• State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 40 subscribers
  • Views 511 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Custom alert variable with nested variable

MathieuJM

Hi,

We are trying to parse SNMP traps content within an alert to extract some usefull info for our alert.

our trap come from Oracle Cloud Control and looks like this:

ORACLE-ENTERPRISE-MANAGER-4-MIB:oraEMNGEvent : oraEMNGEventNotifType.1 = NOTIF_NORMAL, oraEMNGEventMessage.1 = This is a sample Event Message to test the SNMP ntofication delivery to the SNMP Manager. The contents of this messages are all sample data., oraEMNGEventMessageURL.1 = https://SampleEMTargetHost:15430/em/redirect?pageType=sdk-core-event-console-detailEvent&issueID=BFD22554A4E23C37E040E50ADDDE1D71, oraEMNGEventSeverity.1 = Critical, oraEMNGEventSeverityCode.1 = CRITICAL, oraEMNGEventRepeatCount.1 = 0, oraEMNGEventActionMsg.1 = This is a sample event action message for SNMP delivery testing., oraEMNGEventOccurrenceTime.1 = May 14, 2012 11:46:27 AM GMT, oraEMNGEventReportedTime.1 = May 14, 2012 11:46:27 AM GMT, oraEMNGEventCategories.1 = Capacity, Security, oraEMNGEventCategoryCodes.1 = Capacity, Security, oraEMNGEventType.1 = Metric Alert, oraEMNGEventName.1 = Program Resource Utilization:Program's Max CPU Utilization (%), oraEMNGAssocIncidentId.1 = , oraEMNGAssocIncidentOwner.1 = , oraEMNGAssocIncidentAcked.1 = No, oraEMNGAssocIncidentStatus.1 = , oraEMNGAssocIncidentPriority.1 = , oraEMNGAssocIncidentEscLevel.1 = , oraEMNGEventTargetName.1 = SampleEMTargetname, oraEMNGEventTargetNameURL.1 = https://SampleEMTargetHost:15430/em/redirect?pageType=TARGET_HOMEPAGE&targetName=SampleEMTargetHost&targetType=host, oraEMNGEventTargetType.1 = Host, oraEMNGEventHostName.1 = SampleEMTargetHost, oraEMNGEventTargetOwner.1 = sysman, oraEMNGEventTgtLifeCycleStatus.1 = Mission Critical, oraEMNGEventTargetVersion.1 = 10.2.0.1, oraEMNGEventUserDefinedTgtProp.1 = , oraEMNGEventSourceObjName.1 = , oraEMNGEventSourceObjNameURL.1 = , oraEMNGEventSourceObjType.1 = , oraEMNGEventSourceObjSubType.1 = , oraEMNGEventSourceObjOwner.1 = , oraEMNGEventCAJobName.1 = , oraEMNGEventCAJobStatus.1 = , oraEMNGEventCAJobOwner.1 = , oraEMNGEventCAJobStepOutput.1 = , oraEMNGEventCAJobType.1 = , oraEMNGEventRuleSetName.1 = sample_rule_set_name, oraEMNGEventRuleName.1 = sample_rule_set_name,dummy_rule_name, oraEMNGEventRuleOwner.1 = sample_rule_set_owner, oraEMNGEventSequenceId.1 = BFD22554A4E23C37E040E50ADDDE1D71, oraEMNGEventRCADetails.1 = , oraEMNGEventContextAttrs.1 = sample_ctx_1=strVal, sample_ctx_2=67891234567, oraEMNGEventUserComments.1 = , oraEMNGEventUpdates.1 = , oraEMNGEventTypeAttr1.1 = Metric GUID=C00480F615898D2FE040E50ADDDE395C, oraEMNGEventTypeAttr2.1 = Severity GUID=C00480F6158A8D2FE040E50ADDDE395C, oraEMNGEventTypeAttr3.1 = , oraEMNGEventTypeAttr4.1 = , oraEMNGEventTypeAttr5.1 = Metric Group=Program Resource Utilization, oraEMNGEventTypeAttr6.1 = Metric=Program's Max CPU Utilization (%), oraEMNGEventTypeAttr7.1 = Metric Description=Testing metric description, oraEMNGEventTypeAttr8.1 = Metric value=85, oraEMNGEventTypeAttr9.1 = Key Value=The keyValue, oraEMNGEventTypeAttr10.1 = Key Column 1=Program Name, oraEMNGEventTypeAttr11.1 = Key Column 1 Value=%, oraEMNGEventTypeAttr12.1 = Key Column 2=Owner, oraEMNGEventTypeAttr13.1 = Key Column 2 Value=%, oraEMNGEventTypeAttr14.1 = , oraEMNGEventTypeAttr15.1 = , oraEMNGEventTypeAttr16.1 = , oraEMNGEventTypeAttr17.1 = , oraEMNGEventTypeAttr18.1 = , oraEMNGEventTypeAttr19.1 = , oraEMNGEventTypeAttr20.1 = , oraEMNGEventTypeAttr21.1 = , oraEMNGEventTypeAttr22.1 = , oraEMNGEventTypeAttr23.1 = , oraEMNGEventTypeAttr24.1 = Number of keys=2, oraEMNGEventTypeAttr25.1 = , sysUpTime = 0,01 second, experimental.1057.1.0 = 192.168.0.92, snmpTrapEnterprise = ORACLE-ENTERPRISE-MANAGER-4-MIB:oraEM4Traps

