DX NetOps

  • 1.  Spectrum + SystemEdge log file monitoring - event discrimination

    Broadcom Employee
    Posted Feb 17, 2015 04:46 AM

    Hi all,

     

    I seem to be in a dead-end here. The customer would like to monitor Unix/Linux system log files (e.g. /var/log/messages).

     

    I need to set up the Event Variable Discriminator correctly to prevent duplicate alarms, but I came across the following challenge:

     

    1. If the Event Variable Discriminator is the monitor index, I won’t get alarms for the same error on a different HW part (suppose the regexp is set up to match "I/O error" on drives – if an alarm exists for sda0, no new alarm will be generated for sda1)
    2. If the Event Variable Discriminator is the matched text:
      • /var/log/messages contains a timestamp on every line, so the matched text will never be the same
      • now consider a HW error that repeats every minute – I get a new alarm every minute (because of the different timestamp in the matched text/line) until the HW error is resolved (e.g. the supplier has an 8hr SLA on HW error fixes – that’s a lot of alarms :O )


    I was going through the Spectrum Event Configuration User Guide but I didn't find the answer for my following question:


    Is it possible to create some kind of event rule which would get rid of the timestamp in "Matched Text" variable?


    Many thanks


    Mike



  • 2.  Re: Spectrum + SystemEdge log file monitoring - event discrimination

    Broadcom Employee
    Posted Feb 17, 2015 09:54 AM

    You would need to use an event procedure to split the log message event variable into multiple event variables. Then you can have a unique variable to use for an event discriminator.

     

    -Rob



  • 3.  Re: Spectrum + SystemEdge log file monitoring - event discrimination

    Broadcom Employee
    Posted Feb 17, 2015 09:59 AM

    Thanks Rob, that's exactly what I had in mind.

     

    Do you by any chance happen to know what the syntax should look like? As I have very little experience with the event rules syntax, I need some help here. I tried looking in the doc named Spectrum Event Configuration User Guide but I didn't find a hint there...

     

    Mike



  • 4.  Re: Spectrum + SystemEdge log file monitoring - event discrimination
    Best Answer

    Posted Feb 18, 2015 04:22 AM

    Hello Mike,

     

    Check this

     

    0xffff0000 E 50 P " \                      -> Original event to pull the info from
      CreateEventWithAttributes( \
        { C CURRENT_MODEL }, \
        { H 0xffff0001 }, \                    -> New event to be created
        SetEventAttribute( \
          SetEventAttribute( \
            GetEventAttributeList(), \
            { U 2 }, \                         -> New variable containing the first half of the extracted data
            GetRegexp( \
              GetEventAttribute( { U 1 } ), \  -> Variable of the original event that needs to be split
              { S \"(.*)/(.*)\" }, \           -> Regex expression to search for (you may need to escape the “/”)
              { U 1 } )), \                    -> Regexp piece to extract (if you use several “(…)” in your regexp, indicates which one you care about): in your example this would extract “one”
          { U 3 }, \                           -> New variable containing the other half of the extracted data
          GetRegexp( \
            GetEventAttribute( { U 1 } ), \    -> Variable of the original event that needs to be split
            { S \"(.*)/(.*)\" }, \             -> Regex expression to search for
            { U 2 } )))"                       -> Regexp piece to extract (if you use several “(…)” in your regexp, indicates which one you care about): in your example this would extract “two”

     

    HTH

     

    Kalyan
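
The effect of each discriminator choice discussed in this thread, as an added Python example that is not code from the thread or from Spectrum: it splits syslog lines into timestamp and message with a two-group regex and counts how many alarms each discriminator would leave open. The sample log lines, the monitor index value and the timestamp pattern are constructed assumptions, and the regex dialect accepted by GetRegexp should be checked before reusing the pattern there.

```python
import re

# Constructed sample lines in the classic /var/log/messages layout (not from the thread).
SAMPLE_LOG = [
    "Feb 17 04:40:01 db01 kernel: end_request: I/O error, dev sda, sector 1024",
    "Feb 17 04:41:01 db01 kernel: end_request: I/O error, dev sda, sector 1024",
    "Feb 17 04:41:30 db01 kernel: end_request: I/O error, dev sdb, sector 2048",
    "Feb 17 04:42:01 db01 kernel: end_request: I/O error, dev sda, sector 1024",
]

# Group 1 = timestamp, group 2 = rest of the line. Plain bracket classes only,
# on the assumption that the target regex dialect may lack \d and \w.
SPLIT = re.compile(r"^([A-Z][a-z]{2} +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}) +(.*)$")

MONITOR_INDEX = 7  # hypothetical log-monitor row index, identical for every match


def split_matched_text(line):
    """Return (timestamp, message), the two pieces a two-group split would store."""
    m = SPLIT.match(line)
    if m is None:
        return "", line  # unrecognised layout: keep the whole line as the message
    return m.group(1), m.group(2)


def count_alarms(lines, discriminator):
    """An event whose discriminator value matches an open alarm raises no new alarm."""
    return len({discriminator(line) for line in lines})


def by_monitor_index(line):
    return MONITOR_INDEX


def by_matched_text(line):
    return line


def by_message(line):
    return split_matched_text(line)[1]


if __name__ == "__main__":
    for name, fn in [("monitor index", by_monitor_index),
                     ("matched text", by_matched_text),
                     ("message without timestamp", by_message)]:
        print(f"{name}: {count_alarms(SAMPLE_LOG, fn)} alarm(s)")
```

If the message part itself carries values that change on every repeat (a sector number, a PID), a further capture group is needed to isolate only the stable part, such as the device name.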



  • 5.  Re: Spectrum + SystemEdge log file monitoring - event discrimination

    Broadcom Employee
    Posted Feb 20, 2015 08:46 AM

    Kalyan,

     

    thank you very much, that's exactly what I was looking for and it seems to work this way!

     

    Mike