IBM Support

Netcool/OMNIbus Probe Rules file tips and tricks

Technical Blog Post



1. Netcool/IDE is a very useful GUI rules file editor and debugger


 
Available to download from (MyIBM login required):-
    https://www.ibm.com/software/tivoli/gat/toolsutils
 
The Netcool/IDE provides an IDE for writing/editing rules and allows you to debug and test them using raw capture output of probes, with the ability to set breakpoints, step through statements and see the current values of elements at that point of execution.
 
Another way to debug rules files in situ is to add log statements that output the values of variables at a given point (which helps confirm any assumptions you are making), e.g.

log( WARNING, "Hit point A in rules, $wibble = ["+$wibble+"]" )
 

 

Choosing a log level above DEBUG will allow you to see your debug statements without all of the verbose debug information getting in the way.

 

 

2. RawCapture output for unparsed events


 
You can set the RawCapture property dynamically in the rules file to write out the current event into the RawCapture file.

Near the top of the rules file (after the targets, tables and arrays have been defined) set:-

# Turn %RawCapture property off
# Note that this will override setting in the properties file or command line
%RawCapture = 0
...

Then, at any point in the rules where you have no rules to deal with an event (such as the default: case of the switch($enterprise) in the NcKL rules file):-

switch( $enterprise ) {
...other case statements...
    default:
        log(DEBUG, "<<<<< (snmptrap.rules) Enterprise ID not found in any include file. >>>>>")
        @Summary = "No Rules Found for Enterprise ID: " + $enterprise + " (see details)"
        @Severity = 2
        @Type = 0
        %RawCapture=1
}

 

 

This will provide RawCapture output only for traps that do not have specific rules written to handle them.

 

 

 

3. regmatch() before extract()


 
Always, always, always do this.

# Pull out blah item and store in @AlertKey
# REF: BLAH123
if( regmatch( $foo, "^[A-Z]*[0-9]: Blah-(.*)$" ) )
{
    # Note use of exact same regexp string for both regmatch and extract, including the extraction parentheses - these won't affect regmatch()
    @AlertKey = extract( $foo, "^[A-Z]*[0-9]: Blah-(.*)$" )
} else {
    # Optionally log out an error to say that it wasn't in the right format
    log( ERROR, "BLAH123: Data not in expected format: ["+$foo+"]" )
    # If using Tip #2 about dynamic RawCapture you can even do:-
    %RawCapture=1
}
 

 

This can be helpful if you've assumed that the data is in a specific format at the point where you make the extract() call. It also reduces the number of 'Regexp does not match' errors in the probe log files, because it replaces them with errors that you control (and in which you can log more information if you want to).

 

 

4. Obtaining sub-second timing information in the rules file


 
The rules file language provides no direct call to get sub-second timing information, but you can get it via the updateload() calls and extract it manually.

$timer = "2.2"
$timer = updateload( $timer )
log( DEBUG, "Value: "+$timer )

2011-09-01T12:55:06: Debug: D-UNK-000-000: Value: 2.2 1314878106.64880

Calling updateload() on an 'empty' loadstring (i.e. one with just the window sizes) gives you the result of gettimeofday(), i.e. sec and usec values.

Value: 2.2 1314878106.64880

So the current UTC time is 1314878106 sec and 64880 usec.

Remember to reset $timer = "2.2" before calling again, otherwise this initial value is not guaranteed to be updated.
 
You can also use this to time specific operations within the rules file language:-
 
$timer = "2.2"
$timer = updateload( $timer )
$hostname = gethostname( "192.168.1.123" )
$timer = updateload( $timer )
log( ERROR, "Timing="+$timer )
log( ERROR, "Hostname="+$hostname )

2011-10-05T12:51:48: Error: E-UNK-000-000: Timing=2.2 1317815508.849179 127603
2011-10-05T12:51:48: Error: E-UNK-000-000: Hostname=alexsmachine.example.com
 

 

The third value in the $timer string is the time in microseconds (millionths of a second) between the two updateload() calls which represents the time taken to perform the DNS lookup. This can be ex 127603usec is roughly 1/8th of a second.
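The manual extraction step for the timer string, shown as an added example that is not part of the original post. It reuses the regmatch()/extract() pattern from Tip 3; the $slow_usec threshold and the TIMER01 log tag are names made up for this example.

```netcool-rules
# Added example, not part of the original post.
# $slow_usec and the TIMER01 tag are names invented for this example.
$slow_usec = 100000

# Reset the load string before the first call, as noted above
$timer = "2.2"
$timer = updateload( $timer )
$hostname = gethostname( "192.168.1.123" )
$timer = updateload( $timer )

# Expected shape after two calls: "2.2 <sec>.<usec> <elapsed usec>"
# regmatch() guards every extract(), as in Tip 3
if( regmatch( $timer, "^[0-9.]+ [0-9]+[.][0-9]+ ([0-9]+)$" ) )
{
    $elapsed = extract( $timer, "^[0-9.]+ [0-9]+[.][0-9]+ ([0-9]+)$" )
    # The part after the dot is a microsecond count (64880 in the sample
    # output above), so pull sec and usec out as two separate integers
    $sec = extract( $timer, "^[0-9.]+ ([0-9]+)[.][0-9]+ [0-9]+$" )
    $usec = extract( $timer, "^[0-9.]+ [0-9]+[.]([0-9]+) [0-9]+$" )

    if( int( $elapsed ) > int( $slow_usec ) )
    {
        log( WARNING, "TIMER01: slow lookup, " + $elapsed + " usec, sec=[" + $sec + "] usec=[" + $usec + "] host=[" + $hostname + "]" )
    }
} else {
    log( ERROR, "TIMER01: timer not in expected format: [" + $timer + "]" )
}
```

The character class [.] is used for a literal dot so that no backslash escaping is needed inside the rules file string.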

 

 

5. Use regreplace() to help clear up tokens/strings


 
regreplace() provides regular expression matching and substitution. It can be used in a variety of ways:-

a) Remove all occurrences of $, ! or ' in any of the tokens:-

foreach ( x in $* )
{
    $x = regreplace( $x, "[$!']", "" )
}

b) Replace multiple spaces with a single space:-

foreach ( x in $* )
{
    $x = regreplace( $x, " +", " " )
}

 

 

6. update( @SomeField, FALSE ) does not prevent a field from being updated by an ObjectServer trigger (such as the deduplication trigger)

 


It only cancels a previous:-
    update( @SomeField )
or
    update( @SomeField, TRUE )
that occurred in the rules file.

If the deduplication trigger contains:-
    set old.SomeField = new.SomeField;
then that field will be updated regardless of what you've put in the rules file.

If you want to conditionally update SomeField then don't update it in the deduplication trigger, control it completely in the rules file; or add a flag that can be tested in the trigger to determine whether it should be updated, i.e.

...rules...
@UpdateSomeField=1
...

...deduplication trigger...
    if( new.UpdateSomeField = 1 ) then
        set old.SomeField = new.SomeField;
    end if;
...

 


UID

ibm11081977