[Lognorm] Libnormalize issue
Champ Clark III [Quadrant]
cclark at quadrantsec.com
Thu Nov 3 07:09:37 CET 2011
>
> The thing to remember is that liblognorm is creating a parse tree, not a set of regex rules to match.
>
> So it's not evaluating the rules one at a time as each line arrives.
>
> Instead it's evaluating them all at the same time.
>
> It's essentially creating a mini program where it looks at the first character of the input and says 'this character means that it could match this set of rules, but not this other set', then it looks at the next character and says 'of the rules that were possible after the last step, this set is still possible' and repeats this until there is only one rule left in the 'possible' set. Then it goes through that rule to assign values to variables.
>
> This process makes it so that it takes very close to the same amount of time to evaluate a large number of rules as a small number of rules.
David,
Thanks for the response. Sagan has been using liblognorm for a while, but you've summed up how it works very well. Actually,
it even helped me! I think I'll archive your response for future Sagan/liblognorm questions that come up on our mailing list. Keep it up, awesome work....
Champ Clark III
(office) 904.253.7856
(mobile) 850.443.2440
(SOC) 800.538.9357 ext 101
cclark at quadrantsec.com
www.quadrantsec.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20111103/15aaab76/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: quadrant.png
Type: image/png
Size: 17273 bytes
Desc: not available
URL: <http://lists.adiscon.net/pipermail/lognorm/attachments/20111103/15aaab76/attachment-0001.png>
More information about the Lognorm
mailing list