[Check_mk (english)] Event Console: cancelling Events

Hi,

While working with Event Console rules I have now the following situation:

Rule:
* Text to match: "Alert bigloss is active for (.*)"
* Text to cancel event: "Alert noloss is active for .*"

An event arrives:
"Feb 12 05:20:00 monserver1 smokeping[19631]: Alert bigloss is active for
Server1"
-> Rule matches, event is created

A second event arrives:
"Feb 12 05:25:00 monserver1 smokeping[19631]: Alert bigloss is active for
Server2"
-> Rule matches, event is updated with a second entry

Now, a third event arrives:
"Feb 12 05:40:00 monserver1 smokeping[19631]: Alert noloss is active for
Server1"
-> Rule matches and finds the text to cancel the event. But now both events
are canceled and not only the one for "Server1"

How can I make a rule, which just cancels the event corresponding to the exact
line?
I think it should be something like: Text to cancel event: "Alert noloss is
active for \1"
Is this possible?

Cheers,
Tobias

Hi Tobias,

Hi,

While working with Event Console rules I have now the following situation:

Rule:
* Text to match: "Alert bigloss is active for (.*)"
* Text to cancel event: "Alert noloss is active for .*"

You need to bracket the (.*) also here!
* Text to cancel event: "Alert noloss is active for (.*)"

The way the Event Console can match both events!