Hello SEC Users,

I am using the SingleWithSuppress rule to process timestamped input events. I want to take an action after the 2nd event occurrence within 60 seconds. The problem I have is that after the second event matches, the action is taken and the event ($0) is written to the output, but it uses the timestamp of the first received event (the one that started the correlation operation). On the output I would like to see the *timestamp* of the second event or, more generally, the whole input message of the second event as is.

Let me demonstrate this with an example.

Config file: ccr.sec

    rem=Parse My Event
    type=Single
    ptype=RegExp
    pattern=^\S+ (?<EVENT>\S+)
    varmap=MY_EVENT
    continue=TakeNext
    desc=Parse Event
    action=none

    rem=Rule1
    type=SingleWithThreshold
    ptype=Cached
    pattern=MY_EVENT
    desc=Rule1 $+{EVENT}
    action=write - $0
    window=60
    thresh=2

Run sec:

    sec -conf=./ccr.sec -input=-

Input the following lines:

    2018-11-11T00:00:01+00:00 Event1
    2018-11-11T00:00:02+00:00 Event1
    2018-11-11T00:00:03+00:00 Event1

Output action:

    Writing event '2018-11-11T00:00:01+00:00 Event1' to file '-'

What I want to achieve / see:

    Writing event '2018-11-11T00:00:02+00:00 Event1' to file '-'

Thanks,
Dusan

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
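
Added example, not part of the original post and not SEC code: a small Python model of the threshold correlation described above. For every threshold reached it returns both the line that started the counting and the line that reached the threshold, so the reported and the wanted output can be compared. The function name `correlate`, the use of the timestamp inside each line as the clock, and the suppression of further matches until the window ends are assumptions of this model.

```python
import re
from collections import deque
from datetime import datetime

WINDOW = 60   # seconds, as in window=60
THRESH = 2    # as in thresh=2
# Same shape as the rule's pattern, with the timestamp captured as well.
LINE_RE = re.compile(r"^(?P<TS>\S+) (?P<EVENT>\S+)")

# The three input lines from the post.
PAGE_LINES = [
    "2018-11-11T00:00:01+00:00 Event1",
    "2018-11-11T00:00:02+00:00 Event1",
    "2018-11-11T00:00:03+00:00 Event1",
]

def correlate(lines, window=WINDOW, thresh=THRESH):
    """Return a list of (first_line, triggering_line), one per threshold hit.

    Lines must arrive in time order; lines that do not parse are skipped.
    """
    pending = {}   # event name -> deque of (epoch, line) still inside the window
    muted = {}     # event name -> epoch until which further matches are ignored
    fired = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group("TS")).timestamp()
        except ValueError:
            continue
        name = m.group("EVENT")
        if ts < muted.get(name, 0):
            continue                      # threshold already reached in this window
        q = pending.setdefault(name, deque())
        while q and ts - q[0][0] >= window:
            q.popleft()                   # slide the window past expired events
        q.append((ts, line))
        if len(q) == thresh:
            fired.append((q[0][1], line)) # (what was reported, what is wanted)
            muted[name] = q[0][0] + window
            q.clear()
    return fired

if __name__ == "__main__":
    for first, trigger in correlate(PAGE_LINES):
        print(f"first event:      {first}")
        print(f"triggering event: {trigger}")
```
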