User Guide

How To Modify Extracted Variables

This How-To is intended to help you create rules that modify extracted variables to simplify their usage by the Rule’s Actions.

Understanding the Use Case

We want to set the monitoring status of the windows_host Host as a reaction to a Tornado Event. To achieve this, we need to call the Icinga API using the very same hostname; however, in some cases the incoming events could contain the hostname in uppercase.

We can consider this Event as an example:

{
   "type":"snmptrapd",
   "created_ms":"1553765890000",
   "payload":{
      "protocol":"UDP",
      "src_ip":"127.0.1.1",
      "src_port":"41543",
      "dest_ip":"127.0.2.2",
      "hostname": "WINDOWS_HOST"
   }
}

In this case, to correctly match our Host when calling the Icinga API, we need to process the ${event.payload.hostname} value, transforming it before it is sent.

Creation of an extractor Rule

To achieve our objective we will use a WITH clause with some modifiers_post:

{
 "WITH": {
   "hostname": {
     "from": "${event.payload.hostname}",
     "regex": {
       "match": ".*",
       "group_match_idx": 0
     },
     "modifiers_post": [
       {
         "type": "Lowercase"
       }
     ]
   }
 }
}

This WITH clause creates an extracted variable hostname that:

- is initially populated with the string WINDOWS_HOST extracted from the payload;
- then has its value altered by the Lowercase modifier, which sets it to windows_host.

From this point, the lowercased variable can be used by the Rule’s action with the usual path expression ${_variables.hostname}.

So, the full rule could be:

{
  "name": "my_extractor",
  "description": "",
  "continue": true,
  "active": true,
  "constraint": {
    "WHERE": null,
    "WITH": {
      "hostname": {
        "from": "${event.payload.hostname}",
        "regex": {
          "match": ".*",
          "group_match_idx": 0
        },
        "modifiers_post": [
          {
            "type": "Lowercase"
          }
        ]
      }
    }
  },
  "actions": [
    {
      "id": "icinga2",
      "payload": {
        "icinga2_action_name": "process-check-result",
        "icinga2_action_payload": {
          "exit_status": "1",
          "plugin_output": "",
          "filter": "host.name==\"${_variables.hostname}\"",
          "type": "Host"
        }
      }
    }
  ]
}
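
To see what value reaches the Icinga filter, the following Python sketch models the flow described above: resolve the from path, apply the regex, run modifiers_post, then interpolate ${_variables.hostname}. It is an added example, not Tornado's own code; the function names are hypothetical, and returning None when an extractor fails is an assumption of this model.

```python
import re

# Constructed model of the rule's WITH clause and action filter from this page.
EVENT = {"type": "snmptrapd", "payload": {"hostname": "WINDOWS_HOST"}}
WITH = {"hostname": {"from": "${event.payload.hostname}",
                     "regex": {"match": ".*", "group_match_idx": 0},
                     "modifiers_post": [{"type": "Lowercase"}]}}
FILTER_TEMPLATE = 'host.name=="${_variables.hostname}"'

MODIFIERS = {"Lowercase": str.lower}  # only the modifier used on this page
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve(path, scope):
    """Walk a dotted path such as event.payload.hostname; None if missing."""
    node = scope
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def extract(with_clause, event):
    """Return the extracted variables, or None if any extractor fails (assumption)."""
    variables = {}
    for name, spec in with_clause.items():
        path = PLACEHOLDER.fullmatch(spec["from"]).group(1)
        source = resolve(path, {"event": event})
        found = re.search(spec["regex"]["match"], source) if isinstance(source, str) else None
        value = found.group(spec["regex"]["group_match_idx"]) if found else None
        if value is None:
            return None
        for modifier in spec.get("modifiers_post", []):
            value = MODIFIERS[modifier["type"]](value)
        variables[name] = value
    return variables


def render(template, variables):
    """Interpolate ${_variables.x} placeholders; KeyError on an unknown variable."""
    def lookup(match):
        value = resolve(match.group(1), {"_variables": variables})
        if value is None:
            raise KeyError(match.group(1))
        return value
    return PLACEHOLDER.sub(lookup, template)


if __name__ == "__main__":
    print(render(FILTER_TEMPLATE, extract(WITH, EVENT)))
```

Because the match pattern .* accepts any string, whatever the event carries is lowercased and placed in the filter. In this model, an anchored pattern such as ^[A-Za-z0-9_.-]+$ (an assumption, not from the page) makes extract return None for values outside that character set.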