Add information from one event to another.

#1 DDGH

Hello!
I've been fighting with this for a week, but I've run out of ideas. When you delete files, Windows generates two events, 4663 and then 4660. EventID:4663 contains the file name, and EventID:4660 contains the result. The EventRecordID can be used as a marker, since it differs by 1 between these two events. The idea is to use pm_evcorr to add a field from EventID:4660 to EventID:4663. As far as I understand, the design should be this:

  1. EventID:4663 arrives.
  2. If EventID:4660 arrives within 2 seconds and its EventRecordID is greater by 1, then
  3. we drop the ObjectName from event 4663 into event 4660.

The user guide tells us that the design should be of the form

    <Pair>
        # If TriggerCondition is true, wait Interval seconds for
        # RequiredCondition to be true and then do the Exec. If Interval is
        # 0, there is no window on matching.
        TriggerCondition    $Message =~ /^pair-first/
        RequiredCondition   $Message =~ /^pair-second/
        Interval            30
        Exec                $raw_event = "got pair";
    </Pair>

And

    Exec $new_field = 'new field value';

But the problem is that something (or rather everything) is clearly not working:

    <Pair>
        # If TriggerCondition is true, wait Interval seconds for
        # RequiredCondition to be true and then do the Exec. If Interval is
        # 0, there is no window on matching.
        TriggerCondition    $EventID =4663
        RequiredCondition   $EventID =4660 and $EventRecordID = get_prev_event_data("EventRecordID" + 1);  # <- here is the main problem
        Interval            2
        Exec                $FileName = get_prev_event_data("ObjectName");
    </Pair>

I would be very grateful for any help, a hint on what to read, or examples.

#2 b0ti Nxlog ✓

$EventID = 4663 is an assignment. $EventID == 4663 is a boolean condition check. I think you want to use the latter.

This one is also flawed:

$EventRecordID = get_prev_event_data("EventRecordID" + 1);

The following should be correct:

$EventRecordID == get_prev_event_data("EventRecordID") + 1
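The two corrections from the reply combined into a complete Pair rule, as an added example that is not part of the original post or of NXLog's own documentation; the Processor name `evcorr` and the `FileName` target field are assumed.

```conf
<Processor evcorr>
    Module  pm_evcorr
    <Pair>
        # Windows logs 4663 (carries ObjectName) and then 4660 (carries the
        # delete result) back to back, so the 4660 EventRecordID is the
        # 4663 EventRecordID plus one. Both comparisons use ==, not =.
        TriggerCondition    $EventID == 4663
        RequiredCondition   $EventID == 4660 and $EventRecordID == get_prev_event_data("EventRecordID") + 1
        # Wait at most 2 seconds for the matching 4660 event.
        Interval            2
        # Exec runs on the 4660 event; copy the file name over from the
        # 4663 event so the delete result and the path end up in one record.
        Exec                $FileName = get_prev_event_data("ObjectName");
    </Pair>
</Processor>
```

The match depends on the two events being consecutive: if another event is logged between them, the EventRecordID check fails and no FileName is added, which is worth watching for when validating the rule against real audit logs.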