How To Modify Extracted Variables
This How-To is intended to help you create rules that modify extracted variables to simplify their usage by the Rule’s Actions.
Understanding the Use Case
We want to set the monitoring status of the windows_host Host as a reaction to a Tornado Event. To achieve this, we need to call the Icinga API using the very same hostname; however, in some cases, the incoming events could contain the hostname in uppercase.
Consider this Event as an example:
{
  "type": "snmptrapd",
  "created_ms": "1553765890000",
  "payload": {
    "protocol": "UDP",
    "src_ip": "127.0.1.1",
    "src_port": "41543",
    "dest_ip": "127.0.2.2",
    "hostname": "WINDOWS_HOST"
  }
}
In this case, to correctly match our Host when calling the Icinga API, we need to process the ${event.payload.hostname} value, transforming it before it is sent.
Creation of an extractor Rule
To achieve our objective we will use a WITH clause with some modifiers_post:
{
  "WITH": {
    "hostname": {
      "from": "${event.payload.hostname}",
      "regex": {
        "match": ".*",
        "group_match_idx": 0
      },
      "modifiers_post": [
        {
          "type": "Lowercase"
        }
      ]
    }
  }
}
This WITH clause creates an extracted variable hostname that:
- is initially populated with the string WINDOWS_HOST extracted from the payload;
- then has its value altered by the Lowercase modifier, which sets it to windows_host.
From this point, the lowercased variable can be used by the Rule’s action with the usual path expression ${_variables.hostname}.
So, the full rule could be:
{
  "name": "my_extractor",
  "description": "",
  "continue": true,
  "active": true,
  "constraint": {
    "WHERE": null,
    "WITH": {
      "hostname": {
        "from": "${event.payload.hostname}",
        "regex": {
          "match": ".*",
          "group_match_idx": 0
        },
        "modifiers_post": [
          {
            "type": "Lowercase"
          }
        ]
      }
    }
  },
  "actions": [
    {
      "id": "icinga2",
      "payload": {
        "icinga2_action_name": "process-check-result",
        "icinga2_action_payload": {
          "exit_status": "1",
          "plugin_output": "",
          "filter": "host.name==\"${_variables.hostname}\"",
          "type": "Host"
        }
      }
    }
  ]
}
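The extraction steps described above, modelled in Python as an added example (not Tornado's own code): it resolves the from path, applies the regex group and the Lowercase modifier, and renders the filter string from the rule's action. The STRICT clause is a hypothetical variant that is not on this page, and returning None on a failed match is an assumption of this model; it shows a value with unexpected characters being refused before it reaches the filter.

```python
import re

# Constructed sample: the Event shown on this page.
EVENT = {"type": "snmptrapd", "created_ms": "1553765890000",
         "payload": {"protocol": "UDP", "src_ip": "127.0.1.1", "src_port": "41543",
                     "dest_ip": "127.0.2.2", "hostname": "WINDOWS_HOST"}}

# The WITH clause from this page, as a Python dict.
WITH = {"hostname": {"from": "${event.payload.hostname}",
                     "regex": {"match": ".*", "group_match_idx": 0},
                     "modifiers_post": [{"type": "Lowercase"}]}}

# Hypothetical variant (not from the page): same clause, hostname characters only.
STRICT = {"hostname": dict(WITH["hostname"],
                           regex={"match": "^[A-Za-z0-9_.-]+$", "group_match_idx": 0})}

MODIFIERS = {"Lowercase": str.lower}  # only the modifier used on this page


def resolve(path, event):
    """Resolve a ${event.a.b} path expression against the event dict."""
    value = event
    for key in path[2:-1].split(".")[1:]:  # strip "${" "}", drop leading "event"
        value = value[key]
    return value


def extract(with_clause, event):
    """Return the extracted variables, or None if any regex fails to match."""
    variables = {}
    for name, spec in with_clause.items():
        found = re.search(spec["regex"]["match"], resolve(spec["from"], event))
        if found is None:
            return None  # assumption of this model: failed extraction, no variables
        value = found.group(spec["regex"]["group_match_idx"])
        for modifier in spec.get("modifiers_post", []):
            value = MODIFIERS[modifier["type"]](value)
        variables[name] = value
    return variables


def render_filter(variables):
    """Interpolate ${_variables.hostname} the way the rule's action filter does."""
    return 'host.name=="%s"' % variables["hostname"]


if __name__ == "__main__":
    print(render_filter(extract(WITH, EVENT)))
```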