hi Dusan,

the problem lies in the fact that when a SingleWithThreshold rule starts a
counting operation, match variables in the 'action' field receive their
values from the first event which triggered that operation (that is done
for staying consistent with substitution of variables in other fields,
where values from the first event have to be used). In order to solve this
issue, the best solution is to employ the EventGroup rule instead of
SingleWithThreshold, since EventGroup is a more general counting rule that
supports a number of useful extensions.

One such extension is support for the 'count' field which allows for
executing action(s) on each matching event. Unlike the 'action' field, match
variables in the 'count' field are set from *each* matching event. For example,
consider the following rule:

type=EventGroup
ptype=RegExp
pattern=.
desc=count any event
count=assign %lastline $0
action=write - %lastline
thresh=3
window=60

After each matching event, the action list variable %lastline is set to the
current event, and when the third matching event is observed in a 60 second
time window, this event is written to standard output. Since, unlike match
variables in the 'action' field, action list variables like %lastline are
always substituted at action list execution, %lastline will hold the value
of the last matching line.

To employ this technique in your ruleset, the EventGroup rule could be
used in the following fashion:

rem=Parse My Event
type=Single
ptype=RegExp
pattern=^\S+ (?<EVENT>\S+)
varmap=MY_EVENT
continue=TakeNext
desc=Parse Event
action=none

rem=Rule1
type=EventGroup
ptype=Cached
pattern=MY_EVENT
desc=Rule1 $+{EVENT}
count=assign %lastline $0
action=write - %lastline
window=60
thresh=2

When submitting three example events to this ruleset, the following output
should be displayed:

Assigning '2018-11-11T00:00:01+00:00 Event1' to variable '%lastline'
Assigning '2018-11-11T00:00:02+00:00 Event1' to variable '%lastline'
Writing event '2018-11-11T00:00:02+00:00 Event1' to file '-'
2018-11-11T00:00:02+00:00 Event1     <--- second event that was written to standard output
Assigning '2018-11-11T00:00:03+00:00 Event1' to variable '%lastline'

Hope this helps,
risto

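To make the difference between the two substitution rules concrete, here is a small Python model, added for illustration and not SEC's own code, of a single counting operation with the 'window' and 'thresh' semantics discussed above. It assumes one correlation key (all events share the same 'desc') and simplifies SEC's window handling to "the operation ends once the window has elapsed since the first event"; the sample events are the three lines from the thread.

```python
from datetime import datetime, timedelta

# Constructed input: the three events from the thread, one correlation key.
EVENTS = [
    "2018-11-11T00:00:01+00:00 Event1",
    "2018-11-11T00:00:02+00:00 Event1",
    "2018-11-11T00:00:03+00:00 Event1",
]

def event_time(line):
    """Timestamp of an event line of the form '<ISO-8601 time> <text>'."""
    return datetime.fromisoformat(line.split(" ", 1)[0])

def correlate(lines, window=60, thresh=2):
    """Simplified model of one counting operation (assumption, not SEC code).

    Returns two lists: what 'action=write - $0' emits ($0 is bound when the
    operation starts, i.e. from the first event) and what
    'count=assign %lastline $0' plus 'action=write - %lastline' emits
    (%lastline is refreshed on every matching event and substituted only
    when the action list actually runs).
    """
    op = None                 # active operation: start time, first event, count
    action_vars = {}          # action list variables such as %lastline
    writes_dollar0 = []       # output of action=write - $0
    writes_lastline = []      # output of action=write - %lastline
    for line in lines:
        ts = event_time(line)
        if op is not None and ts - op["start"] > timedelta(seconds=window):
            op = None         # window has elapsed, the operation ends
        if op is None:        # first matching event starts a new operation
            op = {"start": ts, "first": line, "count": 0, "fired": False}
        op["count"] += 1
        # the 'count' field runs on every matching event: %lastline <- current line
        action_vars["%lastline"] = line
        if op["count"] == thresh and not op["fired"]:
            op["fired"] = True
            writes_dollar0.append(op["first"])                # $0 from first event
            writes_lastline.append(action_vars["%lastline"])  # latest line
    return writes_dollar0, writes_lastline

if __name__ == "__main__":
    old, new = correlate(EVENTS)
    print("action=write - $0        ->", old)  # ['2018-11-11T00:00:01+00:00 Event1']
    print("action=write - %lastline ->", new)  # ['2018-11-11T00:00:02+00:00 Event1']
```

Feeding events that fall outside the 60 second window starts a fresh operation, so the first event of that new operation becomes the new $0 while %lastline keeps tracking the most recent line.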

Contact Dusan Sovic (<dusan.so...@hotmail.sk>) wrote on Thu, 8
November 2018 at 16:11:

> Hello SEC Users,
>
> I am using the SingleWithSuppress rule to process timestamped input events. I
> want to take action after the 2nd event occurrence within 60 seconds.
> The problem I have is that after the second event match, the action is taken and
> the event ($0) is written to the output, but it uses the timestamp of the first received
> event (the one that started the correlation operation).
> In the output I would like to see the *timestamp* of the second event or,
> more generally, the whole input message of the second event as is.
>
> Let me demonstrate this on example:
>
> Config File: ccr.sec
>
> rem=Parse My Event
> type=Single
> ptype=RegExp
> pattern=^\S+ (?<EVENT>\S+)
> varmap=MY_EVENT
> continue=TakeNext
> desc=Parse Event
> action=none
>
> rem=Rule1
> type=SingleWithThreshold
> ptype=Cached
> pattern=MY_EVENT
> desc=Rule1 $+{EVENT}
> action=write - $0
> window=60
> thresh=2
>
> Run sec: sec -conf=./ccr.sec -input=-
>
> Input the following lines:
> 2018-11-11T00:00:01+00:00 Event1
> 2018-11-11T00:00:02+00:00 Event1
> 2018-11-11T00:00:03+00:00 Event1
>
> Output action:
> Writing event '2018-11-11T00:00:01+00:00 Event1' to file '-'
>
> What I want to achieve / see:
> Writing event '2018-11-11T00:00:02+00:00 Event1' to file '-'
>
> Thanks,
> Dusan
>
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>