It looks like it might have some interesting purposes. But for the most part, I can't think of what you would use it for. I can't think of a single example where SARE could have used this before.

Actually, the way I expect to use it is more like:

__test [A1 - A3]
__test [B1 - B3]
__test [C1 - C3]
__test [D1 - D3]

meta __META_A (__testA1 || __testA2 || __testA3)
meta __META_B (__testB1 || __testB2 || __testB3)
meta __META_C (__testC1 || __testC2 || __testC3)
meta __META_D (__testD1 || __testD2 || __testD3)

meta META_AB (__META_A && __META_B)    <- notice the &&s
meta META_CD (__META_C && __META_D)
meta META_ABC (__META_A && __META_B && __META_C)

meta META_ABCD (META_AB && META_CD)  <- not needed, just fun


Basically, I'm building a behavior discriminator, using SA in a way it was never intended.  The second layer collects "any given example" of a specific behavior, layer one regexes.  The third layer collects groupings of different layer two's, permutations that profile behavior groupings:

A = ham
AB = ham
ABC = spam
ABCD = spam

When all these layers start hitting the scoring layer, things can get pretty confusing.  But in SA, turning off scoring also turns off reporting and not knowing which individual tests combined to produce a single collective hit quickly becomes a liability.  So for example, if ABC turns out to include examples of HAM, but only because B has an entry I would prefer to delete, I can leave ABC catching spam.  But if B has 500 entries, finding the culprit to even examine if I want to kill (say) B314 is next to impossible.  And that's assuming it's only a single entry in the same package.


If you really really wanted it in the headers, you could open a BZ ticket
requesting an enhancement to create a template tag for the subtests.

In the meantime, you could create a plugin to do that too. :)

Still pretty new to SA, I'm in the middle of building my system and was hoping to find preexisting features I could simply build my configuration around.  If micro weighting (.001) doesn't work, I'll make a feature request after deciding the best way to do what I'm after.  Thinking about it today, my ideal would be:

1) An option to turn off scoring for specific tests WITHOUT turning off its event reporting.  Perhaps a different prefix, like  ++test  instead of  __test.

AND

2) A logging system that records EVERY test involved for EVERY message scanned, that also allows me to locate the correct entry (with a text editor) when all I have is the Subject: or From: of a given message.

Thanks for your ideas everyone!
Dan
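
An added example, not part of the message above and not SpamAssassin code: a small offline tracer that reads meta definitions laid out like the ones in the message and, given the set of layer-one tests that hit on one message, reports which of them caused each visible meta to fire. The rule names and the hit sets are constructed, and only the ||, && and ! operators with parentheses are handled, which is an assumption of this sketch.

```python
import re

# Constructed rules mirroring the layered layout in the message (names are illustrative).
RULES = """
meta __META_A (__testA1 || __testA2 || __testA3)
meta __META_B (__testB1 || __testB2 || __testB3)
meta __META_C (__testC1 || __testC2 || __testC3)
meta META_AB (__META_A && __META_B)
meta META_ABC (__META_A && __META_B && __META_C)
"""

def parse_metas(text):
    """Return {rule_name: expression} for each 'meta NAME EXPR' line."""
    rows = (line.split(None, 2) for line in text.splitlines())
    return {r[1]: r[2] for r in rows if len(r) == 3 and r[0] == "meta"}

def trace(name, metas, hits):
    """Return (fired, leaves): did `name` fire, and which layer-one tests caused it."""
    if name not in metas:                      # layer-one test: fired iff it is in hits
        return name in hits, {name} & hits
    toks, pos = re.findall(r"\|\||&&|!|[()]|\w+", metas[name]), 0
    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            result = or_expr()
            pos += 1                           # consume ")"
            return result
        if tok == "!":                         # a negated test contributes no hit
            return (not atom()[0]), set()
        return trace(tok, metas, hits)         # sub-meta or leaf
    def chain(op, operand, combine):
        nonlocal pos
        fired, leaves = operand()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            f, more = operand()
            fired, leaves = combine(fired, f), leaves | more
        return fired, (leaves if fired else set())
    and_expr = lambda: chain("&&", atom, lambda a, b: a and b)
    or_expr = lambda: chain("||", and_expr, lambda a, b: a or b)
    return or_expr()

def report(metas, hits):
    """Map each visible (non-__) meta that fired to the sorted leaf tests behind it."""
    traced = {n: trace(n, metas, hits) for n in metas if not n.startswith("__")}
    return {n: sorted(leaves) for n, (fired, leaves) in traced.items() if fired}
```

Calling report(parse_metas(RULES), {"__testA1", "__testB2"}) returns only META_AB with those two tests listed, which is the per-message answer to "which entry in B was responsible".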
