Transforms - Escalate by Count in a Time Window

From Zenoss Wiki
This is the approved revision of this page, as well as being the most recent.
Jump to: navigation, search

The following example adds another wrinkle to the Transforms - Escalate by Count example. In this case we only want to escalate the severity of the event if the count has exceeded 3 within an hour.

dedupfields = [evt.device, evt.component, evt.eventClass]
 
if getattr(evt, 'eventKey', False):
    dedupfields += [evt.eventKey, evt.severity]
else:
    dedupfields += [evt.severity, evt.summary]
 
zep = getFacade('zep')
evt_filter = zep.createEventFilter(
    status=(0,1,2),
    fingerprint='|'.join(map(str, dedupfields)))
 
summaries = zep.getEventSummaries(0, limit=1, filter=evt_filter)
 
# Turn the events generator into a list. This consumes the generator so
# summaries['events'] will be empty after this.
events = list(summaries['events'])
 
if summaries['total']:
    import time
 
    existing_count = events[0]['count']
    first_time = events[0]['first_seen_time'] / 1000.0
 
    # Close the existing event if it was first seen more than an hour ago.
    if first_time < time.time() - 3600:
 
        # We close based on what amounts to the auto-clear fingerprint so that
        # the escalated and non-escalated events all get cleared.
        zep.closeEventSummaries(
            eventFilter=zep.createEventFilter(
                element_identifier=evt.device,
                element_sub_identifier=evt.component,
                event_class=evt.eventClass,
                event_key=evt.eventKey))
 
    # Otherwise, increase the severity to CRITICAL if the count is > 3
    elif existing_count > 3:
        evt.severity = 5