Service Operations Insight

Hello all,

We are sending traps from multiple monitoring systems into SOI as our master monitoring console.
The trap messages are in a format like this, as is typical:

VAR1=value1, VAR2=value2, VAR3=value3

For human readability we'd like to present it in a format like this:
VAR1=value1
VAR2=value2
VAR3=value3

I've tried a variety of regex combinations to convert the ", " into a CRLF.  I've tried dropping the space after the comma but it made no different.  I've tried \n, \r,. and \r\n, and variations thereupon.
Any ideas?  Or am I going to have to bring in a preformatting step?

Thank you,
Joe Poutre
BNP Paribas

Hi Joe,

are you working with the SNMP Connector?

Add two parts in the Alert class of the policy:

Parsing the original values
<Parse>
   <Field input='snmp_varbindvals' output='Var1,Var2,Var3' pattern='^(.*?),(.*?),(.*?)$'/>
</Parse>

Formatting the output
<Format>
   <Field conditional='Var1' output='Message' format='{0}' input='Var1' />
   <Field conditional='Var2' output='Message' format='{0}&#10;{1}' input='Message,Var2' />
   <Field conditional='Var3' output='Message' format='{0}&#10;{1}' input='Message,Var3' />
</Format>

ASCII 10  is the code for a Linefeed.

Let me know if this works or if you need more help.

Michael

------------------------------
Customer Success Architect
CA Deutschland GmbH (a Broadcom company)
------------------------------

Original Message:
Sent: 07-31-2019 04:21 PM
From: Joseph Poutre
Subject: Reformat comma'd message within SOI

Hello all,

We are sending traps from multiple monitoring systems into SOI as our master monitoring console.
The trap messages are in a format like this, as is typical:

VAR1=value1, VAR2=value2, VAR3=value3

For human readability we'd like to present it in a format like this:
VAR1=value1
VAR2=value2
VAR3=value3

I've tried a variety of regex combinations to convert the ", " into a CRLF.  I've tried dropping the space after the comma but it made no different.  I've tried \n, \r,. and \r\n, and variations thereupon.
Any ideas?  Or am I going to have to bring in a preformatting step?

Thank you,
Joe Poutre
BNP Paribas

I am just having a second thought about this:
My reply was based on the assumption, that the different parts of the final message are in different Varbinds of the Trap.
But you might mean that only one of the Varbinds contains the complete message.
Then the problem is, that all the Varbinds are separated by Comma (that is the default behavior of the connector), and your message contains Commas as well.
There is no way to tell the system which commas belong to which part (separator or part of Message) - unless you know exactly how many commas you have in your message.

If you know the amount of commas in your message, you can use a two step parse (as an example I am using Part2 for the Message with two commas):

<Parse>
   <Field input='snmp_varbindvals' output='Part1,Part2,Part3' pattern='^(.*?),(.*?,.*?,.*?),(.*?)$'/>
   <Field input='Part2' output='Var1,Var2,Var3' pattern='^(.*?),(.*?),(.*?)$'/>
</Parse>

If you don't know the amount of commas, there is no solution, because there is no "Replace" in the code.
Then you don't know into how many parts to parse the message and how often to perform the reformatting step I listed in my previous message.

Michael

------------------------------
Customer Success Architect
CA Deutschland GmbH (a Broadcom company)
------------------------------

Original Message:
Sent: 07-31-2019 04:21 PM
From: Joseph Poutre
Subject: Reformat comma'd message within SOI

Hello all,

We are sending traps from multiple monitoring systems into SOI as our master monitoring console.
The trap messages are in a format like this, as is typical:

VAR1=value1, VAR2=value2, VAR3=value3

For human readability we'd like to present it in a format like this:
VAR1=value1
VAR2=value2
VAR3=value3

I've tried a variety of regex combinations to convert the ", " into a CRLF.  I've tried dropping the space after the comma but it made no different.  I've tried \n, \r,. and \r\n, and variations thereupon.
Any ideas?  Or am I going to have to bring in a preformatting step?

