Transforms - Escalate by Count

From Zenoss Wiki

Warning: Making external calls in event transforms (e.g. the calls in this example to zep.getEventSummaries) can have a very significant negative impact on your event throughput. Such calls should be avoided to the extent possible.

The following transform will escalate an event's severity to critical if it has occurred more than three times in a row without clearing.

This example is nearly twice as long as it would ordinarily need to be because it is compatible with both Zenoss 3 and Zenoss 4. The event management system, and therefore the way we look up the current count for the incoming event, changed drastically between these versions.

# Initialize existing_count.
existing_count = 0
 
# Prefix for fingerprint (dedupid).
dedupfields = [evt.device, evt.component, evt.eventClass]
 
if 'getFacade' in globals() and getFacade('zep'):
    # Zenoss >=4 method.
    if getattr(evt, 'eventKey', False):
        dedupfields += [evt.eventKey, evt.severity]
    else:
        dedupfields += [evt.severity, evt.summary]
 
    zep = getFacade('zep')
    evt_filter = zep.createEventFilter(
        status=(0,1,2),
        fingerprint='|'.join(map(str, dedupfields)))
 
    summaries = zep.getEventSummaries(0, 1, filter=evt_filter)
    if summaries['total']:
        existing_count = list(summaries['events'])[0]['count']
else:
    # Zenoss <4 method.
    if getattr(evt, 'eventKey', False):
        dedupfields += [evt.eventKey, evt.severity]
    else:
        dedupfields += [evt.eventKey, evt.severity, evt.summary]
 
    em = dmd.Events.getEventManager()
    em.cleanCache()
    try:
        db_evt = em.getEventDetail(dedupid='|'.join(map(str, dedupfields)))
        existing_count = db_evt.count
    except Exception:
        pass
 
# Do what you like with the count and event;
# In this example we up the severity to CRITICAL if the count is > 3
if existing_count > 3:
    evt.severity = 5
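
To check the fingerprint and threshold logic outside Zenoss, the Zenoss >=4 branch can be run against stand-in objects. This is an added example, not part of the original wiki page: FakeEvent, FakeZep, escalate and run_case are hypothetical names, the device and event data are constructed, and the fake facade only imitates the two zep calls used above while counting one lookup per event.

```python
# Added example: offline harness for the Zenoss >=4 branch of the transform.
# FakeEvent, FakeZep and escalate() are stand-ins written for this example;
# only createEventFilter/getEventSummaries mirror calls made on this page.

class FakeEvent(object):
    def __init__(self, device, component, eventClass, severity, summary, eventKey=''):
        self.device, self.component, self.eventClass = device, component, eventClass
        self.severity, self.summary, self.eventKey = severity, summary, eventKey

class FakeZep(object):
    """Holds constructed {fingerprint: count} data and counts lookups."""
    def __init__(self, counts):
        self.counts = counts
        self.calls = 0

    def createEventFilter(self, status, fingerprint):
        return {'status': status, 'fingerprint': fingerprint}

    def getEventSummaries(self, offset, limit, filter=None):
        self.calls += 1
        count = self.counts.get(filter['fingerprint'])
        events = [{'count': count}] if count is not None else []
        return {'total': len(events), 'events': iter(events)}

def escalate(evt, zep, threshold=3):
    """Same logic as the Zenoss >=4 branch, with zep passed in."""
    dedupfields = [evt.device, evt.component, evt.eventClass]
    if getattr(evt, 'eventKey', False):
        dedupfields += [evt.eventKey, evt.severity]
    else:
        dedupfields += [evt.severity, evt.summary]
    fingerprint = '|'.join(map(str, dedupfields))
    evt_filter = zep.createEventFilter(status=(0, 1, 2), fingerprint=fingerprint)
    summaries = zep.getEventSummaries(0, 1, filter=evt_filter)
    existing_count = 0
    if summaries['total']:
        existing_count = list(summaries['events'])[0]['count']
    if existing_count > threshold:
        evt.severity = 5
    return fingerprint

def run_case(count, eventKey=''):
    # Constructed sample event; count=None means no matching open event.
    evt = FakeEvent('web01', 'eth0', '/Net/Link', 3, 'link down', eventKey)
    key_part = [eventKey, 3] if eventKey else [3, 'link down']
    fp = '|'.join(map(str, ['web01', 'eth0', '/Net/Link'] + key_part))
    zep = FakeZep({fp: count} if count is not None else {})
    return escalate(evt, zep), evt.severity, zep.calls
```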