[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
hobbit-alerts.cfg regex/MACRO problem - need help
- To: hobbit (at) hswn.dk
- Subject: hobbit-alerts.cfg regex/MACRO problem - need help
- From: Charles Jones <jonescr (at) cisco.com>
- Date: Thu, 09 Nov 2006 14:59:38 -0700
- Authentication-results: sj-dkim-2; header.From=jonescr@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
- Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=6944; t=1163109581; x=1163973581; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jonescr@cisco.com; z=From:=20Charles=20Jones=20<jonescr@cisco.com> |Subject:=20hobbit-alerts.cfg=20regex/MACRO=20problem=20-=20need=20help |Sender:=20; bh=ypb2n1TwUpm+nHdInurCIVoNvJQDkPhU5AvuGqvSu+8=; b=hfTZ61u2baUNziPzeu9yZKFm3mvLKYjGUh20Y9jaQxp626LQ7003NW/uP6uTpui/WZ3AhQPL OvChftNlSCyX10ydm6LsDr8sgg0/AhmSHAKCf+dxzZEzxhFn4A/zaXCC;
- Organization: Cisco Systems
- User-agent: Thunderbird 1.5.0.4 (X11/20060614)
I am trying to use a regex macro to exclude a number of hosts from an
alert. Here is the one I was using at first:
$UNUSED_PROD=%prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)|prod-web-(1|2|3|4|9|10|11)
Here is how I am using it for the actual alert definition:
HOST=%(prod-.*) SERVICE=* EXHOST=$UNUSED_PROD
MAIL $PRIMARY color=red REPEAT=60 RECOVERED NOTICE format=sms
MAIL $SECONDARY color=red DURATION>20 REPEAT=60 RECOVERED NOTICE format=sms
I ran into a problem with the host "prod-app-12" matching the regex. I
realized this was because I was not terminating the numbers, so I
changed my variable to:
$UNUSED_PROD=%prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)$|prod-web-(1|2|3|4|9|10|11)$
This SHOULD work according to online regex testing tools, and I also at
Henriks advice, verified it using "pcretest":
$ pcretest
PCRE version 6.6 06-Feb-2006
re> /prod-app-(2|3|4|5|6|7|8|9|10|11|12|18|20|21|22|23|24)$|prod-web-(1|2|3|4|9|10|11)$/
data> prod-web-12
No match
data> prod-web-11
0: prod-web-11
1: <unset>
2: 11
data>
As seen above, the host "prod-web-12" does NOT match, but "prod-web-11"
DOES, which is exactly how I want it.
*However, when I use this in hobbit-alerts.cfg. I do not get the
expected behavior. Instead, ALL hosts match, according to pages sent out
and from viewing the "info" section. *The strange thing is, according
to hobbitd_alert --test, the hostname was successfully excluded, but
clicking on the "info" column for hosts that are supposed to be excluded
reveals that they are still configured to alert.
../bin/hobbitd_alert --test prod-web-11 procs --color-red
00009993 2006-11-09 21:48:30 send_alert prod-web-11:procs state Paging
00009993 2006-11-09 21:48:30 *** Match with 'HOST=%(prod-.*) SERVICE=*' ***
00009993 2006-11-09 21:48:30 Matching host:service:page 'prod-web-11:procs:PROD/PRODWEB' against rule line 170
00009993 2006-11-09 21:48:30 *** Match with 'MAIL $PRIMARY color=red REPEAT=60 RECOVERED NOTICE format=sms' ***
00009993 2006-11-09 21:48:30 Mail alert with command 'mail xxxxx (at) cingularme.com'
00009993 2006-11-09 21:48:30 Failed 'MAIL $SECONDARY color=red DURATION>20 REPEAT=60 RECOVERED NOTICE format=sms' (min. duration 0<1200)
...
00009993 2006-11-09 21:48:30 Failed 'HOST=* SERVICE=* EXHOST=$UNUSED_PROD' (hostname excluded)
* Another thing, when I do the same test as above, using hostname
"prod-web-12", which is a host that should NOT be excluded,
hobbitd_alert still says that it was excluded (same last line of output
as the prod-web-11 test above).
I have also tried enclosing the regex in quotes, which didn't work either.
If anyone has any insight, please let me know. I have contacted Henrik
about this, but I believe he misread my email, as he suggested that I
add $ to the regex, which I had already tried...so now I am hoping that
he or someone else sees this message and can see what Im doing wrong.
-Charles