Help with Event Listener Transform Script
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-28-2019 08:26 AM
/* Disclaimer -- I'm a scripting noob, so be gentle. 😉 */
I have events coming into em_event from Logicmonitor via an Event Listner (https:// <instance>.service-now.com/api/global/em/jsonv2). The events are coming over, but not being mapped to the table very well. I started working on a transform script, but the mappings don’t really seem to be working at all. The JSON payload looks like this (it is well formed and ingests properly into em_event without the script):
{ "records":
[
{
"source": "Logicmonitor",
"event_class": "##AGENT_DESCRIPTION##",
"node": "##HOST##",
"resource": "##DataSource##",
"metric_name": "##DPDESCRIPTION##",
"type": "##ALERTTYPE##",
"severity": "##LEVEL##",
"time_of_event": "##DATE##",
"description": "##MESSAGE##",
"additional_info":"{
'alertID': '##ALERTID##',
'alertStatus': '##ALERTSTATUS##',
'dataPoint': '##DATAPOINT##',
'dataSource': '##DataSource##',
'date': '##DATE##',
'dataSourceDescription': '##DSDESCRIPTION##',
'dataSourceInstanceDescription': '##DSIDESCRIPTION##',
'dataPointDescription': '##DPDESCRIPTION##',
'eventSource': '##EVENTSOURCE##',
'group': '##GROUP##',
'host': '##HOST##',
'hostname': '##HOSTNAME##',
'hostDescription': '##HOSTDESCRIPTION##',
'deviceURL': '##DEVICEURL##',
'instance': '##INSTANCE##',
'instanceGroup': '##INSTANCEGROUP##',
'level': '##LEVEL##',
'start': '##START##',
'startEpoch': '##STARTEPOCH##',
'duration': '##DURATION##',
'threshold': '##THRESHOLD##',
'value': '##VALUE##',
'agentID': '##AGENTID##',
'agentDescription': '##AGENT_DESCRIPTION##',
'backupAgentID': '##BACKUPAGENTID##',
'backupAgentDescription': '##BACKUPAGENT_DESCRIPTION##',
'externalTicketID': '##EXTERNALTICKETID##',
'end': '##END##',
'website': '##WEBSITE##',
'checkPoint': '##CHECKPOINT##',
'detail': '##DETAIL##',
'websiteDescription': '##WEBSITEDESCRIPTION##',
'websiteGroup': '##WEBSITEGROUP##',
'url': '##URL##',
'websiteRequest': '##WEBSITEREQUEST##',
'websiteResponse': '##WEBSITERESPONSE##',
'eventCode': '##EVENTCODE##',
'logFile': '##LOGFILE##',
'sourceName': '##SOURCENAME##',
'message': '##MESSAGE##',
'alertType': '##ALERTTYPE##'
}"
}
]
}
The items enclosed by double hashtags are tokens within Logicmonitor.
I've created a listener transform script based off the Azure event script and changed the event listener to https://<instance>.service-now.com/api/global/em/inbound_event?source=logicmonitor. The script is:
(function process(/*RESTAPIRequest*/ request, body) {
gs.info('inside em logicmonitor event processor, body: ' + body + ', headers: ' +
JSON.stringify(request.headers));
var requestBody = JSON.parse(body);
var extra_info = requestBody.additional_info;
var resolutionState = 'New';
var severity = "0";
try
{
severity = requestBody.severity;
if (severity == 'critical') {
severity = '1';
} else if(severity == "major") {
severity = "2";
} else if(severity == "minor") {
severity = "3";
} else if(severity == "warn") {
severity = "4";
} else if(severity == "info") {
severity = "5";
} else if(severity == "ok") {
severity = "0";
resolutionState = 'Closing';
}
//Create the new event record
var gr = new GlideRecord('em_event');
gr.initialize();
// Prepare additional_info JSON
var additional_info = JSON.parse(JSON.stringify(requestBody.additional_info));
additional_info['alertID'] = extra_info.alertID;
additional_info['alertStatus'] = extra_info.alertStatus;
additional_info['dataPoint'] = extra_info.dataPoint;
additional_info['dataSource'] = extra_info.dataSource;
additional_info['date'] = extra_info.date;
additional_info['dataSourceDescription'] = extra_info.dataSourceDescription;
additional_info['dataSourceInstanceDescription'] = extra_info.dataSourceInstanceDescription;
additional_info['dataPointDescription'] = extra_info.dataPointDescription;
additional_info['group'] = extra_info.group;
additional_info['host'] = extra_info.host;
additional_info['hostName'] = extra_info.hostName;
additional_info['hostDescription'] = extra_info.hostDescription;
additional_info['deviceURL'] = extra_info.deviceURL;
additional_info['instance'] = extra_info.instance;
additional_info['instanceGroup'] = extra_info.instanceGroup;
additional_info['level'] = extra_info.level;
additional_info['start'] = extra_info.start;
