Rule Definition Action Clause
RULE <rule-name> {PRIMARY|SECONDARY} [DISABLED]
  [<initialization>]
  <record-clause>
  [ACTION [WHERE <action-where-clause>]
    [LOG { PROBLEM_SUMMARY
         | PROBLEM
         | EMS
         | AVAILABILITY <msg-number> ENTITY_NAME <entity-name> ENTITY_TYPE <entity-type>
             [SUBID1] [SUBID2] [PRIORITY n] [TIMEOUT <seconds>]
             [EVENT_TYPE { UP_EVENT | DOWN_EVENT }]
             [REVERSE_COND_TYPE { PAIR | OFF_EVENT_NUM }]
             [CONDITION_PAIR <pair-name>] [DESTINATION <node>]
         | FILE <file-name>
         | PROCESS <proc-name>
         | SNMPTRAP <msg_number> [VERSION {v1 | v2c | v3}] [HOST <host>] [PORT <port_no>]
             [COMMUNITY <string>] [AUTHPROTOCOL {MD5 | SHA}]
             [ENCRYPTION {DES | AES128 | AES192 | AES256 | 3DES} ]
         | TERMINAL <term-name>
         | <msg_number> }
      [PRIORITY { ERROR | WARNING | INFORMATION | CRITICAL}]
      [EVENTNUMBER <n>]
      [SUBJECT (<subject1>, <subject2>, ...)]
      [COLLECTOR <coll-name>]
      [EMSACTION] [EMSACTIONOFF]
      {IMMEDIATELY | WHEN_CLOSED} ]
    [EXEC [#<SERVER>] <n> [NODE <node-name>] [USER <password-key>]
      [ { IMMEDIATELY | WHEN_CLOSED | WAIT_WHEN_OFF
        | WAIT [ {AT | TIMEOUT | AT TIMEOUT} {<dd-mmm-yyyy hh:mm> | <mmm-dd-yyyy hh:mm>} ] }
      [OPER_ACK] [NOLOG] [SHELL_SHARING {ENABLED | DISABLED | DEFAULT}]
    [START RULE <rule-name>]
      [WAIT [ AT {<dd-mmm-yyyy hh:mm> | <mmm-dd-yyyy hh:mm>} ]
    [SET <identifier> := <expression>]
    [NEXT_RULE_STATE {OPEN | CLOSED} ]
  END_ACTION]
  [IF <action-where-clause> [LOG...] [EXEC...] [START RULE...] [SET...] [NEXT_RULE_STATE...] END_IF]
END_RULE
Syntax
ACTION | Indicates a set of actions to be taken when the rule triggers. There can be multiple Action blocks within a rule, and each Action block can contain a number of actions. The Action blocks are executed in the order that they appear in the rule. If you have three Action blocks (each with its own Where Clause), the first one will process, then the second, then the third. If the second one contains a NEXT_RULE_STATE CLOSED, and if that second action takes effect, the third action will not execute. Execution of all clauses in the Action block is dependent upon its Where Clause: the actions are executed only if the Where Clause is satisfied.
WHERE | An <action-where-clause> further narrows down the number of records that the contained actions will be performed on. For further details see the Where Clauses section.
Conventional field names are NOT allowed in an <action-where-clause>. Instead, only global variables, local variables, system variables, field variables and literals are accessible. The field variables can include values inherited from higher level rules. For example, if the record associated with the current rule is JOBS and the record associated with the higher level rule is CPU, then the field variables in this Where Clause can come from both the CPU and JOBS fields.
Extracting values from a string field using 'matches regex' and regular expressions is permitted in the <action-where-clause>. Up to 30 values can be extracted, which are placed into system variables named ^var01 through ^var30. For example:
    ACTION WHERE @event.text matches regex "(.*)Resource Name: (.*), Specific Problem: ([^,]*),(.*)"
        SET _Resource := ^var02
        SET _Problem := ^var03
    END_ACTION
In this example two regular expressions are used: ([^,]*), which means 'match anything except a comma (,)', and (.*), which means 'match anything'. See the Using Regular Expressions in a Where Clause section for further details.
When comparing timestamps in a <where-clause> or <action-where-clause>, there are some special considerations, especially when one of the timestamps has been stored in a global or local variable. For more information, see Use of Timestamps in Analyst Where Clauses.
LOG | Use this keyword to cause a message to be logged to one of a number of destinations.
PROBLEM_SUMMARY
PROBLEM
EMS
On HPE NonStop, an event will be logged to EMS with a subsystem owner=PRGNOSIS, subsystem name=PRGNOSIS (127) and subsystem-version=<prognosis-ver>. On Windows, an event will be logged to the Application event log with a source of 'Prognosis'.
AVAILABILITY
This logs to the Availability Collector, which is used to show the UP/DOWN state of monitored entities. Refer to Availability Monitoring. Using complex Analyst rules, entities can be monitored and the state can be shown in the Availability Monitoring feature of Prognosis.
<msg-number> - The number entered here corresponds to the number assigned to the text in the Analyst Rules Output. This message number must be less than 32000.
ENTITY_NAME <entity-name> - The entity name is any unique name up to 60 characters long.
ENTITY_TYPE <entity-type> - The AvMon entity target type; this can be a threshold or AvMon type (for available entities refer to Monitoring Existing AVMON Entities).
SUBID1 and SUBID2 - The SUBIDs of the entity. See Availability - Message Destinations Primary and Secondary SubID.
PRIORITY <n> - The Priority is an integer value specifying the process priority to trigger the up/down event. If two opposing events are trying to trigger an entity up/down, the Priority decides which one will be applied.
TIMEOUT <seconds> - The timeout integer followed by units (defaults to seconds). Unit types: DAYS, HRS, HOURS, MINS, MINUTES, SECS, SECONDS. See Setting a Threshold Initialization State and Timeout.
EVENT_TYPE - This specifies the new state of the entity; it can be either UP_EVENT or DOWN_EVENT and defaults to DOWN_EVENT.
REVERSE_COND_TYPE - If set to 'PAIR', then when this condition is stopped the pair will also stop (this is usually used if your pair is sending the down event to your up event). If set to 'OFF_EVENT_NUM', then when the specified event stops, a down event is sent.
CONDITION_PAIR <pair-name> - Sets which condition to use; <pair-name> can be anything as long as it is the same on the entity you wish to pair to. Only relevant if REVERSE_COND_TYPE is set to PAIR.
DESTINATION <node> - Specifies which node the entity will be triggered on.
FILE
PROCESS
SNMPTRAP
VERSION - Version of SNMP to send. Valid values are v1, v2c or v3.
HOST - Required. The node name to which the Traps will be delivered, entered as either a valid DNS name or an IP address.
PORT - Optional port number used to deliver the SNMP Trap; if not included, the default is 162.
COMMUNITY - (Applicable for SNMP v1 and v2c only) Optional community string; if not included, the default is 'public'.
AUTHPROTOCOL - (Applicable for SNMP v3 only) SNMP authentication protocol to use. Valid values are MD5 or SHA. Note that using MD5 is not FIPS compliant.
ENCRYPTION - (Applicable for SNMP v3 only) Encryption method to use. Valid values are DES, AES, AES128, AES192, AES256 or 3DES.
These SNMPTRAP settings can be included with the SNMPTRAP statement or they can be added as Global parameters in the Analyst Rule Configuration and Global Variables. However, if they are included in the SNMPTRAP statement, any Global parameters will be overwritten.
The SUBJECT statement can be used with the SNMPTRAP statement to add Variable Bindings, which allow logging to select a set of fields to be recorded when the SNMP Trap is sent out. The TRAP severity can be set by using the PRIORITY statement.
Notes for SNMP Usage:
1) Prior to version 11.1, Analysts could only send SNMP v1 Traps. Effective with version 11.1, Analysts can send v1, v2c or v3 Traps. However, if no SNMP options are entered, the default configuration remains as v1 sending to 127.0.0.1 (localhost) on port 162.
2) If FORCE-FIPS-ENCRYPTION is enabled in the NETWORK Configuration, then the following SNMP restrictions will apply:
3) SNMP v3 requires the applicable username and password to be added to the PASSWORDS Configuration on the server on which the Analyst runs. To do this the following entries are used:
    autoan:authentication:<ip-address>:<port>
Where <ip-address> is the server running SNMP v3 and <port> is the port used for SNMP access. Where applicable, separate PASSWORD Configuration entries are required for each SNMP v3 server. That is, a hierarchy of password entries is not supported.
TERMINAL
<msg_number>
PRIORITY
EVENTNUMBER <n>
SUBJECT
The SUBJECT statement can also be used with the EMS log type on HPE NonStop. Specifies a list of subjects to be included in the logged message. <subject> is specified in the form [<record-name>.]<field-name> (with no leading @). For example:
    SUBJECT (cpu.cpuno,cpu.busy)
These subjects will be logged as separate tokens in the resultant EMS event. <subject> must refer to a field in the record requested by the local rule. Only key fields are permitted in WHEN_CLOSED messages. No subjects are permitted in NOTEXIST rules.
COLLECTOR
EMSACTION
EMSACTIONOFF
IMMEDIATELY|WHEN_CLOSED
EXEC | Use this keyword to send a command to a Prognosis command server.
#<SERVER>
The command text is referenced by the <n> parameter that identifies the command text's ID in the MSG_TEXT section.
NODE <node-name>
USER <password_key>
IMMEDIATELY
WHEN_CLOSED
WAIT_WHEN_OFF
WAIT
OPER_ACK
Pre-packaging documents offer the following operator options for OPER_ACK:
NOLOG
SHELL_SHARING
START RULE | Calls the next level of problem solving. Specify the name of a Secondary rule that is to be invoked at this stage. You can use the same WAIT and WAIT AT options when starting Secondary rules as you can for the EXEC keyword.
SET | Use this keyword to set the value of a local or global variable.
<identifier>
<expression>
For NUMERIC variables, these contain an arithmetic expression consisting of numeric literals and/or local, global, field or system variables.
SET Functions
There are 2 functions that can be used within the <expression>;
NEXT_RULE_STATE | Indicates whether the current rule will be considered open or closed after this action is performed. When set to CLOSED, processing will drop out of this rule without executing any more statements. The default is OPEN, which has no effect.
IF | This is an alternative syntax for specifying an ACTION block. As the <action-where-clause> statement must be specified with the IF keyword, the WHERE option is not supported inside the IF/END_IF block. All other ACTION options (e.g. LOG, EXEC, START RULE, SET and NEXT_RULE_STATE) are valid and operate exactly the same way as when specified in an ACTION/END_ACTION block. Also note that the <action-where-clause> is not optional when the IF keyword is used.
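A static check for the SNMPTRAP settings described under LOG above, as an added example (not Prognosis code): it scans rule text for LOG SNMPTRAP statements and reports the v1 default, the default 'public' community, MD5 authentication and DES/3DES encryption. The function `audit_snmptrap`, the `global_opts` dictionary standing in for Global parameters, and the sample rule text are assumptions made for illustration; the keyword names and defaults come from this page.

```python
import re

# Keywords below come from the SNMPTRAP syntax on this page.
TRAP = re.compile(
    r"\bLOG\s+SNMPTRAP\s+(\d+)(.*?)\b(?:IMMEDIATELY|WHEN_CLOSED)\b", re.I | re.S)
OPT = re.compile(
    r'\b(VERSION|HOST|PORT|COMMUNITY|AUTHPROTOCOL|ENCRYPTION)\s+("[^"]*"|\S+)', re.I)

def audit_snmptrap(rule_text, global_opts=None):
    """Return [(msg_number, [findings])]; global_opts keys are upper-case keywords."""
    text = re.sub(r"(?m)^\s*!.*$", "", rule_text)   # drop whole-line ! comments
    report = []
    for msg, body in TRAP.findall(text):
        # Page default when no options are entered: v1 to 127.0.0.1 on port 162.
        opts = {"VERSION": "v1", "HOST": "127.0.0.1", "PORT": "162"}
        opts.update(global_opts or {})              # hypothetical Global parameters
        # Options given in the statement replace the Global parameters.
        opts.update({k.upper(): v.strip('"') for k, v in OPT.findall(body)})
        ver, out = opts["VERSION"].lower(), []
        if ver in ("v1", "v2c"):
            out.append(f"{ver}: no authentication or encryption of trap contents")
            if opts.get("COMMUNITY", "public") == "public":
                out.append("community string is the default 'public'")
        elif ver == "v3":
            auth = opts.get("AUTHPROTOCOL", "").upper()
            enc = opts.get("ENCRYPTION", "").upper()
            if not auth:
                out.append("v3 without AUTHPROTOCOL: confirm the effective value")
            elif auth == "MD5":
                out.append("AUTHPROTOCOL MD5 is not FIPS compliant; use SHA")
            if not enc:
                out.append("v3 without ENCRYPTION: confirm the effective value")
            elif enc in ("DES", "3DES"):
                out.append(f"ENCRYPTION {enc} is a legacy cipher; use AES")
        report.append((msg, out))
    return report

# Constructed sample rule text (not from the product or this page).
SAMPLE = '''
ACTION
  LOG SNMPTRAP 00310 PRIORITY WARNING IMMEDIATELY
  LOG SNMPTRAP 00311 VERSION v3 HOST 192.0.2.10 AUTHPROTOCOL MD5 ENCRYPTION DES IMMEDIATELY
  LOG SNMPTRAP 00312 VERSION v3 HOST 192.0.2.10 PORT 162 AUTHPROTOCOL SHA ENCRYPTION AES256 WHEN_CLOSED
END_ACTION
'''

if __name__ == "__main__":
    for msg, findings in audit_snmptrap(SAMPLE):
        print(msg, findings or "ok")
```

The first sample statement carries no SNMP options, so it is reported with the v1 and 'public' defaults that the notes above describe.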
Examples
Example 1
Use the MSG to concatenate a string longer than 240 characters
    SET _alrtst1 := subst("TRIG: ^srcnode Capacity Workload Alert CPU RunQ @_RunQue@ and is ABOVE the threshold value of @_P5100c_HiThr_g@.")
    SET _alrtst2 := subst("CPUQueue=@NTSYSTEM.PROCQUE@, Processes=@NTSYSTEM.NUMPROC@, Threads=@NTSYSTEM.NUMTHRD@, ContSwitch=@NTSYSTEM.CONTEXSW@, rSec=@NTSYSTEM.READOPS@, rMBSec=@NTSYSTEM.READMB@, wSec=@NTSYSTEM.WRITOPS@, wMBSec=@NTSYSTEM.WRITEMB@")
    SET _alrtst3 := subst("This field will be updated by output of S005_GETNTCPUDATA!")
    SET _alrtst4 := subst(".")
    SET _alrtst5 := subst("Triggered after 2 Occurrences in 5 minutes")
    SET _alrtst6 := subst("Capacity_Alert_ON Wintel_Alert")
    !THEN In the Message Section use the following to get a very long string.
    MSG 9111 "@_alrtst1@ @_alrtst2@ @_alrtst3@ @_alrtst4@ @_alrtst5@ @_alrtst6@"
Example 2
Numeric cast example using RegEx
    SECTION CONFIG
    ! Note Variables only have 8 significant characters and
    ! cannot be Greater than 23 characters.
    !Numeric Integers
    NUMERIC _g_year[0] := 0
    NUMERIC _g_mon[0] := 0
    NUMERIC _g_day[0] := 0
    NUMERIC _g_hour[0] := 0
    NUMERIC _g_min[0] := 0
    END_SECTION

    SECTION RULE_DEF
    RULE test PRIMARY
        STRING _MsgText
        STRING _HoldTime
        !Numeric Floats
        NUMERIC _year [4] := 0.0000
        NUMERIC _month [4] := 0.0000
        NUMERIC _day [4] := 0.0000
        NUMERIC _hour [4] := 0.0000
        NUMERIC _minute[4] := 0.0000
        RECORD PSTATUS WHERE PSTATUS.type = "PROMGR"
        REFRESH 10 seconds
        EVERY 10 MINUTES
        ACTION
            set _HoldTime := subst( "^currtime")
        END_ACTION
        ! ^var04, ^var06 and ^var08 hold the single separator characters and are not used.
        ACTION WHERE _HoldTime matches regex "(\d\d\d\d)(\d\d)(\d\d)(.)(\d\d)(.)(\d\d)(.)(\d\d)"
            SET _Year := ^var01
            SET _Month := ^var02
            SET _Day := ^var03
            SET _Hour := ^var05
            SET _Minute := ^var07
            SET _MsgText := subst( "@_Year@/@_Month@/@_Day@ @_Hour@:@_Minute@")
            LOG problem 00200 IMMEDIATELY
            SET _g_Year := _Year * 10000
            SET _g_mon := _Month * 10000
            SET _g_day := _Day * 10000
            SET _g_hour := _Hour * 10000
            SET _g_min := _Minute * 10000
        END_ACTION
        ACTION
            SET _MsgText := subst( "@_g_Year@/@_g_mon@/@_g_day@ @_g_hour@:@_g_min@")
            LOG problem_summary 00200 IMMEDIATELY
        END_ACTION
    END_RULE
    END_SECTION

    SECTION MSG_TEXT
    MSG 00200 "@_MsgText@"
    END_SECTION