Event Mapping

Discussion:

Event Mapping

chrisv

2012-04-11 19:16:40 UTC

chrisv [http://community.zenoss.org/people/chrisv] created the discussion

"Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/65831#65831

--------------------------------------------------------------
I have an eventclasskey, MSCRMEmail_0 (from windows event log), that I'm trying to create two mappings for such that one will pick up a specific string in the event message and the second will catch all other cases.

I created the original mapping, MSCRMEMAIL_0_0, via the Zenoss event console using the above eventcalsskey and with a sequence number of 1 which will be my catch all mapping. I then created MSCRMEMAIL_0_1, again using the above eventclasskey but with a sequence number of 0, this is my specific message mapping. I've tried using a regex expression, 61042\s-\s.*$, to catch the string and a rule, evt.summary.startswith('#61042'), but neither seems to pick up the event. The example is #61042 - An error occurred while processing the outgoing e-mail message with subject "StyleADVISOR - Early Index Update is now

Regardless of which method I use to catch the event in a mapping the event always ends up mapped to MSCRMEmail_0_0. oddly enopugh both mappings will show the event when I click the events link from the mapping.

FWIW what I want to do is catch the specific text in the event message, becasue the eventclasskey alone is not enough to catch the specific event, so that I can change the event severity which I'm trying to do via the eventclass mapping properties.

I've been over the documentation several times and feel I'm close but cannot see where this is failing to pickup the correct mapping and thus change the event severity.

ChrisV
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/65831#65831]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

chrisv

2012-04-11 23:11:44 UTC

Permalink

chrisv [http://community.zenoss.org/people/chrisv] created the discussion

"Re: Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/65833#65833

--------------------------------------------------------------
I did some testing with another event (that occurs more often and therefore easier to troubleshoot) and found the regex was working as I had understood it would so I'm not sure why this particular mapping is not working correctly. I suspect it may have something to do with the fields in the mapping. Perhaps either the way I named the mappings or one of the other fields.

Regardless, during my testing events that were caught by the specific mapping still showed in the general case mapping which to me is arguably a bug. It seems whatever event filter being applied is happening on the eventclasskey and not the eventclassmapping which is a bit misleading. Either that or I'm braindead... :-/
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/65833#65833]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

dpetzel

2012-04-11 23:34:39 UTC

Permalink

dpetzel [http://community.zenoss.org/people/dpetzel] created the discussion

"Re: Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/65834#65834

--------------------------------------------------------------
I have not done a lot with event mappings, but I'm curious if an event transform wouldnt be a better approach for what you are trying?

If I understand your requirement, the end goal is really nothing more than changing the severity? If that is the case, I believe an event transform might work.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/65834#65834]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

jcurry

2012-04-12 12:53:09 UTC

Permalink

jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/65852#65852

--------------------------------------------------------------
Have you pulled my Event Management paper - it may help you with this - http://community.zenoss.org/docs/DOC-3538 http://community.zenoss.org/docs/DOC-3538 .

Fundamentally, the initial match is the eventClassKey.Â If that matches, then, if there is a Rule specified, then it MUST be satisfied.Â If yes, then check any Regex - if that is satisfied then you have a mapping match.Â If the Rule doesn't match then the mapping stops there without checking the regex.

If there is no Rule then the Regex is checked after the eventClassKey and again the mapping applies if the eventClassKey and Regex match.

You obviously understand the sequence numbering idea - the lowest sequence number is checked first.Â Do just check that your sequence numbers are actually what you think they are - I find the GUI a bit quirky here.

In your example above with #61042 - is that number a variable that changes each event??Â You will find some sample regexs in the paper referenced.

Cheers,
Jane
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/65852#65852]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

chrisv

2012-04-12 20:06:04 UTC

Permalink

chrisv [http://community.zenoss.org/people/chrisv] created the discussion

"Re: Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/65861#65861

--------------------------------------------------------------
I've poured over the documentation several times and so believe I understand it fairly well. However, I will conceed that the regex I'm using may be the problem but it has passed my tests.

The best way I can describe the #61042 is that it is a sub-event id. That is to say the ntevid is '0' but the application writting the event is putting it's own event id in the message body (as the first part of the message).

I'm trying to make incremental changes to the mapping so i can catch exactly where the problem occurs but unfortunately this particular event that is causing me problems does not happen very often so the process is slow. I'm now at the point of having two identical mappings. Only the name, sequence number, and regex differ. If the specific mapping fails again I'll look at the regex as the culprit, if it passes I'll incrementally make changes to the specific mapping until I figure out what is causing it to fail.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/65861#65861]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

dpetzel

2012-04-12 20:44:46 UTC

Permalink

dpetzel [http://community.zenoss.org/people/dpetzel] created the discussion

"Re: Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/65858#65858

--------------------------------------------------------------
For your testing you can use the UI to generate events with all the same attributes as the one that is sent in. You shouldnt need to "wait" for it to happen for real. Using that should drastically speed up your testing.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/65858#65858]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

chrisv

2012-05-03 15:48:59 UTC

Permalink

chrisv [http://community.zenoss.org/people/chrisv] created the discussion

"Re: Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/66196#66196

--------------------------------------------------------------

Post by dpetzel
For your testing you can use the UI to generate events with all the same attributes as the one that is sent in. You shouldnt need to "wait" for it to happen for real. Using that should drastically speed up your testing.

Actually, adding events through the UI seems to skip the mapping process. Not sure if it is intended or a result of my larger issue with the event mapping.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/66196#66196]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

dpetzel

2012-05-04 02:57:25 UTC

Permalink

dpetzel [http://community.zenoss.org/people/dpetzel] created the discussion

"Re: Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/66222#66222

--------------------------------------------------------------
Hmm I was not aware of that limation. There is another another utility, zensendevent I believe its called, in the zenoss bin directory. This will generate an event externally. If the UI really skips the mapping, perhaps zensendevent can speed your testing.
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/66222#66222]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]

jcurry

2012-05-04 08:29:39 UTC

Permalink

jcurry [http://community.zenoss.org/people/jcurry] created the discussion

"Re: Event Mapping"

To view the discussion, visit: http://community.zenoss.org/message/66224#66224

--------------------------------------------------------------
Creating events via the UI does not skip the mapping process.Â I have used this many times to test simple mappings.Â You certainly cannot specify all the fields you might like, but it dies go through the mapping process.

If you need to test more event attributes than you have access to with UI or zensendevent, then changing zensendevent is not too hard.,

Cheers,
Jane
--------------------------------------------------------------

Reply to this message by replying to this email -or- go to the discussion on Zenoss Community
[http://community.zenoss.org/message/66224#66224]

Start a new discussion in zenoss-users by email
[discussions-community-forums-zenoss--***@community.zenoss.org] -or- at Zenoss Community
[http://community.zenoss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2003]