Service Operations Insight

Expand all | Collapse all

event policy - 2 search patterns on the mid-tier connector

  • 1.  event policy - 2 search patterns on the mid-tier connector

    Posted 06-06-2016 06:11 AM

    Hi,

    i applied the next 2 search patterns for an event policies on the midtier connector:

    ConnectorConfigMdrProdInstance = 'APM' and matches ( Summary, 'hostnameA' ) for the first policy

    and

    ConnectorConfigMdrProdInstance = 'APM' and not matches ( Summary, 'hostnameA' ) for the second policy.

    to fill in a user attribute.

     

    so if it contains 'Queue Managers' it should put  hostnameA into the user attribute and if it doesnt contain it, it should put  hostnameB into the user attribute.

     

    if i just search the historical events, it works fine.

     

    however, when i apply it, i get always hostnameA in the user attribute for each event regardless it contains 'hostnameA' in the Summary or not.

     

    then if i restart/deply/undeploy/etc the policies while debugging, i start getting always hostnameB (the opposite) in the user attribute for each event. again regardless, if it contains 'hostnameA' in the Summary or not.

     

    so it seems like the first part of the search pattern matches everything and it ignores the second part (but just when it is deployed and not while it is tested).

     

    do you have please any idea why or some tips what to try and how to fix it?

     

    thanks,

    stefan



  • 2.  Re: event policy - 2 search patterns on the mid-tier connector

    Posted 06-10-2016 07:46 AM

    Hi Stefan,

    thanks for the ticket number.

    The same extraction of data from the Summary should be possible with Normailzed Events, making use of an Enrichment Policy and then selecting "Map only".

    This would be a workaround that should work immediately and you dont have to wait for a fix.

    Let me know if you want me to have a look at your policy and how to create a new one.

     

    MichaelBoehm



  • 3.  Re: event policy - 2 search patterns on the mid-tier connector

    Posted 06-10-2016 05:27 AM

    Hi Stefan,

    for clarification:

    • You have two different policies (not one policy with two patterns)?
    • According to your description (you are looking for the word Queue Managers) the last pattern for the policy should be "matches ( Summary, 'Queue Managers' )"
    • f you negate the pattern, you should enclose the part in parenthesis, e.g.  "not ( matches ( Summary, 'Queue Managers' ) )"

     

    I did test this on my server, and all is working as expected.

    Can you please attach the two created policies here, or (as Shaheen recommended), open an issue for further tracking.

     

    MichaelBoehm



  • 4.  Re: event policy - 2 search patterns on the mid-tier connector

    Posted 06-23-2016 06:44 AM

    Hi Stefan,

    please modify the pattern to

         ConnectorConfigMdrProdInstance = 'APM' and not(matches(Summary,'Queue Managers'))

    Note: there are NO blanks in the second part.

    The parser seems to have problems to understand the expression when there are blanks.

    I tested that on my system and all works fine.

     

    MichaelBoehm



  • 5.  Re: event policy - 2 search patterns on the mid-tier connector

    Broadcom Employee
    Posted 06-09-2016 02:54 PM

    Hi Stefan,

    Can you open a case with CA support? When you do so please upload your policy file from CA\SOI\resources\EventManagement\Policies folder.

    Thanks

    Shaheen



  • 6.  Re: event policy - 2 search patterns on the mid-tier connector

    Posted 06-10-2016 06:38 AM

    Hello Michael,

    we are using raw events.

    Condition ConnectorConfigMdrProdInstance = 'APM' and not (matches ( Summary, 'Queue Managers' )) is not working in our environment.

     

    When I checked the XML file in resources directory the second part of condition "not (matches ( Summary, 'Queue Managers' ))" is not present and there is just first part of condition "ConnectorConfigMdrProdInstance = 'APM'".

    SOI has problem with negative lookahead regexp translation from UI to XML file

     

    The positive finding is ok

    Condition "ConnectorConfigMdrProdInstance = 'APM' and matches ( Summary, 'Queue Managers' )" hasn't problem.

    Tomas



  • 7.  Re: event policy - 2 search patterns on the mid-tier connector

    Posted 06-10-2016 07:20 AM

    Hi Stefan,

    I was able to verify the problem as you described it - the last part is missing in the policy when using the negation.

    What is the reason that you are using RAW Events?

    The Midtier Connector is only a forwarder, e.g. normally RAW and Normalized Events are identical.

    I verified that all is working fine when using Normalized Events.

     

    Please open an issue to report this problem for RAW Events and negation.

     

    MichaelBoehm



  • 8.  Re: event policy - 2 search patterns on the mid-tier connector

    Posted 06-10-2016 07:31 AM

    Hello Michael,

    the ticket is 00429383: Mid-Tier connector: negative regexp on raw events issue

     

    I'm using RAW for new mapping. We are parsing application hostnames with regexp from Summary and mapping it to custom field. The easiest way was raw event.

     

    Tomas