[Simple-evcorr-users] How to introduce new match variable

Wed, 19 Feb 2020 04:49:11 -0800 

Hi SEC users,

I want to create / introduce new match variable in my rules.
I search forum posts and found this:

"Once you have cached match results, they become visible across all rules
and you can modify them. In order to do this, you have to use the :>
context expression operator for getting a reference to the set of cached
match variables. Once you have the reference, you can not only modify
individual variables, but you can also delete existing match variables, and
even introduce new variables (for example, $_[0]->{"newvariable"} = 1 would
set the variable $+{newvariable} to 1)."

I try to add new variable using “context” and :> operator also using “lcall” 
action but no luck.
Any idea how to achieve this?

This is what I have produced so far:

Config file: dusko.sec
----------------------------
rem=Rule 1
type=Single
ptype=RegExp
pattern=^(?<EVENT>\S+) (?<SEVERITY>\S+)$
varmap=MY_EVENT
continue=TakeNext
desc=Parsing Event
action=write - R1: Parsing event: $+{EVENT} $+{SEVERITY}

rem=Rule 2
type=Single
ptype=Cached
pattern=MY_EVENT
context=MY_EVENT :> ( sub { return $_[0]->{"NEW"} = "new_entry"; } )
desc=Introducing new variable
action=lcall %o MY_EVENT -> ( sub { $_[0]->{"NEW"} = "value" } ); \
write - R2: NEW = $+{NEW}

Star sec
-----------
sec -input=- -conf=./dusko.sec -intevents -intcontexts --debug=6

Put this input event:
---------------------------
Event1 Normal

Result into:
----------------
R1: Parsing event: Event1 Normal
R2: NEW =

Also if I want to replace “->” with “:>” for lcall action:
action=lcall %o MY_EVENT :> ( sub { $_[0]->{"NEW"} = "value" } ); \
write - R2: NEW = $+{NEW}

I got compilation error:
Rule in ./dusko.sec at line 10: Eval '{"NEW"} = "value" } )' didn't return a 
code reference: syntax error at (eval 9) line 1, near "} ="
Unmatched right curly bracket at (eval 9) line 1, at end of line
Rule in ./dusko.sec at line 10: Invalid action list ' lcall %o MY_EVENT :> ( 
sub { $_[0]->{"NEW"} = "value" } ); write - R2: NEW = $+{NEW} '

Thanks for any help,
Dusan


_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users






















					Reply via email to