Hi,

In a SingleWithThreshold rule, we want the action to report the N events
observed. We have been adding them to a context with a lifetime
expecting that such context would always have N (threshold) events.

However, we have noticed that, because of the sliding window nature of
the correlation, the context content gets out of sync with the
correlation (sometimes the context has fewer events than the threshold,
sometimes more).

This is our current (improved) solution:

# Rule 1: create the EVENT_STORE context on the first matching event
type=single
ptype=regexp
continue=takenext
desc=from $1
pattern=from (.+)
context=!EVENT_STORE
action=create EVENT_STORE

# Rule 2: store the event and (re)set the context lifetime to 10 seconds
type=single
ptype=regexp
continue=takenext
desc=from $1
pattern=from (.+)
context=EVENT_STORE
action=add EVENT_STORE $0; set EVENT_STORE 10;

# Rule 3: count events; on reaching the threshold, report and drop the context
type=singlewiththreshold
window=10
thresh=3
ptype=regexp
continue=takenext
desc=from
pattern=from (.+)
context=EVENT_STORE
action=report EVENT_STORE /usr/bin/cat; delete EVENT_STORE;
action2=delete EVENT_STORE;

But it is not perfect, for there are still cases when the context ends
up holding more events than the threshold.

Is it possible to have a context with the exact events that are part of
the correlation operation?

Regards,


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
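The drift described in the post can be reproduced with a small simulation. The block below is an added example, not part of the original message and not SEC code: it is a simplified model of the three rules above, assuming the sliding-window behaviour documented for SingleWithThreshold (when the window expires without the threshold being reached, the window restarts at the oldest event still younger than `window` seconds, and ends if there is none; after the action has run, further events are consumed without being counted until the window expires) and a context whose lifetime is reset to 10 seconds on every event and which is deleted by the report action. The event timestamps are constructed sample input.

```python
"""Simplified model of a SEC SingleWithThreshold operation next to a context
whose lifetime is reset on every event.  Added example, not SEC code; the
operation semantics are an assumption taken from the SEC manual's description
of the sliding window, and all timestamps are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WINDOW = 10    # seconds, window=10 in the rule
THRESH = 3     # thresh=3 in the rule
LIFETIME = 10  # seconds, `set EVENT_STORE 10` in the second rule

# (events counted by the operation, events held by the context) at report time
Report = Tuple[List[int], List[int]]


@dataclass
class ThresholdOp:
    """One SingleWithThreshold correlation operation (simplified)."""
    start: int                                   # event that opened the window
    events: List[int] = field(default_factory=list)
    fired: bool = False                          # True once the action has run

    @property
    def expiry(self) -> int:
        return self.start + WINDOW


class Simulation:
    def __init__(self) -> None:
        self.op: Optional[ThresholdOp] = None
        self.context: Optional[List[int]] = None    # None: EVENT_STORE does not exist
        self.context_expiry: Optional[int] = None   # None: no lifetime set yet
        self.reports: List[Report] = []

    def _expire(self, now: int) -> None:
        """Apply every window/context expiry due at or before `now`, in order."""
        while True:
            due = []
            if self.op is not None and self.op.expiry <= now:
                due.append((self.op.expiry, "op"))
            if (self.context is not None and self.context_expiry is not None
                    and self.context_expiry <= now):
                due.append((self.context_expiry, "ctx"))
            if not due:
                return
            when, what = min(due)
            if what == "ctx":
                self.context = None          # lifetime ran out: events are gone
            elif self.op.fired:
                self.op = None               # action already ran: operation ends
            else:
                # Sliding window: keep events younger than WINDOW seconds and
                # restart at the oldest of them; end the operation if none remain.
                kept = [e for e in self.op.events if e > when - WINDOW]
                self.op = ThresholdOp(start=kept[0], events=kept) if kept else None

    def event(self, t: int) -> None:
        self._expire(t)
        if self.context is None:             # rule 1: create EVENT_STORE
            self.context = []
            self.context_expiry = None
        self.context.append(t)               # rule 2: add $0; set EVENT_STORE 10
        self.context_expiry = t + LIFETIME
        if self.op is None:                  # rule 3: start counting
            self.op = ThresholdOp(start=t)
        if self.op.fired:
            return                           # consumed, not counted, until window ends
        self.op.events.append(t)
        if len(self.op.events) >= THRESH:    # action=report ...; delete EVENT_STORE
            self.op.fired = True
            self.reports.append((list(self.op.events), list(self.context)))
            self.context = None


def run(times: List[int]) -> List[Report]:
    """Feed constructed event timestamps (seconds) and return the reports."""
    sim = Simulation()
    for t in times:
        sim.event(t)
    return sim.reports


if __name__ == "__main__":
    scenarios = {
        "burst, in sync": [0, 1, 2],
        "window slid forward": [0, 8, 15, 16],
        "events consumed after the action": [0, 1, 2, 3, 4, 5, 11, 12, 13],
    }
    for name, times in scenarios.items():
        for counted, stored in run(times):
            print(f"{name}: counted {counted}, context held {stored}")
```

In the second scenario the window expires at t=10 with only two events, restarts at t=8 and fires at t=16 on events 8, 15 and 16, while the context, whose lifetime was pushed forward by every event, still holds the event from t=0. In the third scenario the events at t=3, 4 and 5 arrive after the action has run and are not counted, but the context created for them survives into the next operation, so the report carries six events for a threshold of three.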