Rules file examples
These examples show typical rules file segments.
- Example: Enhancing the Summary field
- Example: Populating multiple fields
- Example: Nested IF statements
- Example: Regular expression match
- Example: Regular expression extract
- Example: Extracting data using a field or token as an anchor
- Example: Checking for the presence of a substring within a string
- Example: Numeric comparisons
- Example: Simple numeric expressions
- Example: Strings and numerics in one expression
- Example: Using load functions to monitor nodes
Example: Enhancing the Summary field
This example rule tests whether the $trap-type element is Link-Up. If it is, the @Summary field is populated with a string made up of "Link up on ", the name of the node from the record being generated (@Node), " Port ", and the value of the $ifIndex element:
if( match($trap-type,"Link-Up") )
{
@Summary = "Link up on " + @Node + " Port " + $ifIndex
}
Example: Populating multiple fields
This example rule is similar to the previous rule, except that the @AlertKey and @Severity fields are also populated:
if( match($trap-type, "Link-Up") )
{
@Summary = "Link up on " + @Node + " Port " + $ifIndex
@AlertKey = $ifIndex
@Severity = 4
}
Example: Nested IF statements
This example rule first tests whether the trap has come from an Acme manager, and then tests whether it is a Link-Up. If both conditions are met, the @Summary field is populated with the values of the @Node field and the $ifIndex and $ifLocReason elements:
if( match($enterprise,"Acme") )
{
if( match($trap-type, "Link-Up") )
{
@Summary = "Acme Link Up on " + @Node + " Port " + $ifIndex +
" Reason: " + $ifLocReason
}
}
Example: Regular expression match
This example rule tests for a line starting with "Acme Configuration:" followed by a single digit:
if (regmatch($enterprise,"^Acme Configuration:[0-9]"))
{
@Summary="Generic configuration change for " + @Node
}
Example: Regular expression extract
This example rule tests for a line starting with "Acme Configuration:" followed by a single digit. If the condition is met, it extracts that single digit and places it in the @Summary field:
if (regmatch($enterprise,"^Acme Configuration:[0-9]"))
{
@Summary = "Acme error " + extract($enterprise,"^Acme Configuration:([0-9])") + " on " + @Node
}
Example: Extracting data using a field or token as an anchor
This example rule checks for a digit that appears after the string contained in the $corp variable. If the condition is met, it extracts that single digit and places it in the @Summary field:
if( regmatch( $enterprise, "^"+$corp+":[0-9]" ) ) {
@Summary = $corp + extract( $enterprise, "^"+$corp+":([0-9])" ) + " on " + @Node
}
Example: Checking for the presence of a substring within a string
This example uses the regmatch function with a transient regular expression derived from a string expression to check for a substring.
$needle = "fox"
$haystack = "The quick brown fox jumped over the lazy dog."
if( regmatch( $haystack, $needle ) ) {
# Found needle in haystack
}
If you do not want the substring check to be case sensitive, apply lower to both arguments, for example:
if( regmatch( lower($haystack), lower($needle) ) ) {
# Found needle in haystack
}
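The following Python mirror of the two preceding examples (the $corp-anchored extract and the substring check) is an added illustration, not code from the page and not the rules language itself. It reproduces what those rules compute and adds the check a practitioner wants whenever a regular expression is assembled from a runtime value: escaping that value so it is matched literally rather than interpreted as pattern syntax. Function names and the sample values are assumptions.

```python
import re


def anchored_extract(enterprise, corp, node, escape_anchor=True):
    """Mirror of the "$corp anchor" rule: match "^<corp>:[0-9]" against $enterprise and
    build @Summary as $corp + digit + " on " + @Node.
    escape_anchor=True (assumed hardening, not present in the rules-file example) escapes
    $corp so it is matched as literal text instead of as regular-expression syntax."""
    anchor = re.escape(corp) if escape_anchor else corp
    m = re.match(anchor + r":([0-9])", enterprise)   # re.match is anchored at the start, like "^"
    if m is None:
        return None
    return corp + m.group(1) + " on " + node


def contains_substring(haystack, needle, case_sensitive=True):
    """Mirror of the substring check built from a transient regular expression;
    case_sensitive=False reproduces the lower()/lower() variant. The needle is escaped so
    a needle such as "a.b" is not silently treated as a pattern."""
    if not case_sensitive:
        haystack, needle = haystack.lower(), needle.lower()
    return re.search(re.escape(needle), haystack) is not None


if __name__ == "__main__":
    # Constructed sample values (not from the page).
    print(anchored_extract("Acme:7 config reload", "Acme", "router1"))
    # A $corp value containing a regex metacharacter: an unescaped "." matches any character,
    # so the unrelated line "AXB:3" is reported as belonging to "A.B"; escaping prevents that.
    print(anchored_extract("AXB:3", "A.B", "router1", escape_anchor=False))
    print(anchored_extract("AXB:3", "A.B", "router1"))
    print(contains_substring("The quick brown fox jumped over the lazy dog.", "FOX"))
    print(contains_substring("The quick brown fox jumped over the lazy dog.", "FOX", False))
```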
Example: Numeric comparisons
This example rule tests the value of an element called $freespace as a numeric value by converting it to an integer and performing a numeric comparison:
if (int($freespace) < 1024)
{
@Summary="Less than 1024K free on drive array"
}
Example: Simple numeric expressions
This example rule creates an element called $tmpval. The value of $tmpval is derived from the $temperature element, which is converted to an integer and then has 20 subtracted from it. The string element $tmpval contains the result of this calculation:
$tmpval=int($temperature)-20
Example: Strings and numerics in one expression
This example rule creates an element called $Kilobytes. The value of $Kilobytes is derived from the $DiskSize element, which is divided by 1024 before being converted to a string type with the letter K appended:
$Kilobytes = string(int($DiskSize)/1024) + "K"
Example: Using load functions to monitor nodes
This example shows how to measure load for each node that is generating events. If a node is producing more than five events per second, a warning is written to the probe log file. If more than 80 events per second are generated for all nodes being monitored by the probe, events are sent to an alternative ObjectServer and a warning is written to the probe log file.
# declare the ObjectServers HIGHLOAD and LOWLOAD
# declare the loads array
LOWLOAD = registertarget( "NCOMS_LOW", "", "alerts.status")
HIGHLOAD = registertarget( "NCOMS_HIGH", "", "alerts.status")
array loads;
# initialize array items with the number of seconds samples may span and
# number of samples to maintain.
if ( match("", loads[@Node]) ){
loads[@Node] = "2.50"
}
if ( match("" , %general_load) ){
%general_load="2.50"
}
loads[@Node] = updateload(loads[@Node])
%general_load=updateload(%general_load)
if ( int(getload(loads[@Node]) ) > 5 ){
log(WARN, @Node + " is creating more than 5 events per second")
}
if ( int(getload(%general_load)) > 80){
log(WARN, "Probe is creating more than 80 events per second - switching to HIGHLOAD")
settarget(HIGHLOAD)
}
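The following Python model of the load-monitoring rule is an added illustration, not code from the page and not Netcool's updateload/getload implementation. It assumes a simplified sliding-window rate (events seen in the last two seconds divided by two, matching the 2-second span of the "2.50" load string; the sample count is not modelled) and applies the same 5 and 80 events-per-second thresholds, with the same int() truncation, to a constructed event stream. Names and sample data are assumptions.

```python
from collections import deque


class Load:
    """Assumed, simplified stand-in for the page's updateload()/getload() pair: keep the
    timestamps of events seen in the last `span` seconds and report count / span."""

    def __init__(self, span_seconds=2.0):
        self.span = span_seconds
        self.times = deque()

    def update(self, now):
        self.times.append(now)
        while self.times and now - self.times[0] >= self.span:
            self.times.popleft()            # drop samples that fell outside the window

    def rate(self):
        return len(self.times) / self.span  # events per second over the window


def process_events(events, per_node_limit=5, total_limit=80, span_seconds=2.0):
    """Apply the page's rule to (timestamp, node) events. Returns the warnings that would be
    written to the probe log and the ObjectServer target in effect at the end."""
    loads = {}                      # the rules file's `loads` array, keyed by @Node
    general = Load(span_seconds)    # the rules file's %general_load
    warnings, target = [], "LOWLOAD"
    for ts, node in events:
        loads.setdefault(node, Load(span_seconds)).update(ts)
        general.update(ts)
        if int(loads[node].rate()) > per_node_limit:      # int() truncates, as in the rule
            warnings.append(f"WARN: {node} is creating more than {per_node_limit} events per second")
        if int(general.rate()) > total_limit:
            warnings.append(f"WARN: probe is creating more than {total_limit} events per second - switching to HIGHLOAD")
            target = "HIGHLOAD"
    return warnings, target


# Constructed sample stream: one node bursts 13 events within 1.2 s, another sends 4 events slowly.
SAMPLE_EVENTS = [(i * 0.1, "core-sw1") for i in range(13)] + \
                [(5.0 + i * 0.5, "edge-rtr2") for i in range(4)]

if __name__ == "__main__":
    for line in process_events(SAMPLE_EVENTS)[0]:
        print(line)
```

With the sample stream only core-sw1 trips the per-node threshold (on its 12th and 13th events), so the target stays LOWLOAD; a burst of 200 events across many nodes within one second trips the probe-wide threshold instead.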