I literally just ran into this yesterday. My solution was to use the regex to parse out the important parameters using the (?P<VARIABLE>\S+) tags... (regex would be something along the lines of "end_request: I/O error, dev (?P<device>\S+).*"
Then in the transform section, rewrite the event's summary to be something that doesn't change. such as (and this is pseudocode) evt.summary = "end_request: I/O error on device " + getattr(evt, "device", "unknown") This basically strips the sector infomration out of the message which causes zenoss to not increment the counter and instead create a new event for every sector. Only down side is that you loose the info on which sector was causing the problem. Hope this helps. -trey On Wed, Jan 14, 2009 at 11:33 AM, vincem <[email protected]> wrote: > > Hi > > I have setup syslog forwarding to zenoss which works fine. Created a new > Event Class "StorageErrors" with a mapping to kernel_StorageErrors where I > have defined > > Event Class Key - kernel > Sequence - 1 > Rule - > Regex - end_request ( this is the string I am interested in reporting) > > > The above works fine with event been captured and passed to correct Event > Class > > My question is - how can I filter multiple occurences of the same message to > only create one event. If the Regex is exactly the same each time Zenoss does > this automatically by increasing the count. My problem is that I may get > multiple messages which are not identical but similar ( see below) - I just > want on alert sent out > > Jan 14 08:54:13 testnode kernel: end_request: I/O error, dev sdc, sector > 148955392 > Jan 14 08:54:13 testnode kernel: end_request: I/O error, dev sdc, sector > 148955400 > Jan 14 08:54:13 testnode kernel: end_request: I/O error, dev sdc, sector > 147652864 > Jan 14 08:54:13 testnode kernel: end_request: I/O error, dev sdc, sector > 147652872 > Jan 14 08:54:13 testnode kernel: end_request: I/O error, dev sdc, sector > 8446208 > Jan 14 08:54:13 testnode kernel: end_request: I/O error, dev sdc, sector > 8446216 > > PS > > Is there any way to clear these automatically > > many thanks > > > > > -------------------- m2f -------------------- > > Read this topic online here: > http://forums.zenoss.com/viewtopic.php?p=30042#30042 > > -------------------- m2f -------------------- > > > > _______________________________________________ > zenoss-users mailing list > [email protected] > http://lists.zenoss.org/mailman/listinfo/zenoss-users _______________________________________________ zenoss-users mailing list [email protected] http://lists.zenoss.org/mailman/listinfo/zenoss-users
