hi Kamil,
since you want to count 'bar' events without having any particular time
constraint imposed for counting, this task can be accomplished without rules
that involve event correlation with a specific window (such as
SingleWithThreshold). In my opinion, it is best to use simple Perl-based
counters that are maintained from Single rules, for example:
# first rule: a foo event for a host resets that host's counter to 0
type=Single
ptype=RegExp
pattern=(\S+): foo
desc=reset counting for $1 when foo appears
action=lcall %o $1 -> ( sub { $count{$_[0]} = 0 } )

# second rule: a bar event increments the host's counter; the context
# expression is true (and the action runs) only once the counter exceeds 3;
# bar events for a host that has not yet seen foo are ignored
type=Single
ptype=RegExp
pattern=(\S+): bar
context=$1 -> ( sub { if (!exists $count{$_[0]}) { return 0; } \
++$count{$_[0]}; return ($count{$_[0]} > 3); } )
desc=count bar for $1
action=write - More than 3 bars have been seen after foo for host $1
This ruleset maintains a custom event counter for each host in the 'count' hash
table, setting the counter to 0 on foo event (the first rule), and incrementing
the counter on bar (the second rule). The second rule not only increments the
counter but also checks if its value is greater than 3, setting the truth value
of the context expression in 'context' field to TRUE if that's the case (as
long as the value is FALSE, the action in the 'action' field is not executed).
If foo reappears for the host, its counter is set back to 0 and event counting
for this host will start from scratch.
There are a number of other approaches for tackling the same task (e.g., one
can push bar events into host based contexts and check their sizes with
'getsize' action), but the above approach is probably the most efficient one.
kind regards,
risto
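The per-host counter logic of the two Single rules, reproduced in plain Python so it can be checked offline against the sample log lines from the question. This is an added example, not SEC code and not part of the original message; the helper names (process_log, FOO_RE, BAR_RE) and the three sample logs are constructed here, with the first two taken from the question's own lines.

```python
"""Simulation of the per-host bar counter maintained by the SEC rules above.

Added example (not part of the original message): it mirrors what the two
Single rules do, so the semantics, including the edge cases, can be verified
without running sec.
"""
import re

# Same patterns as the two SEC rules: "<host>: foo" and "<host>: bar".
FOO_RE = re.compile(r"(\S+): foo")
BAR_RE = re.compile(r"(\S+): bar")

THRESHOLD = 3  # the "> 3" in the rule's context expression


def process_log(lines, threshold=THRESHOLD):
    """Return the indices of the lines whose 'bar' event would trigger the action.

    count maps host -> number of bar events seen since that host's last foo.
    A host that has not produced foo yet has no entry, and its bar events are
    ignored, exactly like the 'return 0' branch in the rule's context code.
    The hash is never pruned, so one entry per host seen is kept for the
    lifetime of the process, just as with the %count hash in the ruleset.
    """
    count = {}
    triggered = []
    for idx, line in enumerate(lines):
        m = FOO_RE.search(line)
        if m:
            count[m.group(1)] = 0      # first rule: foo resets the counter
            continue
        m = BAR_RE.search(line)
        if m:
            host = m.group(1)
            if host not in count:
                continue               # no foo seen yet: context is false
            count[host] += 1
            if count[host] > threshold:
                triggered.append(idx)  # the 'write' action would fire here
    return triggered


# Constructed sample logs; the first two are the sequences from the question
# (the leading digit is the numbering used there, not part of the host name).
LOG_NO_TRIGGER = [
    "0 host1: foo", "1 host1: bar", "2 host1: bar", "3 host1: bar",
    "0 host1: foo", "1 host1: bar",
    "0 host1: foo", "0 host1: foo", "1 host1: bar",
]
LOG_TRIGGER = [
    "0 host1: foo", "1 host1: bar", "2 host1: bar", "3 host1: bar",
    "4 host1: bar", "5 host1: bar",
    "0 host1: foo", "1 host1: bar",
]
# Two hosts interleaved; host2's first bar arrives before any foo for host2.
LOG_MIXED = [
    "host2: bar", "host1: foo", "host2: foo",
    "host1: bar", "host2: bar", "host1: bar", "host2: bar",
    "host1: bar", "host2: bar", "host1: bar",
]

if __name__ == "__main__":
    for name, log in (("no trigger", LOG_NO_TRIGGER),
                      ("trigger", LOG_TRIGGER),
                      ("mixed", LOG_MIXED)):
        print(name, "->", process_log(log))
```

Running it shows the action firing on the 4th and 5th bar of the second sample and on host1's 4th bar in the interleaved sample, while host2 never reaches the threshold and its pre-foo bar is not counted.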
________________________________
From: Kamil B <kamil4...@gmail.com>
Sent: Thursday, January 11, 2018 4:29 PM
To: simple-evcorr-users@lists.sourceforge.net
Subject: [Simple-evcorr-users] Ignore first n 'bar' if 'foo' occurs
Hello, can you help me?
I need to count occurrences of 'bar' for host1, host2 etc. (independently).
But I must ignore the first n (for example the first 3) occurrences of 'bar' after 'foo'.
In other words I need to count video errors (bar), but exclude 3 video errors
after each channel change (foo).
But if 'foo' occurs the fourth time or more for a host, the action must be executed.
So if I have a logfile with:
0 host1: foo
1 host1: bar
2 host1: bar
3 host1: bar
0 host1: foo
1 host1: bar
0 host1: foo
0 host1: foo
1 host1: bar
nothing happens
but if:
0 host1: foo
1 host1: bar
2 host1: bar
3 host1: bar
4 host1: bar < trigger action
5 host1: bar < trigger action
0 host1: foo
1 host1: bar
etc.
Is it possible with sec?
How to do that?
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users