hi Eli,

if you would like to have regular expressions stored in an external file
and load them at startup and restarts, you could use the following ruleset.
The first rule loads patterns from a file when SEC is started or has
received a HUP or ABRT signal. The rule assumes that each line contains a
regular expression, compiles these expressions and stores them into the
array @plist.  The second example rule compares an input line with regular
expression patterns from @plist, producing a match if any of the patterns
matches:

type=Single
ptype=RegExp
pattern=^(SEC_STARTUP|SEC_RESTART|SEC_SOFTRESTART)$
context=SEC_INTERNAL_EVENT
desc=load suppress patterns
action=lcall %o -> ( sub { @plist = (); \
             if (!open(FILE, "patterns.txt")) { return 0; } \
             my(@lines) = <FILE>; close(FILE); chomp(@lines); \
             @plist = map { qr/$_/ } @lines; return scalar(@plist); } ); \
       if %o ( logonly %o patterns loaded ) else ( logonly No patterns loaded )


type=Suppress
ptype=PerlFunc
pattern=sub { foreach $p (@plist) { if ($_[0] =~ $p) { return 1; } } return 0; }

Since both the PerlFunc pattern and regular expressions are compiled before
usage, their evaluation does not involve any extra overhead. In fact, when
comparing the performance of a list of five regular expression patterns
against five Suppress rules on 1 million non-matching input events on my
laptop, I observed an external list being about 10% faster. However, the
actual performance of both approaches depends heavily on input events and
patterns, so I would recommend benchmarking the above ruleset vs Suppress
rules on your log data.

kind regards,
risto
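
Added example, not part of the original message or of SEC itself: a stand-alone Perl check of the pattern list before SEC is signalled to reload it, since the ruleset above assumes every line of patterns.txt is a valid regular expression. It skips blank lines (an empty pattern is not a meaningful suppress rule and can match every event) and reports lines that fail to compile; the '#' comment convention, the function names and the sample data are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Compile pattern lines into qr// objects. Blank lines and lines starting
# with '#' (a convention assumed for this example) are skipped; lines that
# are not valid regular expressions are collected instead of aborting.
sub compile_patterns {
    my @lines = @_;
    my (@plist, @rejected);
    my $n = 0;
    foreach my $line (@lines) {
        $n++;
        $line =~ s/\r?\n\z//;                 # strip LF or CRLF line ending
        next if $line =~ /^\s*(?:#.*)?$/;     # blank line or comment
        my $re = eval { qr/$line/ };          # qr// dies on a bad pattern
        if (defined $re) { push @plist, $re; }
        else             { push @rejected, "line $n: $line"; }
    }
    return (\@plist, \@rejected);
}

# Same test as the PerlFunc Suppress pattern: true if any pattern matches.
sub is_suppressed {
    my ($event, $plist) = @_;
    foreach my $p (@$plist) { return 1 if $event =~ $p; }
    return 0;
}

# Constructed sample content of patterns.txt.
my @sample = split /^/, <<'EOF';
# noisy cron session messages
CRON\[\d+\]: pam_unix\(cron:session\)

sshd\[\d+\]: (Connection closed
EOF

# Constructed sample events.
my @events = (
    'Dec 18 19:34:01 host CRON[4242]: pam_unix(cron:session): session opened for user root',
    'Dec 18 19:34:07 host sshd[911]: Failed password for invalid user admin from 192.0.2.10',
);

my ($plist, $rejected) = compile_patterns(@sample);
print "rejected $_\n" for @$rejected;
printf "%-9s %s\n", (is_suppressed($_, $plist) ? 'suppress' : 'pass'), $_ for @events;
```

The body of compile_patterns can take the place of the map expression inside the lcall action, so that one bad line in the file no longer prevents the remaining patterns from loading.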



Contact Kagan, Eli (<eli.ka...@dxc.com>) wrote on Tue, 18
December 2018 at 19:34:

> Howdy,
>
>
>
> I’d like to have a separate file containing a list of regex patterns to
> suppress. That is, instead of creating a multitude of Suppress events for
> each pattern I would like to have a PerlFunc Suppress rule that would use an
> external list. Ideally that list should be loaded at startup.
>
>
>
> Is there a simple way to create something like that and if so what the
> performance impact would be versus generating individual suppress rules
> with a config script?
>
>
>
> Thanks,
>
> Eli
>
>
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>