TECHZEN Zenoss User Community ARCHIVE  

Changing severity for a high cpu alert.

Subject: Changing severity for a high cpu alert.
Author: G N
Posted: 2017-08-05 10:25

Hello Zenoss users and admins alike. I'm very new to Zenoss and still learning the ropes with its administration. 

One thing I'd like to do is turn down the severity for an alert we get from a Cisco device. Basically change the severity.

How could I best accomplish this? From what I've read so far, it will take an Event Transform script to be put in the /unknown/ event class page. Any suggestions welcome.


Subject: RE: Changing severity for a high cpu alert.
Author: Jane Curry
Posted: 2017-08-07 08:10

Hi Mike - welcome to Zenoss.

For starters, you are on a VERY old version of Zenoss if you are still on 2.5.  I am a great fan of "if it ain't broke then don't fix it"; that said, do be aware that some comments on this forum will be inappropriate to your version.

Happily, event mapping is a principle that hasn't changed throughout Zenoss.  You might like to pull my event management paper from https://www.skills-1st.co.uk/papers/jane/zenoss_event_management_paper.pdf . This is the OLD version of the paper for Zenoss 3 (which has the same event architecture as Zenoss 2); there were big changes in the event architecture for Zenoss 4 (similar still in Zenoss 5).

The basic principle of event mapping is to map /Unknown events to a different, known event class - either an existing event class or you can easily create your own.  Explore the existing event classes and see if there is an appropriate one to use - let's say you pick /Perf/CPU (note that the whole GUI looks very different in Zenoss 2 than later versions).

In the Event Console, select an instance of your event (with class /Unknown) and then use the third icon at the top (looks like a tree) to "Map selected events to an event class".  You should get a dropdown showing all your events (note that if you have just created a new event class, it may not show in this list; refresh your browser and it should show up).  It should say that it has created a mapping.

Go to the event classes and navigate down /Perf/CPU (in my example). You should see an event class mapping.  The starting point for a mapping is the eventClassKey field (beware there is also an event Key and an eventClass).  Your sample had the value SYS-1-CPURISINGTHRESHOLD.  A mapping ONLY works if your event has an eventClassKey that matches.  After that, you can test various other fields of the event to further define this mapping.

In your case, you want to look at the summary field of the event.  This has some text that will be constant (like "Threshold: Total CPU Utilization(Total/Intr):") and some text will be variable like the process ids and the percentages.  The regex element of your event class mapping allows you to construct a regular expression to match the summary field of the event.  The rule element of the event class mapping allows you to test other fields of the event (and, indeed, the summary field also if you wish).  Both rule and regex are basically Python code.

You have a fairly complicated requirement.  The summary text should have a standard format.  It also needs to include your specific process id of 346 somewhere - and it might be anywhere in those top 3 processes.  There are lots of ways to do this but one way would be to test in the Rule that the summary field has "346/" somewhere in it and, using the Regex, ensure that the summary is in the format to satisfy your requirement so:

Rule:     evt.summary.find('346/') != -1
Regex:    Threshold: Total CPU Utilization\(Total/Intr\):

Note that the Regex uses "\" to escape the brackets as brackets are part of regex syntax.

That isn't failsafe but, without getting too fancy in regular expressions, it should generally work.

Double click on your event class mapping and you should have an Edit tab that shows you the eventClassKey and the summary should have been copied to the "Example" field.  Complete the Rule and Regex fields as shown above and use the Save button.  If the Regex text turns red that indicates that the Regex does not match your example text.



That should ensure that only events that match the eventClassKey, the Rule and the Regex will get mapped to your chosen eventClass.  Still doesn't DO anything else to your event yet!

To change the severity, you can as you say, write a transform in that same dialogue with:
evt.severity = 2
(The event severity field is actually numeric - 5=Critical, 4=Error, 3=Warning, 2=Info, 1=Debug, 0=Clear). If all you want to change is the severity then perhaps your better option is to change the zProperty for that eventClass mapping, using the zProperties tab you see in the screenshot.  You can then select the desired zEventSeverity from a dropdown list.

Test it and you should be done!  I used the Zenoss utility zensendevent (as the zenoss user from a command window) to test this with (all on one line):
zensendevent -d zenoss.class.example.org -s Critical -k SYS-1-CPURISINGTHRESHOLD -o agent='zensyslog' "Threshold: Total CPU Utilization(Total/Intr): 89%/0% Top 3 processes(Pid/Util): 346/77%, 84/10%, 85/0%"

Make sure you close any existing similar events before trying a new test.

More examples in the paper referenced earlier.

Cheers,
Jane

------------------------------
Jane Curry
Skills 1st United Kingdom
jane.curry@skills-1st.co.uk
------------------------------
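
Added example, not part of the original thread and not Zenoss code: a stand-alone Python model of the mapping described above (eventClassKey, Rule and Regex must all match before the transform sets severity to 2), run over constructed summaries in the format of the zensendevent test. It illustrates the "isn't failsafe" caveat: the substring test '346/' also matches a Pid such as 1346, so an unrelated CPU alert is downgraded too. The Event class, rule_strict and the PID_346 pattern are assumptions made for illustration.

```python
import re

class Event:
    """Hypothetical stand-in for a Zenoss event (not the Zenoss class)."""
    def __init__(self, eventClassKey, summary, severity=5):
        self.eventClassKey = eventClassKey
        self.summary = summary
        self.severity = severity      # 5=Critical ... 2=Info, as in the post

KEY = "SYS-1-CPURISINGTHRESHOLD"
REGEX = re.compile(r"Threshold: Total CPU Utilization\(Total/Intr\):")

def rule_from_post(evt):
    # The Rule exactly as given in the post: a plain substring test.
    return evt.summary.find('346/') != -1

# Assumed stricter alternative: 346 must be a whole Pid, not the tail of one.
PID_346 = re.compile(r"(?<!\d)346/\d+%")

def rule_strict(evt):
    return PID_346.search(evt.summary) is not None

def apply_mapping(evt, rule):
    """Lower severity to Info (2) only if key, Rule and Regex all match."""
    if evt.eventClassKey == KEY and rule(evt) and REGEX.search(evt.summary):
        evt.severity = 2              # the transform from the post
    return evt.severity

def sample(top3, key=KEY):
    # Constructed summary in the format of the post's zensendevent test.
    return Event(key, "Threshold: Total CPU Utilization(Total/Intr): 89%/0% "
                      "Top 3 processes(Pid/Util): " + top3)

if __name__ == "__main__":
    cases = {
        "pid 346 first": "346/77%, 84/10%, 85/0%",
        "pid 346 last":  "84/10%, 85/0%, 346/5%",
        "pid 1346 only": "1346/77%, 84/10%, 85/0%",   # downgraded by the post's Rule
        "no pid 346":    "12/77%, 84/10%, 85/0%",
    }
    for name, top3 in cases.items():
        print("%-14s post rule -> %d   strict rule -> %d" % (
            name,
            apply_mapping(sample(top3), rule_from_post),
            apply_mapping(sample(top3), rule_strict)))
```

The negative lookbehind in PID_346 is a standard Python re feature, but check it against the Python version your Zenoss release ships before relying on a similar pattern in a real Rule.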

