DX Unified Infrastructure Management

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

I think you can only alter the following fields:
message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 to custom_5, supp_key and origin
Original Message:
Sent: 09-17-2020 03:52 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

Luc, this is stated by documentation, but im am seeking something ultra custom. :)
Original Message:
Sent: 09-17-2020 04:34 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

I think you can only alter the following fields:
message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 to custom_5, supp_key and origin
Original Message:
Sent: 09-17-2020 03:52 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

This list is coming from the original Nimsoft documentation, and in my experience this is in most cases correct.
Original Message:
Sent: 09-17-2020 04:38 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this is stated by documentation, but im am seeking something ultra custom. :)
Original Message:
Sent: 09-17-2020 04:34 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

I think you can only alter the following fields:
message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 to custom_5, supp_key and origin
Original Message:
Sent: 09-17-2020 03:52 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

Now I'm thinking that this will not be a solution to our problem. I have checked another customers evironment where we have similar implementation but we are using snmptd to create alarms which have different source and hostname. Those alarms also have primary hub robot name in their event.robot value but they are mapped correctly to retrospective inventory items.

Does anyone know how alarms are mapped to the inventory items. Which criteria must be complied to alarm be successfully mapped?---------------


This is example which works.



Original Message:
Sent: 09-17-2020 04:43 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

This list is coming from the original Nimsoft documentation, and in my experience this is in most cases correct.
Original Message:
Sent: 09-17-2020 04:38 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this is stated by documentation, but im am seeking something ultra custom. :)
Original Message:
Sent: 09-17-2020 04:34 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

I think you can only alter the following fields:
message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 to custom_5, supp_key and origin
Original Message:
Sent: 09-17-2020 03:52 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

A possibility is having the correct dev_id in the alarm.  This can be added/modified via alarm_enrichment rules that will add the dev_id for probes that generates alarms with a different source. (like net_connect or logmon)
Original Message:
Sent: 09-17-2020 06:22 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Now I'm thinking that this will not be a solution to our problem. I have checked another customers evironment where we have similar implementation but we are using snmptd to create alarms which have different source and hostname. Those alarms also have primary hub robot name in their event.robot value but they are mapped correctly to retrospective inventory items.

Does anyone know how alarms are mapped to the inventory items. Which criteria must be complied to alarm be successfully mapped?---------------


This is example which works.

And this one which is similar doesn't

Original Message:
Sent: 09-17-2020 04:43 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

This list is coming from the original Nimsoft documentation, and in my experience this is in most cases correct.
Original Message:
Sent: 09-17-2020 04:38 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this is stated by documentation, but im am seeking something ultra custom. :)
Original Message:
Sent: 09-17-2020 04:34 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

I think you can only alter the following fields:
message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 to custom_5, supp_key and origin
Original Message:
Sent: 09-17-2020 03:52 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

Where to collect dev_id, there is no dev_id in cm_computer_system table, and in cm_device there is multiple rows for same name entry.


Original Message:
Sent: 09-17-2020 07:36 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

A possibility is having the correct dev_id in the alarm.  This can be added/modified via alarm_enrichment rules that will add the dev_id for probes that generates alarms with a different source. (like net_connect or logmon)
Original Message:
Sent: 09-17-2020 06:22 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Now I'm thinking that this will not be a solution to our problem. I have checked another customers evironment where we have similar implementation but we are using snmptd to create alarms which have different source and hostname. Those alarms also have primary hub robot name in their event.robot value but they are mapped correctly to retrospective inventory items.

Does anyone know how alarms are mapped to the inventory items. Which criteria must be complied to alarm be successfully mapped?---------------


This is example which works.

And this one which is similar doesn't

Original Message:
Sent: 09-17-2020 04:43 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

This list is coming from the original Nimsoft documentation, and in my experience this is in most cases correct.
Original Message:
Sent: 09-17-2020 04:38 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this is stated by documentation, but im am seeking something ultra custom. :)
Original Message:
Sent: 09-17-2020 04:34 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

I think you can only alter the following fields:
message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 to custom_5, supp_key and origin
Original Message:
Sent: 09-17-2020 03:52 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

I use: select dev_id, dev_name from cm_device with(nolock) where probe_name is not null
Original Message:
Sent: 09-17-2020 08:08 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Where to collect dev_id, there is no dev_id in cm_computer_system table, and in cm_device there is multiple rows for same name entry.