additional_info['startEpoch'] = extra_info.startEpoch;
additional_info['duration'] = extra_info.duration;
additional_info['threshold'] = extra_info.threshold;
additional_info['value'] = extra_info.value;
additional_info['agentID'] = extra_info.agentID;
additional_info['agentDescription'] = extra_info.agentDescription;
additional_info['backupAgentID'] = extra_info.backupAgentID;
additional_info['backupAgentDescription'] = extra_info.backupAgentDescription;
additional_info['externalTicketID'] = extra_info.externalTicketID;
additional_info['end'] = extra_info.end;
additional_info['website'] = extra_info.website;
additional_info['checkPoint'] = extra_info.checkPoint;
additional_info['detail'] = extra_info.detail;
additional_info['websiteDescription'] = extra_info.websiteDescription;
additional_info['websiteGroup'] = extra_info.websiteGroup;
additional_info['url'] = extra_info.url;
additional_info['websiteRequest'] = extra_info.websiteRequest;
additional_info['websiteResponse'] = extra_info.websiteResponse;
additional_info['eventCode'] = extra_info.eventCode;
additional_info['logFile'] = extra_info.logFile;
additional_info['sourceName'] = extra_info.sourceName;
additional_info['alertType'] = extra_info.alertType;
gr.additional_info = JSON.stringify(extra_info);
gr.event_class = requestBody.agentDescription;
gr.source = requestBody.source;
gr.node = requestBody.host;
gr.type = requestBody.type;
gr.metric_name = requestBody.metric_name;
gr.description = extra_info.message;
gr.time_of_event = requestBody.time_of_event;
gr.severity = severity;
gr.resource = requestBody.resource;
gr.resolution_state = resolutionState;
gr.insert();
}
catch(er){
gs.error(er);
status=500;
return er;
}
return "success";
})(request, body);
System Logs | All shows the JSON payload is making it completely, but there’s a syntax error related to JSON.parse that I haven’t been able to work through.
Am I doing something fundamentally wrong here? Anyone doing something similar successfully?
Thank in advance for any help or thoughts!
John
- Labels:
-
Event Management
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-28-2019 09:05 AM
Hi John - you might try removing the spaces from the addition_info construct
{ "records":
[
{
"source": "Logicmonitor",
"event_class": "##AGENT_DESCRIPTION##",
"node": "##HOST##",
"resource": "##DataSource##",
"metric_name": "##DPDESCRIPTION##",
"type": "##ALERTTYPE##",
"severity": "##LEVEL##",
"time_of_event": "##DATE##",
"description": "##MESSAGE##",
"additional_info":"{'alertID': '##ALERTID##', 'alertStatus': '##ALERTSTATUS##', 'dataPoint': '##DATAPOINT##', 'dataSource': '##DataSource##', 'date': '##DATE##', 'dataSourceDescription': '##DSDESCRIPTION##', 'dataSourceInstanceDescription': '##DSIDESCRIPTION##', 'dataPointDescription': '##DPDESCRIPTION##', 'eventSource': '##EVENTSOURCE##', 'group': '##GROUP##','host': '##HOST##', 'hostname': '##HOSTNAME##', 'hostDescription': '##HOSTDESCRIPTION##', 'deviceURL': '##DEVICEURL##', 'instance': '##INSTANCE##', 'instanceGroup': '##INSTANCEGROUP##', 'level': '##LEVEL##', 'start': '##START##', 'startEpoch': '##STARTEPOCH##','duration': '##DURATION##', 'threshold': '##THRESHOLD##', 'value': '##VALUE##', 'agentID': '##AGENTID##', 'agentDescription': '##AGENT_DESCRIPTION##', 'backupAgentID': '##BACKUPAGENTID##','backupAgentDescription': '##BACKUPAGENT_DESCRIPTION##','externalTicketID': '##EXTERNALTICKETID##','end': '##END##', 'website': '##WEBSITE##','checkPoint': '##CHECKPOINT##','detail': '##DETAIL##','websiteDescription': '##WEBSITEDESCRIPTION##','websiteGroup': '##WEBSITEGROUP##','url': '##URL##','websiteRequest': '##WEBSITEREQUEST##','websiteResponse': '##WEBSITERESPONSE##','eventCode': '##EVENTCODE##','logFile': '##LOGFILE##','sourceName': '##SOURCENAME##','message': '##MESSAGE##','alertType': '##ALERTTYPE##'}"
}
]
}
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-28-2019 12:03 PM
I'm willing to give that a try, but that format is in compliance with the examples in the SN documentation and it's being ingested into the em_event table without errors.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-28-2019 10:59 AM
John,
Have you checked to make sure there are no single or double quotes inside the strings that replace the ##data## elements?
