Hello All,
This is a question about Event Management rules. I am trying to understand if it is possible to make changes to event management rules using XML export and import?
I have written a lot of very specific rules to map event severities based on which customer or type or source the alert came from. Similarly, I change message_key based on various other details in additional_info, so was wondering if I can export XML of event rules (after applying a filter) and then do a search / replace for values and then import the XML file back in.
So far, I haven't been successful, because when I export a rule.. the XML of it shows me event filter part of the rule but doesn't show me the transform / compose part of the rule. At least that is my current conclusion. Or the code is there but I am not seeing it.
For example - if I export the Nagios - IIS rule, I can see the event filter to match , as below.
<?xml version="1.0" encoding="UTF-8"?>
<unload unload_date="2018-03-13 13:40:20">
<em_match_rule action="INSERT_OR_UPDATE">
<active>true</active>
<additional_info_filter>{"conditions":[]}</additional_info_filter>
<bind>true</bind>
<bind_type>2</bind_type>
<ci_type>cmdb_ci_microsoft_iis_web_server</ci_type>
<close_alert_freq>1</close_alert_freq>
<close_alert_int>120</close_alert_int>
<close_alert_op/>
<close_alert_value/>
<create_alert_freq>1</create_alert_freq>
<create_alert_int>120</create_alert_int>
<create_alert_op>NULL</create_alert_op>
<create_alert_value/>
<description/>
<event_class>Nagios</event_class>
<event_data>{"additionalInfoFields":[{"name":"UTC_TimeOfEvent","value":"2017-01-23 09:40:33","simpleMode":"","label":"UTC_TimeOfEvent","mapping":[],"regex":""},{"name":"instance_id","value":"v-w2k12-crm.qa.test","simpleMode":"","label":"instance_id","mapping":[],"regex":""},{"name":"name","value":"IIS Web Server","simpleMode":"","label":"name","mapping":[],"regex":""}],"rawFields":[{"name":"description","value":"connect to address v-w2k12-crm.qa.test and port 12489: Connection refused","simpleMode":"","label":"Description","mapping":[],"regex":""},{"name":"node","value":"v-w2k12-crm.qa.test","simpleMode":"disabled","label":"Node","mapping":[{"fieldToMap":{"name":"server_name","label":"server_name"},"start":0,"end":10}],"regex":"([^\\.]*)\\..*"},{"name":"type","value":"IIS Web Server","simpleMode":"","label":"Type","mapping":[],"regex":""},{"name":"resource","value":"","simpleMode":"","label":"Resource","mapping":[],"regex":""},{"name":"message_key","value":"v-w2k12-crm.qa.test_IIS Web Server","simpleMode":"","label":"Message key","mapping":[],"regex":""},{"name":"severity","value":"1","simpleMode":"","label":"Severity","mapping":[],"regex":""},{"name":"metric_name","value":"IIS Web Server","simpleMode":"","label":"Metric Name","mapping":[],"regex":""},{"name":"event_class","value":"NagiosXI","simpleMode":"","label":"Source instance","mapping":[],"regex":""},{"name":"source","value":"Nagios","simpleMode":"","label":"Source","mapping":[],"regex":""},{"name":"resolution_state","value":"New","simpleMode":"","label":"Resolution state","mapping":[],"regex":""},{"name":"ci_type","value":"","simpleMode":"","label":"CI type","mapping":[],"regex":""}],"hasChanged":true,"expressions":[{"name":"server_name","value":"v-w2k12-crm","label":"server_name","mapping":[]}]}</event_data>
<filter table="em_event">type=IIS Web Server^nodeMATCH_RGX([^^\.]*)\..*^EQ<item goto="false" or="false" field="type" endquery="false" value="IIS Web Server" operator="=" newquery="false"/>
<item goto="false" or="false" field="node" endquery="false" value="([^\.]*)\..*" operator="MATCH_RGX" newquery="false"/>
<item goto="false" or="false" field="" endquery="true" value="" operator="=" newquery="false"/>
</filter>
<identification_rules>[]</identification_rules>
<ignore_event>false</ignore_event>
<metric/>
<name>Nagios - IIS</name>
<order>100</order>
<rule_mapping_counter>0</rule_mapping_counter>
<rule_version>jakarta</rule_version>
<simple_filter>{"compound_type":"or","subpredicates":[{"compound_type":"and","subpredicates":[{"subpredicates":[{"field":{"name":"type","value":"IIS Web Server","choices":[],"label":"Type"},"fieldType":"string","operator":{"name":"=","editor":"field","advancedEditor":"string","label":"is"}},{"field":{"name":"node","value":"([^^\\.]*)\\..*","choices":[],"label":"Node"},"fieldType":"string","operator":{"name":"MATCH_RGX","editor":"string","advancedEditor":"string","label":"matches regex"}}],"compound_type":"and"}]}]}</simple_filter>
<sys_created_by>admin</sys_created_by>
<sys_created_on>2017-01-25 09:23:20</sys_created_on>
<sys_domain>global</sys_domain>
<sys_domain_path>/</sys_domain_path>
<sys_id>7104ced193203200c7a7b67a357ffb38</sys_id>
<sys_mod_count>3</sys_mod_count>
<sys_overrides display_value=""/>
<sys_updated_by>admin</sys_updated_by>
<sys_updated_on>2017-01-25 14:48:15</sys_updated_on>
<table>em_event</table>
<threshold>false</threshold>
<threshold_alert_template display_value=""/>
<transform>true</transform>
</em_match_rule>
</unload>I am not seeing the following XML for the following screen -
Can someone please point me in the right direction here?
Not a critical issue but it is tedious to manually go into each event rule via the designer and make changes one at a time. It would be nice to make changes based on search / replace at times, though I can see it could be dangerous, if errors are made.
Anyways.. let me know. Thanks! for reading.
Regards,
Dan
