Element: create-context
Location
/patterndb/ruleset/actions/action/create-context
Description
OPTIONAL — Creates a new correlation context from the current message and its associated context. This can be used to “split” a context.
Available in AxoSyslog version 3.8 and later.
Attributes
Children
-
message: A container element storing the message that is added to the new context when the action is executed.
-
inherit-mode: This attribute controls which name-value pairs and tags are propagated to the newly generated message.
-
context: AxoSyslog collects every name-value pair from each message stored in the context, and includes them in the generated message. If a name-value pair appears in multiple messages of the context, the value in the latest message will be used. Note that tags are not merged, the generated message will inherit the tags assigned to the last message of the context. -
last-message: Only the name-value pairs appearing in the last message are copied. If the context contains only a single message, then it is the message that triggered the action. -
none: An empty message is created, without inheriting any tags or name-value pairs.
For details on the message context, see Correlating log messages using pattern databases and Actions and message correlation. For details on triggering messages, see Triggering actions for identified messages
-
-
Example
The following example creates a new context whenever the rule matches. The new context receives 1000 as ID, and program as scope, and the content set in the <message> element of the
<rule provider='test' id='12' class='violation'>
<patterns>
<pattern>simple-message-with-action-to-create-context</pattern>
</patterns>
<actions>
<action trigger='match'>
<create-context context-id='1000' context-timeout='60' context-scope='program'>
<message inherit-properties='context'>
<values>
<value name='MESSAGE'>context message</value>
</values>
</message>
</create-context>
</action>
</actions>
</rule>