional rules.
Like, accessing the input buffer or something like that.
Thanks
Roni