Hi,
I have got a rule that matches in case a SNMP trap arrives with high CPU load. It works as expected.
The rule should cancel the warning state, if the other trap arrives with appropriate OID. Both traps are almost identical, OIDs are different of course. But the cancelling doesn’t work.
Let me show you how the rule is configured:
RuleID: nsCPULoad
Text to match: 5951.4.1.1.41.1.0: (\d+), .*.5951.4.1.10.2.1.0: (\d+),
Match syslog application (tag): 1.3.6.1.4.1.5951.1.1.0.51$
Syslog application to cancel event: 1.3.6.1.4.1.5951.1.1.0.52$
Rewrite message text: Average CPU load of \1% detected, threshold is \2%
2020-07-07 17:03:05,374 [20] [cmk.mkeventd.EventServer] found canceling event
2020-07-07 17:03:05,375 [20] [cmk.mkeventd.EventServer] matching groups:
{‘match_groups_message’: False,
‘match_groups_message_ok’: (u’28’, u’35’),
‘match_groups_syslog_application’: False,
‘match_groups_syslog_application_ok’: ()}
2020-07-07 17:03:05,375 [20] [cmk.mkeventd.EventServer] Rule ‘network01/nsCPULoad’ hit by message snmptrap/notice - ‘Uptime: 15 days, 16 hours, 43 min, 1.3.6.1.6.3.18.1.3.0: 0.0.0.0, 1.3.6.1.6.3.18.1.4.0: public, 1.3.6.1.6.3.1.1.4.3.0: 1.3.6.1.4.1.5951.1.1, 1.3.6.1.4.1.5951.4.1.1.41.1.0: 28, 1.3.6.1.4.1.5951.4.1.10.2.2.0: 35, 1.3.6.1.4.1.5951.4.1.1.2.0: 10.10.10.2’.
2020-07-07 17:03:05,375 [20] [cmk.mkeventd.EventStatus] Do not cancel event 15415: match group number 1 does not match (43 != 28)
A brief explanation:
43 is the CPU value of the warning event.
28 is the new value, which should cancel the warning.
35 is the threshold for normal CPU load.
I get both values from the text message to rewrite the text to a “understandable” one. And of course, the CPU values are different in this case, it is normal.
I have modified the text message by removing braces completely (no groups to use at all), but this makes the text message quite unreadable.
Any ideas, how to rewrite the text message using “variable” values and make the cancellation work?
