The warning "take more time for nas to run" is situational. It depends on the hardware you are running on and what your alarm volume is.
If you are doing one alarm a second and you introduce this, it's one more string compare per second more than nas was doing without the criteria (under the presumption that adding dns_response to the profile criteria is the change you are talking about.) Consider further that string compare is really a series of integer compares and those happen extremely quickly. As such you are probably going to be unable to measure any impact of this change.
Change that to a case where you have added this compare to each of 100 profiles and you do a thousand messages a second, and now that simple comparison is multiplied by 100,000, and that you might see. But then the question is whether that slowdown is worth the cost. And if it's a business need then it likely will be.
And to go theoretical on why there's this perception of slowing nas down, I personally think most of that stems from badly written criteria - /.*failure.*/ can run hundreds of times slower than /.*?failure.*/ - note the introduction of ? to force lazy matching on the *.
Original Message:
Sent: 08-16-2021 08:19 AM
From: Nijin K
Subject: way to edit suppression key
Does it take more time for nas to run the rule with the script? Below are the settings.
Original Message:
Sent: 08-16-2021 08:15 AM
From: Nijin K
Subject: way to edit suppression key
string_match = string.match(event.message,"/failed/")
if string_match ~= nil then
event.custom_3 = dns_lookup_failed
end
return event
Still not working. Any suggestions? Below is the message in the alarm:
DNS lookup of 'Domain' failed (type 'mx') on nameserver 'server name' for profile 'profile name'
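Added example, not part of the original thread and not any poster's code: a custom pre-processing script that tags this alarm in custom_3 and leaves supp_key alone. Lua's string library takes no /.../ delimiters, so "/failed/" only matches text that contains literal slashes. The function name tag_dns_failure and the "other_probe" event are made up for illustration, and the test data is constructed from the alarm message above.

```lua
-- Added example, not code from the thread. Outside nas the global 'event'
-- is nil, so constructed test data is supplied (message text from the thread).
local standalone = (event == nil)
if standalone then
  event = {
    prid = "dns_response",
    message = "DNS lookup of 'Domain' failed (type 'mx') on nameserver "
      .. "'server name' for profile 'profile name'",
    supp_key = "testsuppkey",
  }
end

-- Tag DNS lookup failures in custom_3; supp_key is left alone.
local function tag_dns_failure(ev)
  if ev.prid ~= "dns_response" or type(ev.message) ~= "string" then
    return ev
  end
  -- Plain substring search: the 4th argument (true) turns pattern matching
  -- off. Lua has no /.../ delimiters, so "/failed/" would need literal slashes.
  if string.find(ev.message, "failed", 1, true) then
    ev.custom_3 = "dns_lookup_failed" -- quoted string, not an unset global
  end
  return ev
end

event = tag_dns_failure(event)

if standalone then
  -- Checks on the constructed data; skipped when nas supplies the event.
  assert(event.custom_3 == "dns_lookup_failed")
  assert(event.supp_key == "testsuppkey")
  assert(string.match(event.message, "/failed/") == nil)
  -- Constructed event from a made-up probe name: must pass through untouched.
  local other = tag_dns_failure({ prid = "other_probe", message = "check failed" })
  assert(other.custom_3 == nil)
  print("custom_3 = " .. event.custom_3)
end

return event
```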
Original Message:
Sent: 08-16-2021 07:38 AM
From: Luc Christiaens
Subject: way to edit suppression key
Field name is: event.custom_3 = "dns_lookup_failed"
Try coding the string_match like proposed by Garin ("/failed/")
Original Message:
Sent: 08-16-2021 06:43 AM
From: Nijin K
Subject: way to edit suppression key
I came up with the lines below:
string_match = string.match(event.message,{failed})
if string_match ~= nil then
custom3 = dns_lookup_failed
end
return event
But it is not working; the alarm is coming in as it was earlier.
Original Message:
Sent: 08-16-2021 05:32 AM
From: Nijin K
Subject: way to edit suppression key
If I want to edit custom 1 or 2, what would be the command that I would use?
Original Message:
Sent: 08-13-2021 04:49 PM
From: Nijin K
Subject: way to edit suppression key
Hi Garin,
This is how we have been correlating alarms to application, to ticket queue and to severity, so normally suppression has been different for different alarms or easily editable, but for these probes it's not. So maybe, yeah, if it harms Nimsoft functionality we can use a custom column.
Original Message:
Sent: 08-13-2021 12:51 PM
From: Garin Walsh
Subject: way to edit suppression key
With this code, I usually do something like:
if ( event == nil ) then
    -- Supply test data
    event = {}
    event.prid = 'dns_response'
    event.message = 'This is a sample message'
    event.supp_key = 'testsuppkey'
end
probe = event.prid
if probe == 'dns_response' then
    supp_key = string.match(event.message, "/failed/")
    if supp_key ~= nil then
        event.supp_key = supp_key
    end
end
return event
That will get you past the testing part of stuff and you can use the same code in production.
Keith is correct about setting the filters but keep in mind that nas will run only one preprocessing script and so if you start doing preprocessing you will likely wind up rolling the scripts together into one.
But to go back to your original problem statement, supp_key is used to tie individual messages together - if you start changing and using supp_key for your own purposes, you'll likely wind up breaking other function in UIM - like being able to match the close message to an existing alarm.
Is there a reason you are not using the custom_1-5 fields to put your own data into? The same preprocessing logic can be applied but it would leave the supp_key alone.
Original Message:
Sent: 08-13-2021 12:03 PM
From: Nijin K
Subject: way to edit suppression key
Hi all,
I tried to perform this for the dns_response probe, with the string being matched in the event message being "failed". I came up with something like this:
probe = event.prid
if probe == 'dns_response' then
supp_key = string.match(event.message, "/failed/")
if supp_key ~= nil then
event.supp_key = supp_key
end
end
return event
But I am getting an error:
Error in line 1: attempt to index global 'event' (a nil value)
What am I doing wrong?
Original Message:
Sent: 08-13-2021 10:38 AM
From: Garin Walsh
Subject: way to edit suppression key
The Google search hits are pretty good for Lua - drop "Lua how to match pattern string" into the search bar and you'll get plenty of responses.
https://www.lua.org/pil/20.2.html
is the #1 hit and is full of examples.
Original Message:
Sent: 08-13-2021 06:44 AM
From: Nijin K
Subject: way to edit suppression key
Yes Keith,
I also reached the same Lua. Now I am just confused about how to match a particular string or word from the message text, so that I put the above condition after the probe and the word from the message have been matched.
Original Message:
Sent: 08-12-2021 01:04 PM
From: Keith Kruepke
Subject: way to edit suppression key
So for your specific case, here is the easy part of the Lua script:
event.supp_key = "new_custom_suppression_key"
return event
The (possibly) hard part is making sure the script uses the right value as the new suppression key.
Original Message:
Sent: 08-12-2021 04:28 AM
From: Luc Christiaens
Subject: way to edit suppression key
from techdocs:
The event table is placed into the Lua context prior to executing the "custom" pre-processing rule. You may alter (launder) the event by setting these fields: message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 through _5, supp_key, and origin. The following fields are present for the script to use:
.source - source of the alarm (typically ip-address)
.hostname - resolved name (robotname or ip-address to name resolution)
.level - severity level (0-5)
.sid - subsystem identification.
.message - alarm message text.
.origin - origin of the alarm (stamped by nearest hub, or in some cases the robot.)
.domain - name of originating domain.
.robot - name of the sending robot.
.hub - name of the nearest hub to the sending robot.
.prid - name of probe issuing the alarm.
.user_tag1 - user tag 1 (as set by robot).
.user_tag2 - user tag 2 (as set by robot).
.supp_key - suppression identification key.
.visible - flag for visibility (true = visible)
The script is expected to return the event (modified or not) or nil. A nil indicates that the event is to be skipped.
Small example to set a probe value if probe name is not filled in
-----------------------------------------
-- in case there is NO probe name
if event.prid == nil then
event.prid = "no_probe"
end
-- update event
return event
------------------------------------------