hobbit-alerts.cfg regex/MACRO problem - need help

Charles Jones jonescr at cisco.com
Thu Nov 9 22:59:38 CET 2006


I am trying to use a regex macro to exclude a number of hosts from an 
alert.  Here is the one I was using at first:

$UNUSED_PROD=%prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)|prod-web-(1|2|3|4|9|10|11)


Here is how I am using it for the actual alert definition:

HOST=%(prod-.*) SERVICE=* EXHOST=$UNUSED_PROD
     MAIL $PRIMARY color=red REPEAT=60 RECOVERED NOTICE format=sms
     MAIL $SECONDARY color=red DURATION>20 REPEAT=60 RECOVERED NOTICE format=sms


I ran into a problem with the host "prod-app-12" matching the regex. I 
realized this was because I was not terminating the numbers, so I 
changed my variable to:

$UNUSED_PROD=%prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)$|prod-web-(1|2|3|4|9|10|11)$


This SHOULD work according to online regex testing tools, and I also at 
Henriks advice, verified it using "pcretest":

$ pcretest
PCRE version 6.6 06-Feb-2006

  re> /prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)$|prod-web-(1|2|3|4|9|10|11)$/
data> prod-web-12
No match
data> prod-web-11
 0: prod-web-11
 1: <unset>
 2: 11
data>

As seen above, the host "prod-web-12" does NOT match, but "prod-web-11" 
DOES, which is exactly how I want it.

*However, when I use this in hobbit-alerts.cfg. I do not get the 
expected behavior. Instead, ALL hosts match, according to pages sent out 
and from viewing the "info" section.  *The strange thing is, according 
to hobbitd_alert --test, the hostname was successfully excluded, but 
clicking on the "info" column for hosts that are supposed to be excluded 
reveals that they are still configured to alert.

../bin/hobbitd_alert --test prod-web-11 procs --color-red

00009993 2006-11-09 21:48:30 send_alert prod-web-11:procs state Paging

00009993 2006-11-09 21:48:30 *** Match with 'HOST=%(prod-.*) SERVICE=*' ***

00009993 2006-11-09 21:48:30 Matching host:service:page 'prod-web-11:procs:PROD/PRODWEB' against rule line 170

00009993 2006-11-09 21:48:30 *** Match with 'MAIL $PRIMARY color=red REPEAT=60 RECOVERED NOTICE format=sms' ***

00009993 2006-11-09 21:48:30 Mail alert with command 'mail xxxxx at cingularme.com'

00009993 2006-11-09 21:48:30 Failed 'MAIL $SECONDARY color=red DURATION>20 REPEAT=60 RECOVERED NOTICE format=sms' (min. duration 0<1200)

...

00009993 2006-11-09 21:48:30 Failed 'HOST=* SERVICE=* EXHOST=$UNUSED_PROD' (hostname excluded)


* Another thing, when I do the same test as above, using hostname 
"prod-web-12", which is a host that should NOT be excluded, 
hobbitd_alert still says that it was excluded (same last line of output 
as the prod-web-11 test above).

I have also tried enclosing the regex in quotes, which didn't work either.

If anyone has any insight, please let me know. I have contacted Henrik 
about this, but I believe he misread my email, as he suggested that I 
add $ to the regex, which I had already tried...so now I am hoping that 
he or someone else sees this message and can see what Im doing wrong.

-Charles

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20061109/c1e46511/attachment.html>


More information about the Xymon mailing list