Created
December 16, 2011 15:56
Zenoss Event Escalation Transform
```python
# This is an example Zenoss event transform that will escalate an event's
# severity to critical if it has occurred more than three (3) times in a row
# without clearing.
#
# It is compatible with all existing Zenoss versions which includes up to 4.1
# at the time this was written.

# Initialize existing_count.
existing_count = 0

# Prefix for fingerprint (dedupid).
dedupfields = [evt.device, evt.component, evt.eventClass]

if 'getFacade' in globals() and getFacade('zep'):
    # Zenoss >=4 method.
    if getattr(evt, 'eventKey', False):
        dedupfields += [evt.eventKey, evt.severity]
    else:
        dedupfields += [evt.severity, evt.summary]

    zep = getFacade('zep')
    evt_filter = zep.createEventFilter(
        status=(0,1,2),
        fingerprint='|'.join(map(str, dedupfields)))

    summaries = zep.getEventSummaries(0, 1, filter=evt_filter)
    if summaries['total']:
        existing_count = list(summaries['events'])[0]['count']
else:
    # Zenoss <4 method.
    if getattr(evt, 'eventKey', False):
        dedupfields += [evt.eventKey, evt.severity]
    else:
        dedupfields += [evt.eventKey, evt.severity, evt.summary]

    em = dmd.Events.getEventManager()
    em.cleanCache()
    try:
        db_evt = em.getEventDetail(dedupid='|'.join(map(str, dedupfields)))
        existing_count = db_evt.count
    except Exception:
        pass

# Do what you like with the count and event;
# In this example we up the severity to CRITICAL if the count is > 3
if existing_count > 3:
    evt.severity = 5
```
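The transform's fingerprint and escalation logic pulled out into pure functions so it can be exercised without a Zenoss instance. This is an added example, not part of the original gist: `Event`, `fingerprint`, `escalated_severity`, `replay` and the sample event are constructed here, the in-memory count table only stands in for the event store, and the skip for clear events (severity 0) is an added guard.

```python
from collections import namedtuple

# Stand-in for the evt object a transform receives (not a Zenoss class).
Event = namedtuple("Event", "device component eventClass eventKey severity summary")

SEVERITY_CLEAR, SEVERITY_CRITICAL = 0, 5

# Constructed sample event with no eventKey, so the summary joins the fingerprint.
SAMPLE = Event("web01", "httpd", "/Status/Web", "", 4, "HTTP check failed")


def fingerprint(evt, zenoss4=True):
    """Build the dedup fingerprint with the same field order as the transform."""
    fields = [evt.device, evt.component, evt.eventClass]
    if evt.eventKey:
        fields += [evt.eventKey, evt.severity]
    elif zenoss4:
        fields += [evt.severity, evt.summary]
    else:
        # The <4 branch keeps the empty eventKey as its own field.
        fields += [evt.eventKey, evt.severity, evt.summary]
    return "|".join(map(str, fields))


def escalated_severity(evt, existing_count, threshold=3):
    """Return the severity to assign, given the count already stored."""
    if evt.severity == SEVERITY_CLEAR:
        return evt.severity  # added guard: never turn a clear into an alert
    if existing_count > threshold:
        return SEVERITY_CRITICAL
    return evt.severity


def replay(events, zenoss4=True):
    """Run events through a dict of counts keyed by fingerprint."""
    counts, severities = {}, []
    for evt in events:
        fp = fingerprint(evt, zenoss4)
        existing = counts.get(fp, 0)  # count before this occurrence
        severities.append(escalated_severity(evt, existing))
        counts[fp] = existing + 1
    return severities


if __name__ == "__main__":
    print(fingerprint(SAMPLE), replay([SAMPLE] * 5))
```

Because the summary is part of the fingerprint whenever `eventKey` is empty, two occurrences whose summaries differ never share a count; setting an `eventKey` on the event removes that dependency.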
Good catch. I updated lines #16 and #31.
Thanks a lot for this, we use it or variants a bunch of different ways. A couple things we have found through experience: one, you want to check to make sure you don't change clear priorities by mistake; two, if you use this on Windows/syslog events you can run into troubles if you have a large event message/summary that gets truncated ...
Hi Chet, thanks a lot for this. I have a question: as per the code, if the existing_count > 3, can we generate a new alert again rather than increasing the severity? If yes, how can we alter the existing code? Is it possible to set the event count to zero or one? I tried, but that did not help.
Please advise.
Shouldn't line #16 default eventKey to False?