Tech Tip: UIM LUA script to split alarm message 

Jan 25, 2018 08:07 AM

Sharing a simple LUA script to modify the alarm message of an incoming alarm.

The use case is when the user needs to reduce the original message to a substring that contains only the text between two patterns.

 

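-- Only rewrite alarms whose message carries a "syslog_message" field
if regexp(event.message, "*\"syslog_message\":\"*") then
    -- Capture the text between "syslog_message":" and ","tag
    local new_message = string.match(event.message, "syslog_message\":\"(.-)\",\"tag")
    -- string.match returns nil when ","tag does not follow; leave the message unchanged then
    if new_message then
        event.message = "Syslog Alarm: "..new_message
    end

    return event
else
    print("The regular expression did NOT match")
    return
end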

 

This will transform an alarm like this:

Match found for Router_Power_Supply_Monitoring search string Power Supply var1: Failure Detected in message: {"syslog_pid":"1","raw_message":null,"origin":null,"syslog_program":"swat","syslog_severity":"notice","logtype":"syslog","file":null,"syslog_timestamp":"2018-01-25T11:12:03+0000","host":"falne02-lab70","origin_facility_code":"","origin_message_number":"","syslog_priority":5,"timestamp":"2018-01-25T11:12:03+0000","syslog_pri":"13","syslog_severity_code":5,"ip":null,"syslog_facility":"user","syslog_facility_code":1,"syslog_message":"Power Supply var1: Failure Detected","tags":null,"origin_timestamp":"2018-01-25T11:12:03+0000","syslog_hostname":"falne02-lab70","syslog_received_at":null,"received_timestamp":"2018-01-25T11:12:03+0000"}

 

into:

Syslog Alarm: Power Supply var1: Failure Detected

 

So we only extract the relevant "syslog_message" field.

 

Thanks Alquin for the samples provided.

 

Thanks,

Nestor
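
The pattern in the script above depends on "tags" being the key that directly follows "syslog_message". As an added example (not part of the original post or of UIM), the standalone Lua function below reads the field value up to its first unescaped closing quote, so it does not depend on field order; `extract_json_string` and the sample messages are constructed for illustration.

```lua
-- Added example: hypothetical helper, not part of UIM or the original script.
-- Returns the value of the JSON string field `key` found in `text`, or nil.
local function extract_json_string(text, key)
    -- Plain-text find (4th argument true), so `key` is never read as a pattern.
    local _, pos = string.find(text, '"' .. key .. '":"', 1, true)
    if not pos then return nil end

    local out, i = {}, pos + 1
    while i <= #text do
        local c = text:sub(i, i)
        if c == "\\" then
            -- Escaped character: unescape \" \\ \/ and keep other escapes raw.
            local nxt = text:sub(i + 1, i + 1)
            if nxt == '"' or nxt == "\\" or nxt == "/" then
                out[#out + 1] = nxt
            else
                out[#out + 1] = c .. nxt
            end
            i = i + 2
        elseif c == '"' then
            return table.concat(out)  -- first unescaped quote closes the value
        else
            out[#out + 1] = c
            i = i + 1
        end
    end
    return nil  -- no closing quote: treat as no match
end

-- Constructed sample messages (shortened from the alarm shown above).
local samples = {
    -- "tags" directly follows, as in the original alarm
    '{"syslog_facility_code":1,"syslog_message":"Power Supply var1: Failure Detected","tags":null}',
    -- another string field sits between syslog_message and "tags"
    '{"syslog_message":"Fan failure","syslog_hostname":"falne02-lab70","tags":null}',
    -- syslog_message is the last field and contains an escaped quote
    '{"tags":null,"syslog_message":"Interface \\"Gi0/1\\" down"}',
}

for _, msg in ipairs(samples) do
    local value = extract_json_string(msg, "syslog_message")
    -- In the alarm script this would be: event.message = "Syslog Alarm: " .. value
    print(value and ("Syslog Alarm: " .. value) or "syslog_message not found")
end
```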


Comments

Sep 11, 2018 11:53 AM

Hi Sam, yes, we preserve all original fields as we are modifying the incoming event

HTH,

Nestor

Sep 10, 2018 04:50 PM

Yes

Sep 10, 2018 04:49 PM

Thanks NestorFalcon

 

Does the new alarm have all the original contents? Such as Origin, Hostname, User Tags etc?

 

Regards,

Sam

Feb 15, 2018 05:40 PM

Hi,

 

I like to reverse the if/else condition (to me, the code is more readable).

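if not regexp(event.message, "*\"syslog_message\":\"*") then
    return
end
local new_message = string.match(event.message, "syslog_message\":\"(.-)\",\"tag")
-- string.match returns nil when ","tag does not follow; leave the message unchanged then
if new_message then
    event.message = "Syslog Alarm: "..new_message
end
return event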

 

And by experience, using non-common matching seems to be the dominant pattern (best-practice for me).

 

Best Regards,

Thomas
