Hi Risto,

Thanks for the different options. I’ll have to try which would be the best for 
my case.

Br,
Roni

From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Friday, March 09, 2018 5:16 PM
To: Riska, Roni (Nokia - FI/Espoo) <roni.ri...@nokia.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: [Simple-evcorr-users] PairWithWindow rule and timestamp of the 
first event

hi Roni,

there are three ways this problem can be tackled. If your events contain 
timestamps, the simplest solution is to extract a timestamp from the event and 
set a match variable for holding the timestamp. For example, if events always 
have a numerical timestamp as a prefix, you could use the following rule:

type=PairWithWindow
ptype=RegExp
pattern=^(\d+): BEGIN
desc=BEGIN appeared at $1 without END after 15 seconds
action=write - %s
ptype2=RegExp
pattern2=^(\d+): END
desc2=BEGIN appeared at %1 with END at $1
action2=write - %s
window=15

In this simple example, the timestamp is always assigned to the $1 variable, 
which allows it to be retrieved later (either by referring to $1 or %1).

However, if your events do *not* contain timestamps, the following issue will 
arise -- if the PairWithWindow rule sees a valid pair of events, it is 
possible to utilize the %u or %t variable to get the current time which also 
reflects the occurrence time of the second event in the pair. However, there is 
no way of accessing the occurrence time of the first event via some predefined 
variable (the same problem will come up if you don't have a valid pair, but 
just the first event *without* the second).

In order to address this issue and obtain the occurrence time of the first 
event, we can rely on the following observation -- the occurrence time of the 
first event is equal to the beginning of the event correlation window. However, 
the latter value can be retrieved from any event correlation operation with the 
'getwpos' action. This will lead us to the following solution:

type=PairWithWindow
ptype=RegExp
pattern=^BEGIN
desc=BEGIN has been seen
action=getwpos %time 0 BEGIN has been seen; \
       write - BEGIN appeared at %time without END after 15 seconds
ptype2=RegExp
pattern2=^END
desc2=END has been seen
action2=getwpos %time 0 BEGIN has been seen; \
        write - BEGIN appeared at %time with END at %u
window=15

As you can see, the example events do not have timestamps. However, in the 
'action' and 'action2' fields the 'getwpos' action is used for getting the 
window position of the PairWithWindow operation itself (0 indicates the current 
rule and "BEGIN has been seen" is the operation description string which is set 
by the 'desc' field). Note that by using non-zero offsets and custom string 
values, it is possible to retrieve window positions of other active event 
correlation operations. Furthermore, if one employs the 'setwpos' action, the 
windows of other operations can even be moved further in time. However, in the 
above example the operation simply queries its own window position which is the 
same as the occurrence time of the first event.

So what is the third way of addressing this task? Alongside the 
PairWithWindow rule, one can simply implement a Single rule which simply 
matches the first event of the pair and saves its occurrence time for further 
use. For example:

type=Single
ptype=RegExp
pattern=^BEGIN (\d+)
context=!CONTEXT_$1
continue=TakeNext
desc=save timestamp
action=add CONTEXT_$1 %t

type=PairWithWindow
ptype=RegExp
pattern=^BEGIN (\d+)
desc=BEGIN $1
action=copy CONTEXT_$1 %time; delete CONTEXT_$1; \
       write - BEGIN $1 appeared at %time without END after 15 seconds
ptype2=RegExp
pattern2=^END $1
desc2=END
action2=copy CONTEXT_%1 %time; delete CONTEXT_%1; \
        write - BEGIN %1 appeared at %time with END at %t
window=15

In the above example, the PairWithWindow rule can start several operations 
which run simultaneously, treating the numerals that follow BEGIN and END as 
pair identifiers (in other words, events BEGIN 12 and END 12 form a valid pair, 
since they share the same numeric ID 12). The above example also employs 
textual timestamps, and for holding the timestamp of the first event, the 
context CONTEXT_<pair-id> is used. The context will be removed by the 
PairWithWindow operation when it finishes, no matter whether it executes 
'action' or 'action2' in the end.

I understand that this is a lengthy e-mail, but I just wanted to outline all 
the options you have. Perhaps other list members can suggest additional and 
even better ways of tackling this task :)

kind regards,
risto
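
The second option above yields the window position from 'getwpos' as seconds since the Epoch. As an added example (not part of the original e-mail and not taken from the SEC distribution), the rule below extends that option with SEC's 'lcall' action to render the value as text and to report the delay between BEGIN and END. The variable names %first and %delay are chosen here for illustration.

```conf
# Added example: variant of the getwpos-based rule from the message above.
# %time  - window start in Epoch seconds (occurrence time of BEGIN)
# %first - the same moment rendered as text by Perl's localtime()
# %delay - seconds between BEGIN and END (%u is the current Epoch time)
type=PairWithWindow
ptype=RegExp
pattern=^BEGIN
desc=BEGIN has been seen
action=getwpos %time 0 BEGIN has been seen; \
       lcall %first %time -> ( sub { scalar(localtime($_[0])) } ); \
       write - BEGIN appeared at %first without END after 15 seconds
ptype2=RegExp
pattern2=^END
desc2=END has been seen
action2=getwpos %time 0 BEGIN has been seen; \
        lcall %first %time -> ( sub { scalar(localtime($_[0])) } ); \
        lcall %delay %time %u -> ( sub { $_[1] - $_[0] } ); \
        write - BEGIN appeared at %first with END at %t (%delay seconds later)
window=15
```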


2018-03-09 15:17 GMT+02:00 Riska, Roni (Nokia - FI/Espoo) 
<roni.ri...@nokia.com>:
Hello,

I’m using a PairWithWindow rule and I want to get the first and second event 
and their timestamps in the action/action2.
I know that I can get the first event with %0 and second with $0 in the action2, 
and first event with $0 in action.
But how can I get the timestamp when SEC received the first event?
Is it even possible to get that?

Br,
Roni



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