Following different Thwack post we have tried the different variable to extract some content, the simplies ssems to be :

${N=SWQL;M=SELECT SUBSTRING('${N=OLM.AlertingMacros;M=OLMAlertMessage.EventMessage}',2,10) AS Message FROM Orion.Nodes n}

This kind of variable give use this output:

${N=SWQL;M=SELECT SUBSTRING('ORACLE-ENTERPRISE-MANAGER-4-MIB:oraEMNGEvent : oraEMNGEventNotifType.1 = NOTIF_NORMAL, oraEMNGEventMessage.1 = This is a sample Event Message to test the SNMP ntofication delivery to the SNMP Manager. The contents of this messages are all sample data., oraEMNGEventMessageURL.1 = https://SampleEMTargetHost:15430/em/redirect?pageType=sdk-core-event-console-detailEvent&issueID=BFD22554A4E23C37E040E50ADDDE1D71, oraEMNGEventSeverity.1 = Critical, oraEMNGEventSeverityCode.1 = CRITICAL, oraEMNGEventRepeatCount.1 = 0, oraEMNGEventActionMsg.1 = This is a sample event action message for SNMP delivery testing., oraEMNGEventOccurrenceTime.1 = May 14, 2012 11:46:27 AM GMT, oraEMNGEventReportedTime.1 = May 14, 2012 11:46:27 AM GMT, oraEMNGEventCategories.1 = Capacity, Security, oraEMNGEventCategoryCodes.1 = Capacity, Security, oraEMNGEventType.1 = Metric Alert, oraEMNGEventName.1 = Program Resource Utilization:Program's Max CPU Utilization (%), oraEMNGAssocIncidentId.1 = , oraEMNGAssocIncidentOwner.1 = , oraEMNGAssocIncidentAcked.1 = No, oraEMNGAssocIncidentStatus.1 = , oraEMNGAssocIncidentPriority.1 = , oraEMNGAssocIncidentEscLevel.1 = , oraEMNGEventTargetName.1 = SampleEMTargetname, oraEMNGEventTargetNameURL.1 = https://SampleEMTargetHost:15430/em/redirect?pageType=TARGET_HOMEPAGE&targetName=SampleEMTargetHost&targetType=host, oraEMNGEventTargetType.1 = Host, oraEMNGEventHostName.1 = SampleEMTargetHost, oraEMNGEventTargetOwner.1 = sysman, oraEMNGEventTgtLifeCycleStatus.1 = Mission Critical, oraEMNGEventTargetVersion.1 = 10.2.0.1, oraEMNGEventUserDefinedTgtProp.1 = , oraEMNGEventSourceObjName.1 = , oraEMNGEventSourceObjNameURL.1 = , oraEMNGEventSourceObjType.1 = , oraEMNGEventSourceObjSubType.1 = , oraEMNGEventSourceObjOwner.1 = , oraEMNGEventCAJobName.1 = , oraEMNGEventCAJobStatus.1 = , oraEMNGEventCAJobOwner.1 = , oraEMNGEventCAJobStepOutput.1 = , oraEMNGEventCAJobType.1 = , oraEMNGEventRuleSetName.1 = sample_rule_set_name, oraEMNGEventRuleName.1 = sample_rule_set_name,dummy_rule_name, oraEMNGEventRuleOwner.1 = sample_rule_set_owner, oraEMNGEventSequenceId.1 = BFD22554A4E23C37E040E50ADDDE1D71, oraEMNGEventRCADetails.1 = , oraEMNGEventContextAttrs.1 = sample_ctx_1=strVal, sample_ctx_2=67891234567, oraEMNGEventUserComments.1 = , oraEMNGEventUpdates.1 = , oraEMNGEventTypeAttr1.1 = Metric GUID=C00480F615898D2FE040E50ADDDE395C, oraEMNGEventTypeAttr2.1 = Severity GUID=C00480F6158A8D2FE040E50ADDDE395C, oraEMNGEventTypeAttr3.1 = , oraEMNGEventTypeAttr4.1 = , oraEMNGEventTypeAttr5.1 = Metric Group=Program Resource Utilization, oraEMNGEventTypeAttr6.1 = Metric=Program's Max CPU Utilization (%), oraEMNGEventTypeAttr7.1 = Metric Description=Testing metric description, oraEMNGEventTypeAttr8.1 = Metric value=85, oraEMNGEventTypeAttr9.1 = Key Value=The keyValue, oraEMNGEventTypeAttr10.1 = Key Column 1=Program Name, oraEMNGEventTypeAttr11.1 = Key Column 1 Value=%, oraEMNGEventTypeAttr12.1 = Key Column 2=Owner, oraEMNGEventTypeAttr13.1 = Key Column 2 Value=%, oraEMNGEventTypeAttr14.1 = , oraEMNGEventTypeAttr15.1 = , oraEMNGEventTypeAttr16.1 = , oraEMNGEventTypeAttr17.1 = , oraEMNGEventTypeAttr18.1 = , oraEMNGEventTypeAttr19.1 = , oraEMNGEventTypeAttr20.1 = , oraEMNGEventTypeAttr21.1 = , oraEMNGEventTypeAttr22.1 = , oraEMNGEventTypeAttr23.1 = , oraEMNGEventTypeAttr24.1 = Number of keys=2, oraEMNGEventTypeAttr25.1 = , sysUpTime = 0,01 second, experimental.1057.1.0 = 192.168.0.92, snmpTrapEnterprise = ORACLE-ENTERPRISE-MANAGER-4-MIB:oraEM4Traps',2,10) AS Message FROM Orion.Nodes n}

The nested variable itself is correctly converted however the main variable remain just as type initially 

${N=SWQL;M=SELECT '....',2,10) AS Message FROM Orion.Nodes n}

I have even tried with some more basic variable:

${N=SWQL;M=SELECT substring('${N=SwisEntity;M=Caption}',3,5)}

 and this give me simply

${N=SWQL;M=SELECT substring('myserverhostname',3,5)}

So that are there any requirement to be able to use nested variable in alerts ?

I have configured my variable in the body of an email and also in the alert message and none of them is working.

i can however used a simply swql and it works like

${N=SWQL;M=SELECT top 1 caption fron orion.nodes n}

 This give me correctly one caption.

Can anyone advice on this ? we definitively like to extract data from SNMP traps for our teams to have some meaningfull alerts.

Cheers

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.