Original Message:
Sent: 09-17-2020 07:36 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

A possibility is having the correct dev_id in the alarm.  This can be added/modified via alarm_enrichment rules that will add the dev_id for probes that generates alarms with a different source. (like net_connect or logmon)
Original Message:
Sent: 09-17-2020 06:22 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Now I'm thinking that this will not be a solution to our problem. I have checked another customers evironment where we have similar implementation but we are using snmptd to create alarms which have different source and hostname. Those alarms also have primary hub robot name in their event.robot value but they are mapped correctly to retrospective inventory items.

Does anyone know how alarms are mapped to the inventory items. Which criteria must be complied to alarm be successfully mapped?---------------


This is example which works.

And this one which is similar doesn't

Original Message:
Sent: 09-17-2020 04:43 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

This list is coming from the original Nimsoft documentation, and in my experience this is in most cases correct.
Original Message:
Sent: 09-17-2020 04:38 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this is stated by documentation, but im am seeking something ultra custom. :)
Original Message:
Sent: 09-17-2020 04:34 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

I think you can only alter the following fields:
message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 to custom_5, supp_key and origin
Original Message:
Sent: 09-17-2020 03:52 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

Example nas.cfg piece needed for alarm_enrichment (in a test environment) to set the correct dev_id for alarms limited to certain probe names:
- dev_id1 is based on the robot name
- dev_id2 is based on the source
(the overwrite for custom2/3 is only debug info)
Original Message:
Sent: 09-17-2020 08:12 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

I use: select dev_id, dev_name from cm_device with(nolock) where probe_name is not null
Original Message:
Sent: 09-17-2020 08:08 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Where to collect dev_id, there is no dev_id in cm_computer_system table, and in cm_device there is multiple rows for same name entry.

Original Message:
Sent: 09-17-2020 07:36 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

A possibility is having the correct dev_id in the alarm.  This can be added/modified via alarm_enrichment rules that will add the dev_id for probes that generates alarms with a different source. (like net_connect or logmon)
Original Message:
Sent: 09-17-2020 06:22 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Now I'm thinking that this will not be a solution to our problem. I have checked another customers evironment where we have similar implementation but we are using snmptd to create alarms which have different source and hostname. Those alarms also have primary hub robot name in their event.robot value but they are mapped correctly to retrospective inventory items.

Does anyone know how alarms are mapped to the inventory items. Which criteria must be complied to alarm be successfully mapped?---------------


This is example which works.

And this one which is similar doesn't

Original Message:
Sent: 09-17-2020 04:43 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

This list is coming from the original Nimsoft documentation, and in my experience this is in most cases correct.
Original Message:
Sent: 09-17-2020 04:38 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this is stated by documentation, but im am seeking something ultra custom. :)
Original Message:
Sent: 09-17-2020 04:34 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

I think you can only alter the following fields:
message, level, sid, source, hostname, user_tag1, user_tag2, visible, custom_1 to custom_5, supp_key and origin
Original Message:
Sent: 09-17-2020 03:52 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Hello, 

i have a question about removing robot value from the event.robot variable.

This is the use case scenario:

We are using logmon probe which extracts hostname and message from the log. So we are using variable defined in logmon to use as source in alarm. With that we have a alarm which has correct hostname and source but because its collected via logmon which is on the robot we receive event.robot variable with hostname of robot and that results with wrong mapping of alarm. Alarm is mapped on robot which monitor log, not hostname (source) of alarm.

I have tried to use pre-processing with lua script to remove robot name:

event.robot = ""
return event

But nothing happens. According to the documentation this is not supported.

After that i have tried to use alarm enrichment

enricher should remove robot name and place source name.

SELECT name FROM CM_COMPUTER_SYSTEM where name =?

source=[cmdb.name]

And this also do not help.

Is this even possible?

Should i do it maybe directly in database using lua and preprocesing? What would be the consequences of that?

Thank you

Regards

Mario

Luc, this looks like a solution to my problems, but there is one issue. you can check my last reply and see that there is no logmon probe on query output. A logmon probe is generating alarms :X

The probe name in cm_device is of no importance for the result.  The probe name in the alarm_enrichment rule is against the probe that generates the alarm
Original Message:
Sent: 09-17-2020 08:21 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this looks like a solution to my problems, but there is one issue. you can check my last reply and see that there is no logmon probe on query output. A logmon probe is generating alarms :X

You didnt get me.

