Suppressed - Event Correlator
Hello
I have a question about Suppressed in pm_evcorr.
I have the following example from the official documentation:
<Input in>
Module im_file
File "/tmp/testfile"
SavePos FALSE
ReadFromLast FALSE
Exec if ($raw_event =~ /^(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d) (.+)/) { \
$EventTime = parsedate($1); \
$Message = $2; \
$raw_event = $Message; \
}
</Input>
<Input internal>
Module im_internal
Exec $raw_event = $Message;
Exec $EventTime = 2010-01-01 00:01:00;
</Input>
<Output out>
Module om_file
File '/tmp/output'
</Output>
<Processor evcorr>
Module pm_evcorr
TimeField EventTime
<Suppressed>
# match input event and execute an action list, but ignore the following
# matching events for the next t seconds.
Condition $Message =~ /^suppressed/
Interval 30
Exec $raw_event = "suppressing..";
</Suppressed>
<Simple>
Exec if $Message =~ /^simple/ $raw_event = "got simple";
</Simple>
</Processor>
<Route 1>
Path in, internal => evcorr => out
</Route>
I wrote the following logs into the file:
[root@server:[DEV] /tmp]# echo "2017-12-01 13:06:44 suppressed" >> testfile
[root@server:[DEV] /tmp]# echo "2017-12-01 13:06:47 simple" >> testfile
[root@server:[DEV] /tmp]# echo "2017-12-01 13:06:49 simple" >> testfile
[root@server:[DEV] /tmp]# echo "2017-12-01 13:07:00 suppressed" >> testfile
In the output I got:
suppressing..
got simple
got simple
suppressed
The suppressing condition worked. But I thought that it would stop processing all subsequent log entries, and it does not. Why is the Simple condition still matched?
I think the <Suppressed> rule only prevents the evaluation of the Exec statements when suppression kicks in.
The following would probably do what you need: add $do_not_drop = TRUE; to your suppression rule and then use an additional Simple rule like this:
<Simple>
Exec if $Message =~ /^suppressed/ and not defined $do_not_drop drop();
</Simple>
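To make the semantics discussed in this thread concrete, here is a small Python model of the rule chain (my own added example, not NXLog code): the Suppressed rule runs its Exec on the first match and then skips the Exec for matches within the interval while still letting the event through, and the answer's extra Simple rule drops the repeats that did not get $do_not_drop set. The sample log lines are the four from the question; function names are mine.

```python
from datetime import datetime, timedelta

# Constructed sample input: the four lines appended to /tmp/testfile in the question.
SAMPLE_LOG = """\
2017-12-01 13:06:44 suppressed
2017-12-01 13:06:47 simple
2017-12-01 13:06:49 simple
2017-12-01 13:07:00 suppressed
"""


def parse(line):
    """Mirror the im_file Exec: split the timestamp off, keep the rest as $Message."""
    date, time, msg = line.split(" ", 2)
    return {"EventTime": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "Message": msg}


def correlate(log_text, interval=30, drop_repeats=False):
    """Model of the pm_evcorr rules from the thread (assumption: Exec of a
    <Suppressed> rule fires once per window; suppressed events are not dropped).
    drop_repeats=True adds the answer's extra <Simple> rule with drop()."""
    suppressed_until = None
    output = []
    for line in log_text.splitlines():
        ev = parse(line)
        msg = ev["Message"]
        raw_event = msg
        do_not_drop = False  # the field the answer sets inside the Suppressed Exec
        # <Suppressed> Condition $Message =~ /^suppressed/  Interval 30
        if msg.startswith("suppressed"):
            if suppressed_until is None or ev["EventTime"] >= suppressed_until:
                suppressed_until = ev["EventTime"] + timedelta(seconds=interval)
                raw_event = "suppressing.."  # Exec runs only for the first match
                do_not_drop = True
            # otherwise: inside the window, Exec is skipped but the event passes on
        # <Simple> Exec if $Message =~ /^simple/ $raw_event = "got simple";
        if msg.startswith("simple"):
            raw_event = "got simple"
        # answer's rule: drop repeated "suppressed" events that were not marked
        if drop_repeats and msg.startswith("suppressed") and not do_not_drop:
            continue  # drop()
        output.append(raw_event)
    return output


if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))                    # what the question observed
    print(correlate(SAMPLE_LOG, drop_repeats=True))  # with the answer's extra rule
```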