hi Eli,
As a followup to your question, the previously posted solution does
not handle one corner case. When only one event appears in the window
of 60 seconds, the EventGroup operation is not able to move the window
forward when it expires, because there are no valid events left to
continue. As a consequence, the 'slide' action would not be executed
in that case, but rather the 'end' action. To handle this corner case,
the 'end' action would need to check if there is just one event in the
EVENTS_$+{host} context and if that is the case, release this event.
That would make the 'end' action more complicated, for example:
end=getsize %n EVENTS_$+{host}; lcall %release %n -> ( sub { $_[0] ==
1 } ); if %release (copy EVENTS_$+{host} %events; cevent
RELEASED_EVENT 0 %events); delete EVENTS_$+{host}
A less convoluted solution would be to handle the scenario with the
event aggregation context itself. For example, you could configure it
to release all aggregated events after its 60 second lifetime expires,
and cancel the release if the context receives three events before
expiration. Here is a relevant example:
type=Single
ptype=RegExp
pattern=^(?<host>\S+) (?<if>\S+) (?:up|down)$
context=!RELEASED_EVENT && !EVENTS_$+{host}
continue=TakeNext
desc=create an event aggregation context
action=create EVENTS_$+{host} 60 \
( copy EVENTS_$+{host} %events; cevent RELEASED_EVENT 0 %events )
type=Single
ptype=RegExp
pattern=^(?<host>\S+) (?<if>\S+) (?:up|down)$
context=!RELEASED_EVENT
desc=add events to an aggregation context
action=add EVENTS_$+{host} $0; getsize %n EVENTS_$+{host}; \
lcall %threshold %n -> ( sub { $_[0] == 3 } ); \
if %threshold ( event 0 multiple interfaces up/down on host $+{host}; \
set EVENTS_$+{host} - none )
type=Single
ptype=RegExp
pattern=^(?<host>\S+) (?<if>\S+) (?:up|down)$
desc=demo rule for printing released events
action=write - Released event: $0
The first rule sets up an event aggregation context EVENTS_$+{host}
with a lifetime of 60 seconds if it does not exist already. On the
expiration of this context, all collected events are released with:
copy EVENTS_$+{host} %events; cevent RELEASED_EVENT 0 %events
The second rule updates the EVENTS_$+{host} context with new events,
checking after each update if three events have been received:
getsize %n EVENTS_$+{host}; lcall %threshold %n -> ( sub { $_[0] == 3 } )
If that is the case, a new event "multiple interfaces up/down on host
$+{host}" is created, and in order to prevent the release of collected
events, the following action is used:
set EVENTS_$+{host} - none
This 'set' action does not modify the expiration time of the
EVENTS_$+{host} context and makes sure that when the context expires,
no action would be executed (action 'none' is no-op).
kind regards,
risto
>
> hi Eli,
>
> you have asked a very interesting question indeed. I hope I have
> understood your goal correctly, and below is a rule which tries to
> address it. The rule relies on the following observation -- if the
> event counting operation does not reach the threshold by the end of
> its window, the window must slide forward. Because we want to release
> the collected events at this particular moment, an action must be
> executed when the window sliding occurs. Unfortunately, the
> SingleWithThreshold rule does not have that functionality, but the
> EventGroup rule (generalization of SingleWithThreshold) does. Here is
> an example which utilizes EventGroup rule and uses the
> 'EVENTS_$+{host}' context for recording all events observed by the
> EventGroup event counting operation for the given host $+{host}:
>
> type=EventGroup
> ptype=RegExp
> pattern=^(?<host>\S+) (?<if>\S+) (?:up|down)$
> context=!RELEASED_EVENT
> init=create EVENTS_$+{host}
> count=add EVENTS_$+{host} $0
> end=delete EVENTS_$+{host}
> slide=copy EVENTS_$+{host} %events; cevent RELEASED_EVENT 0 %events;
> reset 0; delete EVENTS_$+{host}
> desc=multiple interfaces up/down on host $+{host}
> action=event 0 %s
> window=60
> thresh=3
>
> type=Single
> ptype=RegExp
> pattern=^(?<host>\S+) (?<if>\S+) (?:up|down)$
> desc=demo rule for printing released events
> action=write - Released event: $0
>
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
