NXLog search
Let's talk Start free
Let's talk Start free

Add information from one event to another.

Tags:
#1 DDGH

Hello!
I've been fighting for a week, but the ideas have ended. When you delete files, Windows generates 2 Events 4663 then 4660. In EventID:4663 there is a file name, in EventID:4660 there is a result. The Marker can use the EventRecordID, which will differ by 1 for these two events. The idea with the help pm_evcorr add in EventID:4663 field from EventID:4660. As far as I understood, the design should be this:

  1. EventID:4663 arrives
  2. If EventID:4660 arrives within 2 seconds and in it EventRecordID greater by 1, then
  3. We drop the ObjectName from the event 4663 into event 4660.
    User guides tell us that the design should be of the form
  <Pair>
    # If TriggerCondition is true, wait Interval seconds for
    # RequiredCondition to be true and then do the Exec. If Interval is
    # 0, there is no window on matching.
    TriggerCondition    $Message =~ /^pair-first/
    RequiredCondition   $Message =~ /^pair-second/
    Interval            30
    Exec                $raw_event = "got pair";
    </Pair>

And

Exec $new_field = 'new field value';

But the problem is that it's absolutely certain that something (or rather everything) is not doing so

<Pair>
    # If TriggerCondition is true, wait Interval seconds for
    # RequiredCondition to be true and then do the Exec. If Interval is
    # 0, there is no window on matching.
    TriggerCondition    $EventID =4663
    RequiredCondition   $EventID =4660 and $EventRecordID = get_prev_event_data("EventRecordID" + 1);  - Here the main problem
    Interval            2
    Exec $FileName = get_prev_event_data("ObjectName");
    </Pair>

I will be very grateful for the help, the hint what to read or examples.

Permalink
#2 b0ti Nxlog ✓ (Last updated )
#1 DDGH
Hello! I've been fighting for a week, but the ideas have ended. When you delete files, Windows generates 2 Events 4663 then 4660. In EventID:4663 there is a file name, in EventID:4660 there is a result. The Marker can use the EventRecordID, which will differ by 1 for these two events. The idea with the help pm_evcorr add in EventID:4663 field from EventID:4660. As far as I understood, the design should be this: EventID:4663 arrives If EventID:4660 arrives within 2 seconds and in it EventRecordID greater by 1, then We drop the ObjectName from the event 4663 into event 4660. User guides tell us that the design should be of the form <Pair> # If TriggerCondition is true, wait Interval seconds for # RequiredCondition to be true and then do the Exec. If Interval is # 0, there is no window on matching. TriggerCondition $Message =~ /^pair-first/ RequiredCondition $Message =~ /^pair-second/ Interval 30 Exec $raw_event = "got pair"; </Pair> And Exec $new_field = 'new field value'; But the problem is that it's absolutely certain that something (or rather everything) is not doing so <Pair> # If TriggerCondition is true, wait Interval seconds for # RequiredCondition to be true and then do the Exec. If Interval is # 0, there is no window on matching. TriggerCondition $EventID =4663 RequiredCondition $EventID =4660 and $EventRecordID = get_prev_event_data("EventRecordID" + 1); - Here the main problem Interval 2 Exec $FileName = get_prev_event_data("ObjectName"); </Pair> I will be very grateful for the help, the hint what to read or examples.

$EventID = 4663 is an assignment. $EventID == 4663 is a boolean condition check. I think you want to use the latter.

This one is also flawed:

$EventRecordID = get_prev_event_data("EventRecordID" + 1);

The following should be correct:

$EventRecordID == get_prev_event_data("EventRecordID") + 1
Login to see more