[hobbit] hobbit-alerts.cfg regex/MACRO problem - need help

Charles Jones jonescr at cisco.com
Wed Dec 6 18:29:13 CET 2006 

I offer $5 via paypal to anyone who can help me figure this out.  :-)

-Charles

Charles Jones wrote:
> As of today this problem is still a thorn in my side. I've been out 
> sick this week so just now working on it again.
>
> Charles Jones wrote:
>> I'm still having this problem. If anyone has any ideas I'm open to 
>> suggestions :)
>>
>> -Charles
>>
>> Charles Jones wrote:
>>> I am trying to use a regex macro to exclude a number of hosts from 
>>> an alert.  Here is the one I was using at first:
>>> $UNUSED_PROD=%prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)|prod-web-(1|2|3|4|9|10|11)
>>>
>>>   
>>> Here is how I am using it for the actual alert definition:
>>> HOST=%(prod-.*) SERVICE=* EXHOST=$UNUSED_PROD
>>>      MAIL $PRIMARY color=red REPEAT=60 RECOVERED NOTICE format=sms
>>>      MAIL $SECONDARY color=red DURATION>20 REPEAT=60 RECOVERED NOTICE format=sms
>>>
>>>   
>>> I ran into a problem with the host "prod-app-12" matching the regex. 
>>> I realized this was because I was not terminating the numbers, so I 
>>> changed my variable to:
>>>
>>> $UNUSED_PROD=%prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)$|prod-web-(1|2|3|4|9|10|11)$
>>>
>>>   
>>> This SHOULD work according to online regex testing tools, and I also 
>>> at Henriks advice, verified it using "pcretest":
>>> $ pcretest
>>> PCRE version 6.6 06-Feb-2006
>>>
>>>   re> /prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)$|prod-web-(1|2|3|4|9|10|11)$/
>>> data> prod-web-12
>>> No match
>>> data> prod-web-11
>>>  0: prod-web-11
>>>  1: <unset>
>>>  2: 11
>>> data>
>>>   
>>> As seen above, the host "prod-web-12" does NOT match, but 
>>> "prod-web-11" DOES, which is exactly how I want it.
>>>
>>> *However, when I use this in hobbit-alerts.cfg. I do not get the 
>>> expected behavior. Instead, ALL hosts match, according to pages sent 
>>> out and from viewing the "info" section.  *The strange thing is, 
>>> according to hobbitd_alert --test, the hostname was successfully 
>>> excluded, but clicking on the "info" column for hosts that are 
>>> supposed to be excluded reveals that they are still configured to alert.
>>>
>>> ../bin/hobbitd_alert --test prod-web-11 procs --color-red
>>> 00009993 2006-11-09 21:48:30 send_alert prod-web-11:procs state Paging
>>> 00009993 2006-11-09 21:48:30 *** Match with 'HOST=%(prod-.*) SERVICE=*' ***
>>> 00009993 2006-11-09 21:48:30 Matching host:service:page 'prod-web-11:procs:PROD/PRODWEB' against rule line 170
>>> 00009993 2006-11-09 21:48:30 *** Match with 'MAIL $PRIMARY color=red REPEAT=60 RECOVERED NOTICE format=sms' ***
>>> 00009993 2006-11-09 21:48:30 Mail alert with command 'mail xxxxx at cingularme.com'
>>> 00009993 2006-11-09 21:48:30 Failed 'MAIL $SECONDARY color=red DURATION>20 REPEAT=60 RECOVERED NOTICE format=sms' (min. duration 0<1200)
>>> ...
>>> 00009993 2006-11-09 21:48:30 Failed 'HOST=* SERVICE=* EXHOST=$UNUSED_PROD' (hostname excluded)
>>>
>>> * Another thing, when I do the same test as above, using hostname 
>>> "prod-web-12", which is a host that should NOT be excluded, 
>>> hobbitd_alert still says that it was excluded (same last line of 
>>> output as the prod-web-11 test above).
>>>
>>> I have also tried enclosing the regex in quotes, which didn't work 
>>> either.
>>>
>>> If anyone has any insight, please let me know. I have contacted 
>>> Henrik about this, but I believe he misread my email, as he 
>>> suggested that I add $ to the regex, which I had already tried...so 
>>> now I am hoping that he or someone else sees this message and can 
>>> see what Im doing wrong.
>>>
>>> -Charles
>>>
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20061206/896f7021/attachment.html>

More information about the Xymon mailing list