Thanks for your response. It makes a lot more sense and you are on the
right lines I think. There is other code around this but it does not
bear much relevance:
require 'win32/eventlog'   # win32-eventlog gem; provides EventLog.open_backup
include Win32

def scanEVTWithSource(file, source)
  @alerts = []
  @evtLogArray = []
  begin
    # read the contents of the event log backup file
    evtLog = EventLog.open_backup(file, source)
    # put data into an array, ordered by event id and then by time written
    @evtLogArray = evtLog.read.sort { |a, b| (a.event_id <=>
      b.event_id).nonzero? || (a.time_written <=> b.time_written) }
    # event log data collected
    evtLog.close
    if @evtLogArray.length == 0
      return
    end
    # the loop over @evtLogArray was not shown in the post; assumed here
    @evtLogArray.each do |event|
      # failed logons where more than 10 have occurred in a day
      if event.event_id == 529
        eventdateID = []
        # assign all time written values to the eventsbydate array
        eventsbydate = "#{event.time_written}"
        eventdateID.push eventsbydate.gsub(/\s/, '')[0..7] +
          eventsbydate[26..30]
        # note: eventdateID and counts are rebuilt for every event, so
        # each hash only ever holds a single key with a count of 1
        counts = Hash.new(0)
        eventdateID.each { |d| counts[d] += 1 }
        counts.each do |id, cnt|
          # @tab and type are defined elsewhere in the program (not shown)
          @alerts.push("#{event.event_id} #{@tab} #{event.time_written} " \
            "#{@tab} #{event.event_type} #{@tab} #{type}") if cnt >= 5
        end
      end
    end
  end
end
I will explain this.
The scanEVTWithSource(file, source) - takes data and arguments from two
other methods which assist with the reading of the log files.
@evtLogArray - an array full of log data which is inspected in structs
The rest we know about, but for example event.event_id is a struct to
inspect the ID field.
Hope this helps and thank you very much for your help. You are right
eventsbydate is a string based on data from the event.time_written
struct using GSUB etc to chomp it down into the values you have already
seen.
Regards
Jesús Gabriel y Galán wrote:
On Tue, Feb 3, 2009 at 7:34 PM, Stuart C.
[email protected] wrote:
Thanks for getting back to me.
It's the next step counts.each do |id,cnt| which is the problem.
Sorry, but can you post a complete executable piece of code we can use
to reproduce the problem?
You have this:
eventdateID.push eventsbydate.gsub(/\s/, '')[0..7] +
eventsbydate[26..30]
but what is eventdateID? Maybe you have an earlier line of code like
eventdateID = [].
I’d like to see the complete picture. Also, what is eventsbydate?
By the way, now I’m realizing that eventsbydate might be a string, so
how can eventdateID contain more than 1 entry at all?
If that’s true, then
eventsbydate.gsub(/\s/, '')[0..7] + eventsbydate[26..30]
is also a string. So you are pushing a single string into eventdateID,
so when you later iterate you only get one iteration. Perhaps you have
a loop around the piece of code you showed? If that’s the case, then
it makes sense that you never get more than 1 count per entry, because
you are creating the hash every time. So, I think it would be easier
if you pasted the complete program.
If each element in the array eventDateID is stored in the hash as a
different key (which is what seems to be happening), maybe what is
inside the array are not strings, but another class that has a
different implementation of eql?.
Not sure what you mean by this.
It was another hypothesis, but I think you can forget about it, since
I'm pretty sure now that with the piece of code you showed you are
only ever pushing one string into eventdateID.
Jesus.
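To make the point in the thread concrete (both Stuart's posted loop and Jesús's diagnosis that the hash is rebuilt per event), here is an added, self-contained Ruby example that is not part of either poster's code. It uses a constructed LogEvent struct and constructed sample records in place of the structs that EventLog#read returns, reproduces the one-key-per-hash behaviour of the original in per_event_max_count, and then shows the corrected approach: one hash created outside the loop, keyed by the calendar day taken from time_written with strftime rather than by string slicing. The event id 529, the per-day threshold and the tab separator come from the thread; the function names and sample data are assumptions for this example.

```ruby
# Constructed stand-in for the win32-eventlog EventLogStruct (only the
# fields this example needs).
LogEvent = Struct.new(:event_id, :time_written, :event_type, :source)

FAILED_LOGON_ID = 529   # "Logon Failure" id used in the thread

# Mirrors the counting from the thread: eventdateID and counts are rebuilt
# for every event, so each hash holds one key with count 1 and a threshold
# above 1 can never be reached. Returns the largest count ever observed.
def per_event_max_count(events)
  max = 0
  events.each do |event|
    next unless event.event_id == FAILED_LOGON_ID
    eventdateID = []
    eventdateID.push event.time_written.strftime('%Y-%m-%d')
    counts = Hash.new(0)
    eventdateID.each { |d| counts[d] += 1 }
    max = [max, counts.values.max].max
  end
  max
end

# Corrected version: one hash for the whole scan, keyed by calendar day.
# Returns { "YYYY-MM-DD" => number_of_failed_logons }.
def failed_logon_daily_counts(events)
  counts = Hash.new(0)
  events.each do |event|
    next unless event.event_id == FAILED_LOGON_ID
    counts[event.time_written.strftime('%Y-%m-%d')] += 1
  end
  counts
end

# One tab-separated alert line per day whose failed-logon count reaches
# the threshold, in date order: "529<tab>YYYY-MM-DD<tab>count".
def failed_logon_alerts(events, threshold: 10, tab: "\t")
  failed_logon_daily_counts(events)
    .select { |_day, cnt| cnt >= threshold }
    .sort
    .map { |day, cnt| [FAILED_LOGON_ID, day, cnt].join(tab) }
end

# Constructed sample data: 12 failed logons on 2009-02-03, 3 on 02-04,
# 10 on 02-05, plus two successful logons (528) that must be ignored.
def sample_events
  events = []
  { [2009, 2, 3] => 12, [2009, 2, 4] => 3, [2009, 2, 5] => 10 }.each do |(y, m, d), n|
    n.times do |i|
      events << LogEvent.new(FAILED_LOGON_ID, Time.utc(y, m, d, 8, i, 0),
                             :failure_audit, 'Security')
    end
  end
  events << LogEvent.new(528, Time.utc(2009, 2, 3, 9, 0, 0), :success_audit, 'Security')
  events << LogEvent.new(528, Time.utc(2009, 2, 3, 10, 0, 0), :success_audit, 'Security')
  events.sort_by(&:time_written)
end

if __FILE__ == $0
  puts "max count with per-event hash: #{per_event_max_count(sample_events)}"
  puts failed_logon_alerts(sample_events, threshold: 10)
end
```

With a real backup file the events array would come from EventLog.open_backup(file, source).read as in the thread; the grouping logic does not change. Keying on strftime('%Y-%m-%d') avoids the fixed-offset slicing of the formatted time string, which silently produces wrong keys if the Time#to_s format ever differs.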