Jason or Anyone,

Ok, now that that makes sense, do you know how the "dedupid" is determined? It looks like (at least for this event) this event has the dedupid as "device||eventClass||severity|summary". /I attached the fields and details tabs of the event to this email so you can see the entire event./

But, where is the dedupid field set? In order for this alert to come across not Unknown, I created an Event Mapping as /Events/Net/Netrake/postAlarm (Netrake is the device it came from, which is why I made an Event Class called /Net/Netrake).

Under this Event Mapping, I have no Rules/Regex or Transforms so I am wondering where I need to go to define or break apart the deduplication. I am assuming that in the Rules field I may have to do something like "evt.dedupid=device||eventClass|severity" or something like that if I wanted to be less general on this alert so I would get all specific alerts for all events coming from that device with the same eventClass and that have the same severity. If I try this, and click save, it turns the text red. So I'm guessing that won't work.

Is my logic correct and I just need to get my syntax correct?

Any help would be greatly appreciated.
-Daniel

Daniel McKinney wrote:
Jason,

Thanks very kindly. I think I understand it better now. I implemented scenario #2 for my second question and I think it's working. My up events are being set to green and my down events are being marked as red. I still need to do some testing to see if the green event will clear the red event though.

Thanks again,

-Daniel

Jason Stevens wrote:
Daniel,

<clip>
Which is great. And I can even understand this by looking at the /Events/Net/Cisco/LINK-3-UPDOWN class and looking at the Regex field and it displays the following:
    Interface (?P<component>\S+), changed state to (up|down)

So I have a couple of specific scenarios to ask about.

1) I click on an "Interface FastEthernet0/8, changed state to down" event and look at the eventClassKey and it states LINK-3-UPDOWN.

    * I go look at that Class Mapping and it shows the text above as
      the Regex line.
    * How did the component column of the event get propagated with
      the FastEthernet0/8?  Did it take the event and extract the
      Interface portion and stick it into the component field?
    * Or, did some other rules processing I can't find take the
      Interface portion of the alert and fill in the component column?

The component value for the event was slurped out of the regex you mentioned above. The (?P<component>\S+) is an example of the Python-specific named group syntax. Basically it lets you assign a name to part of the matched text. In Zenoss event mapping regex fields you can use this syntax to assign values to event fields.

2) Second part is, the "changed to state down" and "changed to state up" events both come in as a severity of Major (orange). I would like to make the up events a severity of Clear (green). And the best situation would be to have the green event clear the orange event, but I will work in stages.

    * Is there any control as to what eventClassKey an event comes
      across as?
    * If there is not, if all of my link events are coming across as
      LINK-3-UPDOWN, how can i peel it apart to make the up events a
      severity of green and keep the down events an orange severity?

I don't think there's any easy way to control which eventClassKey the event comes in as, but event mappings should allow you to accomplish what you want here. There are a couple ways of doing what you want:

1) Use an event mapping to identify the "state up" events, set them to the same event class as the "state down" events and set the severity to 0 (clear.)

or

2) Have "state up" and "state down" come in as different event classes. Use the zEventClearClasses property of the "state down" event class to specify that it is cleared by the "state up" event class.

In either case you should end up with the "state down" events being cleared by the "state up" events.

If you run into problems then post details (eventKey, msg, etc) of the two types of events and we can probably help you out.

-jason



------------------------------------------------------------------------

_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
dedupid         STG-DE1||/Net/Netrake||3|snmp trap postAlarm from STG-DE1
evid    0a35b39e352511269fffe0b4
device  STG-DE1
component       
eventClass      /Net/Netrake
eventKey        
summary         snmp trap postAlarm from STG-DE1
message         

snmp trap postAlarm from STG-DE1

severity        3
eventState      0
eventClassKey   postAlarm
eventGroup      trap
stateChange     2007/04/03 09:42:43.000
firstTime       2007/04/02 15:30:49.809
lastTime        2007/04/03 09:42:43.773
count   1222
prodState       1000
suppid  
manager         netcool1
agent   zentrap
DeviceClass     /Network/Session Border Controller
Location        
Systems         |/Staging
DeviceGroups    |
ipAddress       192.168.226.120
facility        unknown
priority        -1
ntevid  0
ownerid         
clearid         
DevicePriority  3
eventClassMapping 
acitveAlarmReportingSource      1
activeAlarmAdditionalInfo       0MB remaining
activeAlarmCategory     2
activeAlarmDevType      1
activeAlarmDisplayString        SDR Allocated Disk Space
activeAlarmEventFlag    1
activeAlarmId   144
activeAlarmOccurances   516
activeAlarmPortNum      -1
activeAlarmServiceAffecting     1
activeAlarmSeverity     1
activeAlarmSlotNum      1
activeAlarmSubType      0
activeAlarmSysUpTime    888678508
activeAlarmTimeStamp    2007-04-02,19:30:49:00.0,+00:00
activeAlarmType         9435
snmpTrapOID     .1.3.6.1.4.1.10950.1.1.3.3
sysUpTimeInstance       701429486
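
Added example, not part of the original thread and not Zenoss code: a small Python model of how the named-group regex fills the component field, how a pipe-joined dedupid collapses repeats, and how an "up" event at severity 0 clears the matching "down" event. Assumptions: the group name `state`, the sample device `sw1` and class `/Net/Link` are constructed; the dedupid field order is read off the attached event above; matching clears on device, component and eventClass is a simplification.

```python
import re

# Regex quoted in the thread. Naming the second group "state" is an addition
# made for this example; the original pattern leaves (up|down) unnamed.
LINK_RE = re.compile(r"Interface (?P<component>\S+), changed state to (?P<state>up|down)")

# Assumption: field order read off the dedupid of the attached event.
DEDUP_FIELDS = ("device", "component", "eventClass", "eventKey", "severity", "summary")

def apply_mapping(evt):
    """Copy named groups into event fields; turn "up" events into Clear (0)."""
    m = LINK_RE.search(evt["summary"])
    if m is None:
        return dict(evt)
    out = dict(evt, component=m.group("component"))
    if m.group("state") == "up":
        out["severity"] = 0
    return out

def dedupid(evt):
    return "|".join(str(evt.get(f, "")) for f in DEDUP_FIELDS)

def clear_key(evt):
    # Simplified model: a clear matches open events on these three fields.
    return (evt["device"], evt.get("component", ""), evt["eventClass"])

def process(events):
    """Return open events keyed by dedupid after dedup and auto-clear."""
    open_events = {}
    for raw in events:
        evt = apply_mapping(raw)
        if evt["severity"] == 0:
            open_events = {k: e for k, e in open_events.items()
                           if clear_key(e) != clear_key(evt)}
        elif dedupid(evt) in open_events:
            open_events[dedupid(evt)]["count"] += 1
        else:
            open_events[dedupid(evt)] = dict(evt, count=1)
    return open_events

def link(port, state):
    # Constructed sample event; device and event class are hypothetical.
    return {"device": "sw1", "eventClass": "/Net/Link", "eventKey": "", "severity": 4,
            "summary": f"Interface {port}, changed state to {state}"}

# Field values copied from the event attached to the post.
NETRAKE = {"device": "STG-DE1", "eventClass": "/Net/Netrake", "severity": 3,
           "summary": "snmp trap postAlarm from STG-DE1"}
```

Because the summary is part of the dedupid here, two events from the same device and class with different summaries stay separate rows, while identical repeats only raise the count.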