Event Processing Filtering Script

Started by Luiz A. Camilo, April 01, 2015, 10:07:22 PM

Previous topic - Next topic

Luiz A. Camilo

Hello,

The following event is triggered on my Event Log and usually happens when an ADSL Link becomes down. I can see the Ip address become 0.0.0.0/0 : 


27.03.2015 16:21:26 NCTSP_FGT_60D SYS_IF_DELETED Normal Interface "VIVO_50MB" deleted (IP Addr: 200.171.186.9/255.255.255.255, IfIndex: 4)
27.03.2015 16:21:26 NCTSP_FGT_60D SYS_IF_ADDED Normal Interface "VIVO_50MB" added (IP Addr: 0.0.0.0/0.0.0.0, IfIndex: 4)
27.03.2015 16:24:19 NCTSP_FGT_60D SYS_IF_UP Normal Interface "VIVO_50MB" changed state to UP (IP Addr: 0.0.0.0/0.0.0.0, IfIndex: 4)


I want to trigger an particular Alarm when it happens, and of corse, automatically end that Alarm when the IP isn't 0.0.0.0/0 anymore. To do that I need to use Filtering Scripts to analyze the "Message" of the Event. I'm also filtering by Event Code but I need help with the Script.


if ($event->message like "0.0.0.0/0.0.0.0"){
  return true; // Match rule
}



And to end the Event, I'm just denying (!) the script :


if ($event->message !like "0.0.0.0/0.0.0.0"){
  return true; // Match rule
}


But the filtering seems to not work, every event with any value is triggered.
Can someone help me with this filtering script please  ?

Thanks in advance !



Alex Kirhenshtein

Hello.

First of all, you don't have to match message for that. SYS_IF_UP (SYS_IF_DOWN is the same) have 5 parameters, and 3rd one is ip address (check description in event editor).

So you can change script to if ($3 == "0.0.0.0") {
  return true;
}
return false;
or even (if you don't have any other logic in the script) $3 == "0.0.0.0"

Then opposite script will be if ($3 != "0.0.0.0") {
  return true;
}
return false;
or $3 != "0.0.0.0"


Problem with your original script was invalid syntax, instead of if ($event->message !like "0.0.0.0/0.0.0.0"){
  return true; // Match rule
}


if should've been

if (!$event->message like "0.0.0.0/0.0.0.0"){
  return true; // Match rule
}

Luiz A. Camilo

Hi Alex,

Thank you very much, that solved the problem. I was so focused on the message that I forgot to think out of the box.
Do you know how can I fix the syntax of the expression analyzing the "message" string of the Event ? That will help me in other cases ...
I'm trying to do like says here : https://www.netxms.org/forum/configuration/script-some-generic-questions/msg3186/#msg3186

Thank you very much again !

VladimirV

#3
Hi there!
Trying exclude nodes containing the name DWL in Event Processing Policy by filtering script:


if (($node->name) like "*DWL*") {
return false;
}


but event do nothing with predefined action.
Is it correct script?

Tursiops

Your example should be ok to exclude anything with "DWL" in it.
I have to assume there is a "return true;" somewhere in your script as well? Otherwise the result will be "false" anyway and the exclusion is unnecessary - as the filter will never return true.
For your exclusion, you may also want to make sure that your node name is in fact using capitalised "DWL". If not, maybe use "ilike" instead of "like".

This should be enough to exclude anything with "DWL" (capitalised or not) in it and include everything else:

if ($node->name ilike "*DWL*") return false;
return true;


You can always run this against a node via "Execute server script" to confirm that it returns the result you are expecting.

VladimirV

Quote from: Tursiops on July 07, 2017, 03:14:17 PM
Your example should be ok to exclude anything with "DWL" in it.
...
You can always run this against a node via "Execute server script" to confirm that it returns the result you are expecting.

Thx.
Some changes:
if (($node->name) like "*DWL*") {
return false;
} else {
return true;
}

LogicalNZ

Hey all,

I'm looking to want to do a EPP filter script based on a OID.

So my base OID =  .1.3.6.1.2.1.31.1.1.1.10.XX

Where XX >  15000000

Any ideas?

With thanks

Victor Kirhenshtein

Hi,

OID of what? Device or specific DCI you are fetching?

Best regards,
Victor