Rules file examples
These examples show typical rules file segments.
- Example: Enhancing the Summary field
- Example: Populating multiple fields
- Example: Nested IF statements
- Example: Regular expression match
- Example: Regular expression extract
- Example: Extracting data using a field or token as an anchor
- Example: Checking for the presence of a substring within a string
- Example: Numeric comparisons
- Example: Simple numeric expressions
- Example: Strings and numerics in one expression
- Example: Using load functions to monitor nodes
Example: Enhancing the Summary field
This example rule tests if the $trap-type element
is Link-Up. If it is, the @Summary field is populated
with a string made up of "Link up on ", the name of
the node from the record being generated, " Port ", and
the value of the $ifIndex element:
if( match($trap-type, "Link-Up") )
{
    @Summary = "Link up on " + @Node + " Port " + $ifIndex
}

Example: Populating multiple fields
This example rule is similar to the previous
rule except that the @AlertKey and @Severity fields
are also populated:
if( match($trap-type, "Link-Up") )
{
    @Summary = "Link up on " + @Node + " Port " + $ifIndex
    @AlertKey = $ifIndex
    @Severity = 4
}

Example: Nested IF statements
This example rule first tests if the trap has
come from an Acme manager, and then tests if it is
a Link-Up. If both conditions are met, the @Summary field
is populated with the values of the @Node field and $ifIndex and $ifLocReason elements:
if( match($enterprise, "Acme") )
{
    if( match($trap-type, "Link-Up") )
    {
        @Summary = "Acme Link Up on " + @Node + " Port " + $ifIndex +
                   " Reason: " + $ifLocReason
    }
}

Example: Regular expression match
This example rule tests for a line starting with Acme
Configuration: followed by a single digit:
if( regmatch($enterprise, "^Acme Configuration:[0-9]") )
{
    @Summary = "Generic configuration change for " + @Node
}

Example: Regular expression extract
This example rule tests for a line starting with Acme
Configuration: followed by a single digit. If the condition
is met, it extracts that single digit and places it in the @Summary field:
if( regmatch($enterprise, "^Acme Configuration:[0-9]") )
{
    # extract() returns the text captured by the parenthesised group
    @Summary = "Acme error " + extract($enterprise, "^Acme Configuration:([0-9])") + " on " + @Node
}

Example: Extracting data using a field or token as an anchor
This example rule checks for a digit that appears after
the string contained in the $corp variable. If the
condition is met, it extracts that single digit and places it in the @Summary field:
if( regmatch( $enterprise, "^" + $corp + ":[0-9]" ) )
{
    @Summary = $corp + extract( $enterprise, "^" + $corp + ":([0-9])" ) + " on " + @Node
}

Example: Checking for the presence of a substring within a string
This example uses the regmatch function with a transient regular
expression derived from a string expression to check for a substring.
Because the needle string is compiled as a regular expression, any
regular-expression metacharacters it contains are interpreted rather
than matched literally.
$needle = "fox"
$haystack = "The quick brown fox jumped over the lazy dog."
if( regmatch( $haystack, $needle ) )
{
    # Found needle in haystack
}
If you do not want the substring check to be case sensitive,
apply lower to both strings, for example:
if( regmatch( lower($haystack), lower($needle) ) )
{
    # Found needle in haystack
}

Example: Numeric comparisons
This example rule tests the value of an element called $freespace as
a numeric value by converting it to an integer and performing a numeric
comparison:
if( int($freespace) < 1024 )
{
    @Summary = "Less than 1024K free on drive array"
}

Example: Simple numeric expressions
This example rule creates an element called $tmpval.
The value of $tmpval is derived from the $temperature element,
which is converted to an integer and then has 20 subtracted from it.
The string element $tmpval contains the result of
this calculation:
$tmpval = int($temperature) - 20

Example: Strings and numerics in one expression
This example rule creates an
element called $Kilobytes. The value of $Kilobytes is
derived from the $DiskSize element, which is divided
by 1024 before being converted to a string type with the letter K appended:
$Kilobytes = string(int($DiskSize) / 1024) + "K"

Example: Using load functions to monitor nodes
This example shows how to measure load for each node that is generating events. If a node is producing more than five events per second, a warning is written to the probe log file. If more than 80 events per second are generated across all nodes being monitored by the probe, events are sent to an alternative ObjectServer and a warning is written to the probe log file.
# declare the ObjectServers HIGHLOAD and LOWLOAD
LOWLOAD = registertarget( "NCOMS_LOW", "", "alerts.status")
HIGHLOAD = registertarget( "NCOMS_HIGH", "", "alerts.status")
# declare the loads array, one load string per node
array loads;
# initialize load strings with the number of seconds samples may span and
# the number of samples to maintain
if ( match("", loads[@Node]) ){
    loads[@Node] = "2.50"
}
if ( match("", %general_load) ){
    %general_load = "2.50"
}
# record this event in the per-node load and in the probe-wide load
loads[@Node] = updateload(loads[@Node])
%general_load = updateload(%general_load)
# per-node check: warn in the probe log only
if ( int(getload(loads[@Node])) > 5 ){
    log(WARN, @Node + " is creating more than 5 events per second")
}
# probe-wide check: warn and send this event to the HIGHLOAD ObjectServer
if ( int(getload(%general_load)) > 80 ){
    log(WARN, "Probe is creating more than 80 events per second - switching to HIGHLOAD")
    settarget(HIGHLOAD)
}
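To see how the two thresholds behave on an event stream, here is an added Python simulation that is not part of this page and not the probe's own updateload/getload code: it replays constructed events through the same per-node and probe-wide checks. It assumes the "2.50" load string means samples may span 2 seconds with at most 50 kept, and that the rate is the number of retained samples divided by the time they span; the real functions may compute this differently.

```python
from collections import deque

WINDOW_SECONDS = 2   # assumed meaning of the "2" in the page's "2.50" load string
MAX_SAMPLES = 50     # assumed meaning of the "50" in "2.50"

class Load:
    """Stand-in for updateload/getload: keeps the last MAX_SAMPLES event times
    that fall within WINDOW_SECONDS and reports events per second."""
    def __init__(self):
        self.samples = deque(maxlen=MAX_SAMPLES)

    def update(self, ts):
        self.samples.append(ts)
        while ts - self.samples[0] > WINDOW_SECONDS:   # drop samples older than the window
            self.samples.popleft()

    def rate(self):
        n = len(self.samples)
        if n < 2:
            return 0.0          # a single sample cannot give a rate
        span = self.samples[-1] - self.samples[0]
        return n / span if span > 0 else float(n)   # identical timestamps: treat span as 1 s

def run_probe(events, node_threshold=5, probe_threshold=80):
    """Replay (timestamp, node) pairs through the two checks in the rules file.
    Returns the nodes that tripped the per-node warning and the target
    (LOWLOAD/HIGHLOAD) chosen for each event, in order."""
    loads = {}
    general = Load()
    noisy, targets = set(), []
    for ts, node in events:
        loads.setdefault(node, Load()).update(ts)   # loads[@Node] = updateload(...)
        general.update(ts)                          # %general_load = updateload(...)
        if int(loads[node].rate()) > node_threshold:
            noisy.add(node)                         # log(WARN, @Node + " is creating ...")
        if int(general.rate()) > probe_threshold:
            targets.append("HIGHLOAD")              # settarget(HIGHLOAD)
        else:
            targets.append("LOWLOAD")               # the page's rule leaves the default target
    return noisy, targets

# Constructed sample stream (seconds, already in time order): a quiet router,
# a short burst from a switch and a flood from a firewall.
SAMPLE_EVENTS = (
    [(float(t), "r1") for t in range(4)]               # 1 event/s
    + [(3.0 + 0.05 * i, "sw7") for i in range(12)]     # 12 events in 0.55 s
    + [(4.0 + 0.005 * i, "fw2") for i in range(100)]   # 100 events in 0.5 s
)
```

With this stream, sw7 and fw2 trip the per-node warning, and only the tail of the fw2 flood (once the 50 retained samples all come from it) pushes the probe-wide rate past 80 and routes events to HIGHLOAD.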