ITOM Event Rules Regex for expressions

Go to solution
boey007
Kilo Contributor

‎04-22-2020 09:25 AM

Hello all,

I hope you can help me overcome something which in the face of it seems an trivial issue.

I am creating a new event rule from the 'create event rule' wizard  and in the transform section want to extract a value using regex to populate in my alert output. The source information is in the event input, additional information field.

My field content is

{"version":"0","id":"ae757f3a-1111-ddee-ac65-f7d2ea76ce2f","detail-type":"EC2 Instance State-change Notification","source":"aws.ec2","account":"675031479010","time":"2020-04-09T13:20:19Z","region":"us-east-1","resources":["arn:aws:ec2:us-east-1:435031421121:instance/i-04b42e0f4cssde3d2"],"detail":{"instance-id":"i-04b42e0f4c4dc5532","state":"running"}}

I want to extract the instance-id value from the content.

My Regex is

"instance\-id":"(.*)",

which verifies as correct on regex101 tester and returns the instance-id value in group1 which is assigned to the expression variable.

On testing the rule condition all that is returned is <<UNKNOWN>> which i understand to be a failure to get the information.

Thanks for any assistance in advance. 

Labels:
0 Helpfuls
  • 4,340 Views
1 ACCEPTED SOLUTION

Go to solution
patrickkenney
Kilo Expert

‎04-23-2020 07:33 AM

Thanks Ryan. I stand corrected.

 

Below is one way to get the result you are looking for.

 

While displaying an Event with the contents in the format you expect, select "Create Event Rule" in the upper right. This will open an Event Rule Wizard that keeps the event contents available to use. If you had properly formatted JSON in the Additional Information, those key value pairs will be listed as available variables under the Event Input section. Below is the result using your example

 

find_real_file.png 

 

The "detail" variable above is now available to be used in a regex. This can be done clicking on the variable and using the regex tool to highlight the data to extract. You can also create the regex on this screen as well.

find_real_file.png

 

When using this wizard I have found it neccessary to create "Null" variables to account for any globing that is needed.

 

The resulting regex can be viewed using the editing toggle "</>" in the upper right of this window. It will display the regex created from the highlighting.

find_real_file.png

Note - If you update the regex on this screen you will lose the ability to use the highlighting method.

The above results in a variable called instance_ID that can be used in your rule where needed. It will be displayed under the Expressions section with the result from the data used in the Event Rule creation

find_real_file.png

 

For testing I added the instance_ID to the description.

find_real_file.png

 

The resulting Alert when sending a new event that matches this rule displays the description field with the Instance ID in it.

 

find_real_file.png

 

View solution in original post

Preview file
5 KB
Preview file
17 KB
Preview file
23 KB
Preview file
5 KB
Preview file
44 KB
Preview file
18 KB
8 REPLIES 8

Go to solution
patrickkenney
Kilo Expert

‎04-22-2020 12:33 PM

The Additional Information field is not available to be parsed using an Event Rule. If the inbound event is properly formatted json then the Key Value pairs are available by referencing the name. In your example the value you are looking for is in the Key value pair:

"detail":{"instance-id":"i-04b42e0f4c4dc5532","state":"running"}

This Name is "detail" and the contents is another set of json fields"{"instance-id":"i-04b42e0f4c4dc5532","state":"running"}" 

I am not aware of a way to use an event rule to extract data contained within a key value pair in the Additional Information field. 

Are the events arriving via the standard Event Table API or a custom API? If they are using the standard Event API then you will need to address this on the sending end. If you are using a custom REST API then you can add code to parse the "detail" contents to populate the additional Information with standard json pairs that can be called in an Event Rule.

 

Go to solution
Ryan Zulli
ServiceNow Employee
ServiceNow Employee
In response to patrickkenney

‎04-23-2020 06:26 AM

I can confirm what patrick says above, we will split each of name/value pairs out as available attributes in the transform/compose section of an Event Rule.  I tested with the example you provided, and inside the event rule, details was split out with a value of {"instance-id":"i-04b42e0f4c4dc5532","state":"running"}

we can then use regex on this value :: 

.*instance-id=(.*),.*

which you can then use/assign to a field on the alert.

Hope this helps.

Thanks,

-Ryan

 

Go to solution
patrickkenney
Kilo Expert

‎04-23-2020 07:33 AM

Thanks Ryan. I stand corrected.

 

Below is one way to get the result you are looking for.

 

While displaying an Event with the contents in the format you expect, select "Create Event Rule" in the upper right. This will open an Event Rule Wizard that keeps the event contents available to use. If you had properly formatted JSON in the Additional Information, those key value pairs will be listed as available variables under the Event Input section. Below is the result using your example

 

find_real_file.png 

 

The "detail" variable above is now available to be used in a regex. This can be done clicking on the variable and using the regex tool to highlight the data to extract. You can also create the regex on this screen as well.

find_real_file.png

 

When using this wizard I have found it neccessary to create "Null" variables to account for any globing that is needed.

 

The resulting regex can be viewed using the editing toggle "</>" in the upper right of this window. It will display the regex created from the highlighting.

find_real_file.png

Note - If you update the regex on this screen you will lose the ability to use the highlighting method.

The above results in a variable called instance_ID that can be used in your rule where needed. It will be displayed under the Expressions section with the result from the data used in the Event Rule creation

find_real_file.png

 

For testing I added the instance_ID to the description.

find_real_file.png

 

The resulting Alert when sending a new event that matches this rule displays the description field with the Instance ID in it.

 

find_real_file.png

 

Preview file
5 KB
Preview file
17 KB
Preview file
23 KB
Preview file
5 KB
Preview file
44 KB
Preview file
18 KB

Go to solution
boey007
Kilo Contributor
In response to patrickkenney

‎04-23-2020 08:50 AM

Hi Patrick/Ryan,

Thanks for both your inputs. Happy to say I have resolved this now with assistance from both of you. 

Thanks to you both. Case solved.

Take Care

0 Helpfuls