I am trying to make use of a context to link a past event to a current
event, and then use the content to fire off another rule set and I am
puzzled as to how to assign the value in the context to a %variable. I
am not used to the report() action, and I really don't want to resort to
mining the SEC internals for %main::context_list. May I have some
correction or guidance as to how to proceed?
In the example below, I parse an event message of "XXX Host
Unreachable" and create an incident ticket (INCxxxxx). The ticket
number becomes part of the event stream. Some time later (hours or days
later), the reason for the ticket is gone, so I would like to resolve
the ticket.
type=PairWithWindow
ptype=RegExp
continue=TakeNext
pattern="?(\S+) Host Unreachable
desc=$1 Host Unreachable after 15 minutes
window=900
context=[ CORRELATOR_TICKET && !MOS_$1 ]
action= eval %HostWaitingTicket ( return "Node $1" ) ; \
        logonly %s ; \
        spawn /swadm/bin/ITSM -operation create \
              -short_description "$1: Node Unreachable" \
              -comment "The host $1 isn't responding to polls. Please investigate."
ptype2=RegExp
continue2=TakeNext
pattern2="?$1 Host Reachable
desc2=%1 Host Reachable
action2=logonly %s

type=Single
ptype=RegExp
pattern=Ticket (INC\d+) issued
desc=Created Incident Ticket number $1
action=create TICKET_FOR_%HostWaitingTicket; \
       add TICKET_FOR_%HostWaitingTicket $1;

type=Single
ptype=RegExp
pattern=(\S+) Host Reachable
desc=delete ticket for host $1
action= eval %MyTicketNumber ( report TICKET_FOR_$1 /bin/sh ) ; \
        logonly Incident ticket %MyTicketNumber : %s ; \
        spawn /swadm/bin/ITSM -operation resolve \
              -ticket %MyTicketNumber \
              -notes "The host $1 has recovered."
Please advise,
Tim Peiffer
--
Tim Peiffer
Network Support Engineer
Office of Information Technology
University of Minnesota/NorthernLights GigaPOP
+1 612 626-7884 (desk)
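As an added example (my own rules, not Tim's and not from the SEC project), here is one way to get the ticket number out of the context without going through report: store the number with add, then pull it into a %variable with SEC's copy action, which copies a context's event store into a user-defined variable. It assumes a SEC release that has the copy action, that /swadm/bin/ITSM prints a "Ticket INCnnnnn issued" line on stdout (spawn feeds that line back to SEC as an event, which is what the second rule relies on), and that only one host is waiting for a ticket at a time, since %HostWaitingTicket is a single global. The host name alone is kept in %HostWaitingTicket so that the context created in rule 2 has the same name that rule 3 looks up.

```sec
# Added example, not from the original post. Assumes a SEC release with the
# copy action and an ITSM tool that prints "Ticket INCnnnnn issued" on stdout.

# 1. Host unreachable and not back within 15 minutes: open a ticket.
#    %HostWaitingTicket holds only the host name, so the context name built
#    from it in rule 2 matches the TICKET_FOR_$1 lookup in rule 3.
type=PairWithWindow
ptype=RegExp
pattern=(\S+) Host Unreachable
desc=$1 Host Unreachable after 15 minutes
action=assign %HostWaitingTicket $1; \
       logonly %s; \
       spawn /swadm/bin/ITSM -operation create \
             -short_description "$1: Node Unreachable" \
             -comment "The host $1 isn't responding to polls. Please investigate."
ptype2=RegExp
continue2=TakeNext
pattern2=$1 Host Reachable
desc2=Host reachable again within the window, no ticket needed
action2=logonly %s
window=900

# 2. The spawned ITSM command's stdout comes back to SEC as an event.
#    Keep the ticket number in the event store of a per-host context.
#    Syntax is "add <context> <event text>", context name first.
type=Single
ptype=RegExp
pattern=Ticket (INC\d+) issued
desc=Created incident ticket $1
action=create TICKET_FOR_%HostWaitingTicket; \
       add TICKET_FOR_%HostWaitingTicket $1

# 3. Host is back and a ticket context exists for it: copy the stored
#    number into %MyTicketNumber, resolve the ticket, drop the context.
#    The context= line keeps this rule silent for hosts without a ticket.
type=Single
ptype=RegExp
pattern=(\S+) Host Reachable
context=TICKET_FOR_$1
desc=Resolve incident ticket for host $1
action=copy TICKET_FOR_$1 %MyTicketNumber; \
       logonly Resolving incident ticket %MyTicketNumber for $1; \
       spawn /swadm/bin/ITSM -operation resolve \
             -ticket %MyTicketNumber \
             -notes "The host $1 has recovered."; \
       delete TICKET_FOR_$1
```

Because the event store of TICKET_FOR_host contains exactly one line (the number added in rule 2), copy leaves %MyTicketNumber holding just that number. If several hosts can go down before their tickets are issued, the single %HostWaitingTicket is overwritten and the ticket can be filed under the wrong host; in that case the ITSM output would need to carry the host name so rule 2 can key the context on it instead.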
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users