[Simple-evcorr-users] using variables learned in rule A in rule B's perlfunc: possible?

[Michael H. <mic...@wi...>]

Hi-

I'm sorry to ask what is probably very basic question, but I have struggling with this for awhile (I have perused the manual a lot and the mailing list a bit) and could use some guidance.

The short version is: is there a way to take the results of a pattern match in one rule and use that value in a perlfunc in another?

More verbosely, at this time I use SEC for network syslog exclusion; nothing fancy.  I would like to start using Jump rules based on hostname.  Hostname is derived from the incoming log line.

I thought I would be clever and use a single rule to determine if there was a hostname or not, save it somewhere reusable, and then launch jump rules based on that.

something like

type=Single
ptype=RegExp
pattern=^\w+\s+[0-9]+ [0-9]+:[0-9]+:[0-9]+ (.+?) .+
varmap= hostname=1
desc=hostname
action=assign %r $+{hostname}
continue=TakeNext

type=Jump
ptype=perlfunc
pattern=sub { return 1 if $+{hostname} =~ m/^first-use-case/ }
cfset=rules-for-this-match-1

type=Jump
ptype=perlfunc
pattern=sub { return 1 if $+{hostname} =~ m/^second-use-case/ }
cfset=rules-for-this-match-2

I know this doesn't work.  I understand that '%r' is not a perl hash, and is an action list variable, and that $+{hostname} is undef inside the type=Jump rule perlfunc.  I also know that %r is being set correctly, I see it in "variables -> r" if I do SIGUSR1 dump.

So is it possible stash away a variable from one rule and use it in a Jump rule like above?  I can work around this easily by using a single rule like below, but if I have for example 20 jump permutations, it seems quite redundant to keep recalculating the hostname for comparison.

type=Jump
ptype=perlfunc
pattern=sub { return 0 unless (defined($_[1]) && $_[0] =~ /^\w+\s+[0-9]+ [0-9]+:[0-9]+:[0-9]+ (.+?) .+/); return 1 if $1 =~ m/^first-use-case/}
cfset=all-rules

Thanks in advance,
-Michael