...
Code Block |
---|
'policy' => { '1' => { IF => 'node.customer eq "important"', THEN => { # a sub-policy '10' => { IF => 'node.roleType eq "core" and event.event =~ qr{Down}', THEN => ['log.disaster()', AND 'escalate.twentyfourseven()'], # the recommended format for specifying actions is a list BREAK => 'true' }, '20' => { IF => 'node.roleType eq "distribution" and event.event =~ qr{Down}', THEN => 'priority(+2) AND email(admin)', # do avoid this legacy single-string format! BREAK => 'false' }, BREAK => 'false' }, '2' => ... }, |
...
The IF expression is basically any arbitrary Perl expression, but tokens of the form event.<name>
, node.
name <name>
or node
macro.
name <name>
are substituted with the respective event or /node/macro property value. The special wildcards event.any
and node.any
are Macro properties are defined in the configuration file opCommon.nmis
in the section macro
.
The special wildcards event.any
and node.any
are replaced by a logical true value. Furthermore, tokens that match extdb.queryname.column
match enrich.<extdb>.<queryname>.<column>
will be substituted with the result of an external enrichment query. In opEvents 3 all Perl operators, parentheses and so on can be used in IF expressions.
If your IF expression does require text that could be misinterpreted as a substitution token (e.g. the "Nr.1"
in IF => 'event.details eq "NTP Server Nr.1"'
), then you should escape the dotted expression with a backslash (e.g. "NTP Server Nr\.1"
). Please note that in versions before 2.2.2, any misidentified unparseable tokens were flagged as errors and were not included in the final expression to be tested.In version 2.2 and newer, tokens of the form macro.macroname
are also substituted by the value of the named macro (which can be defined in the configuration file opCommon.nmis
in the section macro
NTP Server Nr\.1"
).
Please note that for maximum robustness you should express any regular expression in IFs as /regexp contents/
or qr{regexp contents
}, NOT as "regexp contents": the doublequoted variant only works for very simple patterns.
...
The THEN clause is executed if and only if the IF expression evaluates as true (ie. non-zero, non-blank, defined). The THEN clause contains either
- a nested sub-policy,
- or a list of one or more action invocations,
- or a single string that specifies any number of action invocations separated by the token "
AND
" (space, AND, space).
This legacy format should be avoided. Providing a list of actions is both more robust and faster.
The order of action invocations is relevant, but the token " AND
" is just a separator: all : A
ll given actions in a THEN
clause will be executed regardless of success or failure of prior ones.
All action invocations follow the same patterns: actionname(argument)
, actionname.subtype()
or actionname.subtype(argument)
. The Please note that the empty set of parentheses must not be omitted.
Policy evaluation starts at the outermost policy level, and proceeds in order of the numeric rule identifiers. All rules on the same nesting level are evaluated one after the other, unless a successful rule has its BREAK option set to true: in this case the rules after the successful one are skipped. No BREAK option present is interpreted as BREAK is false.
...