I am looking for an event class transform. I do not have the warning and above events/alerts age, and the event comes in as a warning and I need the email to go out for the message in the event. I found the transform to drop an event and I tried changing the event action from drop to clear, and age. Nothing worked.
------------------------------ Chuck Hechler CPM CA ------------------------------
Subject:
RE: Event Transform
Author:
Michael Rogers
Posted:
2021-04-14 17:52
Chuck,
I'm not sure I follow what you're trying to do. Are you trying to send out an email notification when this event comes in, or are you trying to use it to clear an existing event in the system?
------------------------------ Michael J. Rogers Senior Instructor - Zenoss Austin TX ------------------------------
Subject:
RE: Event Transform
Author:
Chuck Hechler
Posted:
2021-04-15 12:12
Michael, I am trying to clear the event after the email is sent; the message comes out twice a day from the application. I have the email notifications working as expected and have the Event Configuration set to Don't Age this Severity and above set to "Warning". The Windows Event comes in as a warning and the message will not go out if the event is not cleared. Thanks in advance for your help.
------------------------------ Chuck Hechler CPM CA ------------------------------
Subject:
RE: Event Transform
Author:
Michael Rogers
Posted:
2021-04-15 13:23
Chuck,
If I'm understanding you:
You have an event that comes in twice a day. The email notification goes out when the event is first received. Subsequent notifications do *not* go out, as the original event is still open. You would like the original event to go away so that subsequent instances of the event generate email notifications.
Do I have that right?
I want to make sure, because there are several different ways to approach this. Also, what is the source of the event? Depending on what generates it (and if its source generates another event when the problem is resolved), there may be additional paths to a solution.
------------------------------ Michael J. Rogers Senior Instructor - Zenoss Austin TX ------------------------------
Subject:
RE: Event Transform
Author:
Chuck Hechler
Posted:
2021-04-15 15:22
Michael
The event comes from a Windows event log. Yes, it's twice a day. I would like the message to trigger an email, as it does if it's not in the event view, then clear/age so the next message sends another email, and so on.
------------------------------ Chuck Hechler CPM CA ------------------------------
Subject:
RE: Event Transform
Author:
Michael Rogers
Posted:
2021-04-15 15:38
I suspect the solution this time may be easier than we suspected.
Check the email notification. There are three checkboxes:
The one that says "Send only on initial occurrence?" will prevent the email notification from firing if a matching event is still open. If you uncheck that, the notification will fire every time the event is retrieved from the Windows event log.
Can you confirm if yours is checked or not?
------------------------------ Michael J. Rogers Senior Instructor - Zenoss Austin TX ------------------------------
Subject:
RE: Event Transform
Author:
Chuck Hechler
Posted:
2021-04-16 12:01
Michael,
Great idea, I did have the check box enabled for "Send Only on initial occurrence". I also changed the Trigger rule and added a new criteria, if event "status is not Acknowledged". However, my OCD will take over when I show this message sitting in the event view and not acknowledged. I am assuming that developing a transform for this use case is not possible, correct?
1. Windows Event message is triggered
2. Trigger and Notification rules are met, message sent (with Send only on initial occurrence)
3. Transform could age/close event after notification
------------------------------ Chuck Hechler CPM CA ------------------------------
Subject:
RE: Event Transform
Author:
Michael Rogers
Posted:
2021-04-16 13:53
Chuck,
The way you have it laid out, no, a transform wouldn't work. Transforms alter events while they're "in flight." By the time trigger evaluation is performed, the transforms are all done.
You could do this with a second notification, but it would be a bit tricky:
1. Create a script that uses the Zenoss JSON API and takes an event ID as an argument at the command line.
2. Write the script to use the close method of the events_router.
3. Create a command type notification, paired to the same trigger as the email notification but with a delay of several minutes (to allow for the email to process).
4. Configure the notification to call the script, passing evt.evid as an argument.
Then, when an event is processed and matches the trigger, the email will go out immediately. A few minutes later, the second notification will run, closing the event remotely.
It's a fair number of hoops to jump through.
------------------------------ Michael J. Rogers Senior Instructor - Zenoss Austin TX ------------------------------
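A sketch of the script described in steps 1 and 2 above, added here as an example; it is not code from the thread or from Zenoss. It assumes Python 3 on the host that runs the command notification, the `/zport/dmd/evconsole_router` endpoint with basic authentication, UUID-formatted event IDs, and hypothetical environment variable names (`ZENOSS_URL`, `ZENOSS_USER`, `ZENOSS_PASSWORD`).

```python
#!/usr/bin/env python3
"""Close one Zenoss event by evid through the JSON API (added example)."""
import base64
import json
import os
import re
import sys
import urllib.request

# Assumption: evids are UUID-formatted strings, as passed in via evt.evid.
EVID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
ROUTER_PATH = "/zport/dmd/evconsole_router"  # assumed events router endpoint


def validate_evid(evid):
    """Reject anything that is not a single well-formed event ID."""
    if not EVID_RE.fullmatch(evid):
        raise ValueError("not a valid event ID: %r" % evid)
    return evid


def build_close_request(base_url, user, password, evid):
    """Build the POST that asks EventsRouter.close to close one event."""
    body = {"action": "EventsRouter", "method": "close",
            "data": [{"evids": [validate_evid(evid)]}], "tid": 1}
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + ROUTER_PATH,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
        method="POST")


def main(argv):
    if len(argv) != 2:
        sys.exit("usage: close_event.py <evid>")
    # Credentials come from the environment, not the command line, so they
    # stay out of the process list and the notification definition.
    req = build_close_request(os.environ["ZENOSS_URL"],
                              os.environ["ZENOSS_USER"],
                              os.environ["ZENOSS_PASSWORD"], argv[1])
    with urllib.request.urlopen(req, timeout=30) as resp:  # TLS verified by default
        result = json.load(resp).get("result") or {}
    if not result.get("success"):  # assumed response shape: result.success
        sys.exit("close failed: %r" % result)


if __name__ == "__main__":
    main(sys.argv)
```

Run it under a dedicated Zenoss account that has only the rights needed to manage events, so the stored credential cannot be used for anything else.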
Subject:
RE: Event Transform
Author:
Michael Rogers
Posted:
2021-04-16 16:49
I meant to include this in my last post. A few years ago I made a video breaking down the event processing pipeline.
I mostly point people at it as a means to understand how and where to troubleshoot event pipeline issues, but it also explains where and when transforms and notifications happen.
I hope it helps!
------------------------------ Michael J. Rogers Senior Instructor - Zenoss Austin TX ------------------------------
Subject:
RE: Event Transform
Author:
Chuck Hechler
Posted:
2021-04-16 16:53
Michael
Thanks, I'll check the video out.
------------------------------ Chuck Hechler CPM CA ------------------------------
Subject:
RE: Event Transform
Author:
Chuck Hechler
Posted:
2021-04-22 13:47
Michael
I have been running with the changes you recommend (uncheck the send original notification only). I have noticed additional issues now. One would be the local host errors. They can flood my inbox. The other is CPU alerts; now I get a new one every poll of the device until it clears.
------------------------------ Chuck Hechler CPM CA ------------------------------
Subject:
RE: Event Transform
Author:
Michael Rogers
Posted:
2021-04-22 16:57
Hi, Chuck!
So, running the notification for every instance of the event works for the Windows event log pulls, but results in spam for any other events that also match the trigger. This should be fairly easy to fix.
1. Adjust the notification so that it sends on initial occurrence only (check the box I told you to uncheck). This should get rid of the spam problem and return things to how they were.
2. Build a new trigger using the same event criteria as these events are currently matching.
3. Add a rule to the new trigger so that it matches only the Windows events.
4. Make a new email notification tied to the trigger from step 2.
5. On the new notification, uncheck "Send only on initial occurrence."
So, instead of having a single trigger/notification pair handling everything, you'll have two pairs: one for all the Windows events that were giving you trouble initially and another pair for everything else.
It's not as elegant as having a single trigger/notification pair that does everything, but you can probably have it done in 5 minutes.
------------------------------ Michael J. Rogers Senior Instructor - Zenoss Austin TX ------------------------------
Subject:
RE: Event Transform
Author:
Chuck Hechler
Posted:
2021-04-22 17:03
Excellent idea. You are the wizard. I'll update this and let you know. Btw I have tweaked the notification email templates, should I share them?
Sent from my mobile device, please excuse my brevity
Subject:
RE: Event Transform
Author:
Michael Rogers
Posted:
2021-04-22 17:58
Glad I could help!
As for sharing your email templates, if you're doing something neat that you think someone else might benefit from, "go for it!" Honestly, if you or anyone else ever has a good idea, feel free to share it here.
------------------------------ Michael J. Rogers Senior Instructor - Zenoss Austin TX ------------------------------