Query should look like this

query = select dev_id, dev_name from cm_device with(nolock) where probe_name='logmon' and dev_name=?

But there is no logmon in output of this query.
Original Message:
Sent: 09-17-2020 08:36 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

The probe name in cm_device is of no importance for the result.  The probe name in the alarm_enrichment rule is against the probe that generates the alarm
Original Message:
Sent: 09-17-2020 08:21 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this looks like a solution to my problems, but there is one issue. you can check my last reply and see that there is no logmon probe on query output. A logmon probe is generating alarms :X

Luc, thank you for the help. It's working.

Do you have this issue in UMP, it doesn't update the icon



Regards

Mario
Original Message:
Sent: 09-17-2020 08:42 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

You didnt get me.

Query should look like this

query = select dev_id, dev_name from cm_device with(nolock) where probe_name='logmon' and dev_name=?

But there is no logmon in output of this query.

Original Message:
Sent: 09-17-2020 08:36 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

The probe name in cm_device is of no importance for the result.  The probe name in the alarm_enrichment rule is against the probe that generates the alarm
Original Message:
Sent: 09-17-2020 08:21 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this looks like a solution to my problems, but there is one issue. you can check my last reply and see that there is no logmon probe on query output. A logmon probe is generating alarms :X

What icon do you expect?
Is this host discovered? What are the values returned from discovery?
Original Message:
Sent: 09-17-2020 09:10 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, thank you for the help. It's working.

Do you have this issue in UMP, it doesn't update the icon

Regards

Mario
Original Message:
Sent: 09-17-2020 08:42 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

You didnt get me.

Query should look like this

query = select dev_id, dev_name from cm_device with(nolock) where probe_name='logmon' and dev_name=?

But there is no logmon in output of this query.

Original Message:
Sent: 09-17-2020 08:36 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

The probe name in cm_device is of no importance for the result.  The probe name in the alarm_enrichment rule is against the probe that generates the alarm
Original Message:
Sent: 09-17-2020 08:21 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this looks like a solution to my problems, but there is one issue. you can check my last reply and see that there is no logmon probe on query output. A logmon probe is generating alarms :X

Luc, please check captures which were attached to my comments. It wasn't dicovery, it was import.
Original Message:
Sent: 09-17-2020 09:51 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

What icon do you expect?
Is this host discovered? What are the values returned from discovery?
Original Message:
Sent: 09-17-2020 09:10 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, thank you for the help. It's working.

Do you have this issue in UMP, it doesn't update the icon

Regards

Mario
Original Message:
Sent: 09-17-2020 08:42 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

You didnt get me.

Query should look like this

query = select dev_id, dev_name from cm_device with(nolock) where probe_name='logmon' and dev_name=?

But there is no logmon in output of this query.

Original Message:
Sent: 09-17-2020 08:36 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

The probe name in cm_device is of no importance for the result.  The probe name in the alarm_enrichment rule is against the probe that generates the alarm
Original Message:
Sent: 09-17-2020 08:21 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this looks like a solution to my problems, but there is one issue. you can check my last reply and see that there is no logmon probe on query output. A logmon probe is generating alarms :X

It's better to start a new question/discussion and to ask more detailed what your question/problem is.
- what icon is your problem
- what icon do you expect
- more info what is in the import
Original Message:
Sent: 09-18-2020 06:36 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, please check captures which were attached to my comments. It wasn't dicovery, it was import.
Original Message:
Sent: 09-17-2020 09:51 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

What icon do you expect?
Is this host discovered? What are the values returned from discovery?
Original Message:
Sent: 09-17-2020 09:10 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, thank you for the help. It's working.

Do you have this issue in UMP, it doesn't update the icon

Regards

Mario
Original Message:
Sent: 09-17-2020 08:42 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

You didnt get me.

Query should look like this

query = select dev_id, dev_name from cm_device with(nolock) where probe_name='logmon' and dev_name=?

But there is no logmon in output of this query.

Original Message:
Sent: 09-17-2020 08:36 AM
From: Luc Christiaens
Subject: Removing robot value from event.robot variable??

The probe name in cm_device is of no importance for the result.  The probe name in the alarm_enrichment rule is against the probe that generates the alarm
Original Message:
Sent: 09-17-2020 08:21 AM
From: Mario BOCAN
Subject: Removing robot value from event.robot variable??

Luc, this looks like a solution to my problems, but there is one issue. you can check my last reply and see that there is no logmon probe on query output. A logmon probe is generating alarms :X