Format
Format operations combine property values into a new or existing property using a specified format. You can use them to present information from events received from event sources in a new property that adheres to a specified format.
For this example, you transform the source properties and the temporary properties that you create using the Parse operation into USM properties as follows:
Note: Alerts do not have correlatable properties.
<Catalog version="1.0" globalextends="GLOBAL!">
  <!-- Event class "Alert": Parse splits the trap varbind string, Normalize
       derives a severity, and Format builds the USM alert properties. -->
  <EventClass name="Alert">
    <Parse>
      <!-- Splits snmp_varbindvals into nine temporary properties. The pattern
           is nine lazy groups separated by eight commas, anchored at both ends.
           With standard regex semantics a value with fewer than eight commas
           does not match, and any commas beyond the eighth stay inside the last
           group (temp_status).
           The varbind text is supplied by the trap sender and is not checked
           here beyond this split.
           NOTE(review): what happens to the temp_ properties when the pattern
           does not match is not shown in this policy; confirm. -->
      <Field input="snmp_varbindvals"
             output="temp_nodetype,temp_nodename,temp_domain,temp_applname,temp_applgen,temp_jobname,temp_jobequal,temp_state,temp_status"
             pattern="^(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?),(.*?)$" />
    </Parse>
    <Normalize>
      <!-- Maps the job state in temp_state to a severity value. Each mapin
           spells the state with [Xx] character classes, so letter case in the
           trap does not matter.
           There is no catch-all entry: a state that is not listed gets no
           mapout from this table.
           NOTE(review): presumably severity then stays unset and the
           conditional Severity field in Format is skipped; whether mapin has to
           match the whole value or only part of it is also not shown. Confirm
           both, because a state this table does not list may then raise an
           alert that carries no severity. -->
      <Field input="temp_state" type="map" output="severity">
        <mapentry mapin="[Uu][Nn][Kk][Nn][Oo][Ww][Nn]" mapout="Unknown" />
        <mapentry mapin="[Cc][Oo][Mm][Pp][Ll][Ee][Tt][Ee]" mapout="Normal" />
        <mapentry mapin="[Mm][Oo][Nn][Ii][Tt][Oo][Rr]" mapout="Normal" />
        <mapentry mapin="[Ee][Xx][Ee][Cc]" mapout="Normal" /> <!-- Informational -->
        <mapentry mapin="[Ff][Aa][Ii][Ll][Ee][Dd]" mapout="Critical" />
        <mapentry mapin="[Pp][Rr][Ee][Mm][Aa][Tt][Uu][Rr][Ee] [Ee][Nn][Dd]" mapout="Critical" />
        <mapentry mapin="[Ii][Nn][Aa][Cc][Tt][Ii][Vv][Ee]" mapout="Minor" />
        <mapentry mapin="[Oo][Vv][Ee][Rr][Dd][Uu][Ee]" mapout="Major" />
        <mapentry mapin="[Ss][Uu][Bb][Ee][Rr][Rr][Oo][Rr]" mapout="Major" />
        <mapentry mapin="[Aa][Gg][Ee][Nn][Tt] [Dd][Oo][Ww][Nn]" mapout="Critical" /> <!-- Fatal -->
        <mapentry mapin="[Rr][Ee][Aa][Dd][Yy]" mapout="Normal" />
        <mapentry mapin="[Aa][Bb][Aa][Nn][Dd][Oo][Nn] [Ss][Uu][Bb][Mm][Ii][Ss][Ss][Ii][Oo][Nn]" mapout="Unknown" />
      </Field>
    </Normalize>
    <Format>
      <!-- Correlatable properties: at least one must be populated. This
           policy sets none in this section. -->

      <!-- Non-correlatable properties -->

      <!-- Element ID built from the agent, application name and job name.
           Unlike AlertedMdrElementID below, this field has no conditional, so
           it is written even when one of the three inputs is missing.
           NOTE(review): confirm what the format yields for a missing input. -->
      <Field output="MdrElementID" format="alert-{0}:{1}:{2}" input="snmp_agent,temp_applname,temp_jobname" />

      <!-- Both timestamps come from xsdateTime(now), not from a value carried
           in the trap, so they appear to record when this policy ran rather
           than when the job event happened at the source. Keep that in mind
           when building a timeline from these alerts. -->
      <Field output="OccurrenceTimestamp" format="{0}" input="{xsdateTime(now)}" />
      <Field output="ReportTimestamp" format="{0}" input="{xsdateTime(now)}" />

      <Field output="AlertType" format="{0}" input="Risk-Fault" />
      <!-- Written only when Normalize produced a severity. -->
      <Field conditional="severity" output="Severity" format="{0}" input="severity" />
      <Field output="AlertedMdrProduct" format="CA:00036" input="" />
      <Field output="AlertedMdrProdInstance" format="{0}" input="{fqdn(snmp_agent)}" />

      <!-- Assign instance name.
           Each key (snmp_agent, temp_applname, temp_jobname) is copied to a
           SectionN property when it is present; when it is absent, Flag is
           written with the text "false". The order of these fields matters:
           the two AlertedMdrElementID fields at the end read Flag and the
           SectionN properties set above them.
           NOTE(review): conditional="Flag" presumably tests whether Flag has
           been set, not what it contains, so a set Flag means a key was
           missing. Confirm against the policy engine documentation. -->
      <Field conditional="snmp_agent" output="Section1" format="{0}" input="snmp_agent" />
      <Field conditional="!snmp_agent" output="Flag" format="false" input="" />
      <Field conditional="temp_applname" output="Section2" format="{0}" input="temp_applname" />
      <Field conditional="!temp_applname" output="Flag" format="false" input="" />
      <Field conditional="temp_jobname" output="Section3" format="{0}" input="temp_jobname" />
      <Field conditional="!temp_jobname" output="Flag" format="false" input="" />
      <!-- A key was missing: AlertedMdrElementID is written with an empty format. -->
      <Field conditional="Flag" output="AlertedMdrElementID" format="" input="" />
      <!-- All three keys present: join them with colons. -->
      <Field conditional="!Flag" output="AlertedMdrElementID" format="{0}:{1}:{2}" input="Section1,Section2,Section3" />

      <!-- Summary and Message copy text taken from the trap (temp_status,
           temp_state, temp_jobname) without any filtering in this policy.
           Anything that later displays or stores these properties should
           treat them as untrusted text. -->
      <Field output="Summary" format="{0}" input="temp_status" />
      <Field conditional="temp_state" output="Message" format="{0} alert on {1} scheduled on host {2}" input="temp_state,temp_jobname,snmp_agent" />

      <!-- Metric description for the alert. -->
      <Field output="MetricName" format="{0}" input="Job Status" />
      <Field output="MetricType" format="{0}" input="Unknown" />
      <Field output="MetricUnitDefinition" format="{0}" input="Number" />
      <Field output="MetricDataType" format="{0}" input="String" />
    </Format>
  </EventClass>
</Catalog>
This policy does the following:
Note: The key values that you use to define the AlertedMdrElementID (and by extension, MdrElementID) value differ depending on the trap source you are integrating. The property must contain a value or combination of values that can uniquely identify a CI and alert from your trap source.