My bad, sent the wrong rule. Here is the correct SEC rule that I have in production.

type=pairWithWindow
ptype=regexp
continue=dontcont
pattern=Date=.* ,Device=(\S+) ,Msg=.*%((SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed.*)
desc=$1 $3 $4
action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
ptype2=regexp
pattern2=Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).* Recovered: .* supply (\d): failed)
desc2=logonly
action2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
window=3600

Thanks,
Shashi

From: Risto Vaarandi [mailto:risto.vaara...@gmail.com]
Sent: Thursday, September 08, 2016 12:31 PM
To: Ganji, Shashirekha Yadav <shash...@qualcomm.com>
Cc: simple-evcorr-users@lists.sourceforge.net
Subject: Re: Pairwithwindow rule

hi Shashi,

there appears to be a subtle difference between the regular expression and the event you are trying to match. When you take a closer look at the regular expression, you will notice that it contains the following fragment:

%SATCTRL-FEX101-2

However, the event from the log file contains the substring "%SATCTRL-FEX107-2" which doesn't match the above construct. To fix the regular expression and make it work for both 101 and 107, you could use the construct 10[17] or perhaps just \d+.

kind regards,
risto

2016-09-08 22:11 GMT+03:00 Ganji, Shashirekha Yadav <shash...@qualcomm.com>:

Hi All,

Is there any problem in this rule? The rule was all working well but suddenly stopped working, no longer matching the first pattern.
## Rule: 30(Nexus Extender power supply) Environment alert regarding power supply failure
# It will suppress alarm if power supply recovers within an hour
type=pairWithWindow
ptype=regexp
continue=dontcont
pattern=Date=.* ,Device=(\S+) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed)
desc=$1 $3 $4
action=shellcmd perl /etc/syslog-config/send2mom/sec_s2m_v2.pl --targetparent $1 --target $4 --notifying_group NETRS --severity MAJOR --kpi Network --pattern "$3" --log "$2" --source SEC --sendevent on
ptype2=regexp
pattern2=Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).* Recovered: .* supply (\d): failed)
desc2=logonly
action2=shellcmd echo `date` "Source=SEC, KpiName=Network, Severity=-, Action=Suppress, Device=$1, Pattern=$3, Notify Group=-, Log $0" >> /local/mnt/workspace/logs/sec-logs/sec-messages.log
window=3600

To be matched data:

Date=Sep 8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016 Sep 8 08:12:30 PDT: %SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power supply 2: failed

Thanks,
Shashi
------------------------------------------------------------------------------
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
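
The mismatch Risto points out, as an added example that is not part of the thread or of SEC itself: a Python regression check that runs both versions of the first pattern against the event quoted in the thread and against other FEX numbers, then pairs the result with pattern2. Assumptions: the helper names are hypothetical, Python's `re` stands in for SEC's Perl regular expressions (the patterns use only syntax common to both), the recovery event is constructed, and escaping the device name before substituting `$1` is a choice of this harness.

```python
import re

# First patterns copied from the thread: the original rule and the production rule.
OLD_PATTERN = r"Date=.* ,Device=(\S+) ,Msg=.*((%SATCTRL-FEX101-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed)"
NEW_PATTERN = r"Date=.* ,Device=(\S+) ,Msg=.*%((SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).*power supply (\d): failed.*)"
# pattern2 of the production rule; $1 is filled in from the first match.
PATTERN2 = r"Date=.* ,Device=($1) ,Msg=.*((%SATCTRL-FEX1[0-9][0-9]-2-SOHMS_DIAG_ERROR:).* Recovered: .* supply (\d): failed)"

# Event quoted in the thread.
FAILURE_EVENT = ("Date=Sep 8 08:12:30 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016 Sep 8 08:12:30 PDT: "
                 "%SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 System minor alarm on power supply 2: failed")
# Constructed recovery event (not from the thread), shaped to fit pattern2.
RECOVERY_EVENT = ("Date=Sep 8 08:20:00 ,Device=san-w170-dcr-sw-02-mgmt ,Msg=2016 Sep 8 08:20:00 PDT: "
                  "%SATCTRL-FEX107-2-SOHMS_DIAG_ERROR: FEX-107 Recovered: System minor alarm on power supply 2: failed")


def match_vars(pattern, line):
    """Return the capture groups as {'$1': ..., '$2': ...}, or None if no match."""
    m = re.search(pattern, line)  # unanchored search, like a Perl match
    if m is None:
        return None
    return {f"${i}": g for i, g in enumerate(m.groups(), start=1)}


def pattern2_for(device):
    """Substitute $1 into pattern2 (harness choice: device name is escaped)."""
    return PATTERN2.replace("$1", re.escape(device))


def fex_event(fex_id):
    """Variant of the thread's event for another FEX number (constructed)."""
    return FAILURE_EVENT.replace("FEX107", f"FEX{fex_id}").replace("FEX-107", f"FEX-{fex_id}")


def coverage(pattern, fex_ids):
    """FEX numbers whose failure event the pattern matches."""
    return [n for n in fex_ids if match_vars(pattern, fex_event(n)) is not None]


if __name__ == "__main__":
    for name, pat in (("old", OLD_PATTERN), ("new", NEW_PATTERN)):
        print(name, "matches thread event:", match_vars(pat, FAILURE_EVENT) is not None)
        print(name, "FEX ids covered:", coverage(pat, [101, 107, 115, 200]))
    dev = match_vars(NEW_PATTERN, FAILURE_EVENT)["$1"]
    print("recovery pairs with", dev, ":", match_vars(pattern2_for(dev), RECOVERY_EVENT) is not None)
```

Keeping a check like this next to the rule file shows which device identifiers a hard-coded pattern silently ignores before an alert goes missing in production.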