Any chance you can post one of the events that are created in the em_event table without the script?
One other thing to look at is using Postman to push in a super-simplified event (single words for each field) that meets the minimum requirements for your code to run through. This will help you to see if the code is hiccupping on the data, or just errors in your code (doubtful). Then you can start replacing the simple data with the real data, field by field, to find what breaks it.
Steve
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-28-2019 12:02 PM
Here's a SN log entry from the script:
inside em logicmonitor event processor, body: { "records": [ { "source": "Logicmonitor", "event_class": "REDACTED", "node": "REDACTED", "resource": "SSL encrypted http page load time", "metric_name": "", "type": "alert", "severity": "warn", "time_of_event": "2019-01-27 21:28:05 CST", "additional_info":"{ 'alertID': 'LMD1121312', 'alertStatus': 'active', 'dataPoint': 'ResponseTime', 'dataSource': 'HTTPS-443', 'date': '2019-01-27 21:28:05 CST', 'dataSourceDescription': 'SSL encrypted http page load time', 'dataSourceInstanceDescription': '', 'dataPointDescription': '', 'eventSource': '', 'group': 'Devices by Type\/Infosec Devices, Sourcefire\/CSC, Devices by Type\/Linux Servers', 'host': 'REDACTED', 'hostname': 'REDACTED', 'hostDescription': '', 'deviceURL': 'https:\/\/REDACTED.com\/santaba\/uiv3\/device\/index.jsp#tree\/-d-3882', 'instance': '443', 'instanceGroup': '', 'level': 'warn', 'start': '2019-01-27 21:27:16 CST', 'startEpoch': '1548646036000', 'duration': '0h 0m', 'threshold': '> 550', 'value': '555.0', 'agentID': '4', 'agentDescription': 'REDACTED', 'backupAgentID': '0', 'backupAgentDescription': 'none', 'externalTicketID': '0', 'end': '', 'website': '', 'checkPoint': '', 'detail': '', 'websiteDescription': '', 'websiteGroup': '', 'url': '', 'websiteRequest': '', 'websiteResponse': '', 'eventCode': '', 'logFile': '', 'sourceName': '', 'message': 'LMD1121312 warn - REDACTED HTTPS-443 ResponseTime\nThe SSL page on REDACTED is taking 555.0 ms to respond. This puts the host in warn state, as it is longer than the threshold of > 550\nThis has been going on since 2019-01-27 21:27:16 CST - or 0h 0m ago.\r\n\r\nThis alert matches the rule Warning\nAlert now is going to stage 1 recipients: REDACTED(HTTP POST to ServiceNow)', 'alertType': 'alert' }" } ] }, headers: {"authorization":"Basic REDACTED","content-length":"1957","post":"POST","x-forwarded-proto":"https","x-forwarded-host":"REDACTED.com","host":".com","content-type":"application/json; charset=UTF-8","connection":"Keep-Alive","x-forwarded-for":"hrb.service-now","accept-encoding":"gzip","accept":"application/json","user-agent":"okhttp/3.9.1"}