Thank you,
Joe Poutre
BNP Paribas

Hello Michael,
I am actually trying to do this through an Event Policy, using fn:Parse to take the original Message something like this:

Source: WindowsMonitor,Alarm Message: WARNING_PERFORMANCE,Variable: Memory Available,Value: 961 ,CallOut=Windows People,Hostname: myserver1

to this format:

Source: WindowsMonitorSystem
Alarm Message: WARNING FOR MEMORY
Variable: Memory Available
Value: 961
CallOut=Windows People
Hostname: myserver1

Is that feasible?  Technically possible?  Or do I need to pre-parse it upon reception and then present it to the Event Policy?

Thank you,
Joe Poutre
BNP Paribas
Original Message:
Sent: 08-01-2019 03:59 AM
From: MICHAEL BOEHM
Subject: Reformat comma'd message within SOI

I am just having a second thought about this:
My reply was based on the assumption, that the different parts of the final message are in different Varbinds of the Trap.
But you might mean that only one of the Varbinds contains the complete message.
Then the problem is, that all the Varbinds are separated by Comma (that is the default behavior of the connector), and your message contains Commas as well.
There is no way to tell the system which commas belong to which part (separator or part of Message) - unless you know exactly how many commas you have in your message.

If you know the amount of commas in your message, you can use a two step parse (as an example I am using Part2 for the Message with two commas):

<Parse>
   <Field input='snmp_varbindvals' output='Part1,Part2,Part3' pattern='^(.*?),(.*?,.*?,.*?),(.*?)$'/>
   <Field input='Part2' output='Var1,Var2,Var3' pattern='^(.*?),(.*?),(.*?)$'/>
</Parse>

If you don't know the amount of commas, there is no solution, because there is no "Replace" in the code.
Then you don't know into how many parts to parse the message and how often to perform the reformatting step I listed in my previous message.

Michael

------------------------------
Customer Success Architect
CA Deutschland GmbH (a Broadcom company)

Original Message:
Sent: 07-31-2019 04:21 PM
From: Joseph Poutre
Subject: Reformat comma'd message within SOI

Hello all,

We are sending traps from multiple monitoring systems into SOI as our master monitoring console.
The trap messages are in a format like this, as is typical:

VAR1=value1, VAR2=value2, VAR3=value3

For human readability we'd like to present it in a format like this:
VAR1=value1
VAR2=value2
VAR3=value3

I've tried a variety of regex combinations to convert the ", " into a CRLF.  I've tried dropping the space after the comma but it made no different.  I've tried \n, \r,. and \r\n, and variations thereupon.
Any ideas?  Or am I going to have to bring in a preformatting step?

Thank you,
Joe Poutre
BNP Paribas

Each trap has a set number of fields, which will not contain commas in the Vars or Values, because I control what goes into those fields.

In simpler terms, is it possible to use a regex replace in an Event Policy with "Create New Event" and "fn:Parse"?  In other words, does fn:Parse support regex character or string replacement?  If not then I'll go to the Alert policy file and use the Parse there to separate out and format the variables and values.

Thank you,
Joe Poutre
BNP Paribas

Original Message:
Sent: 07-31-2019 04:21 PM
From: Joseph Poutre
Subject: Reformat comma'd message within SOI

Hello all,

We are sending traps from multiple monitoring systems into SOI as our master monitoring console.
The trap messages are in a format like this, as is typical:

VAR1=value1, VAR2=value2, VAR3=value3

For human readability we'd like to present it in a format like this:
VAR1=value1
VAR2=value2
VAR3=value3

I've tried a variety of regex combinations to convert the ", " into a CRLF.  I've tried dropping the space after the comma but it made no different.  I've tried \n, \r,. and \r\n, and variations thereupon.
Any ideas?  Or am I going to have to bring in a preformatting step?

Thank you,
Joe Poutre
BNP Paribas