Help! struggling to resolve alerts based on custom email integration rule

(Mohsin Patel) #1

Hi

I've been struggling for many hours now in trying to set up custom rules for emails coming in from Oracle OEM.

A trigger email subject would look like this:
EM Event: Critical:DW21 - Tablespace [TS_IDX_PRESENTATION] is [95.005 percent] full
or
EM Event: Warning:DW21 - Tablespace [TS_IDX_PRESENTATION] is [90.010 percent] full

A clear email subject would look like this:
EM Event: Clear:DW21 - Tablespace [TS_IDX_PRESENTATION] is [65.005 percent] full

The part above in bold is the key I am using to dedupe, as this is what would uniquely identify a particular tablespace on a particular database. The DW21 part is variable, and the TS_IDX_PRESENTATION part is also variable.

Here are my trigger and resolve rules:

Trigger an alert if any of the following conditions apply
The email subject contains "Warning"
The email subject contains "Critical"
Deduplicate based on the alert key found by matching the regular expression /(\w{3,8}.-.Tablespace.[\w{1,30}])/ against the email subject
Resolve an alert if any of the following conditions apply
The email subject contains "Clear"
Deduplicate based on the alert key found by matching the regular expression /(\w{3,8}.-.Tablespace.[\w{1,30}])/ against the email subject

For some reason it just won't match the clear with the triggered alert. Please help!! Am I doing something obvious that's wrong?


(Demitri Morgan) #2

Hi Mohsin,

A few things:

Firstly, I presume that in your regular expression the square brackets are actually escaped (prefixed with backslashes), and they’re not showing up in your post because of Markdown rendering? (Square brackets are regex metacharacters, as I’m sure you’re aware.)

Secondly, you don’t have slashes in the actual input on the email management rules page, correct? The boundary characters are not necessary; the content should just be the expression itself to use for matching.

With those two things in consideration (the regex looks fine otherwise), I tried it in my own account and the deduplication key was properly extracted. I was thus able to open and resolve incidents with emails having the subjects as provided here.

In both the trigger and resolve rules for regex to match against the subject, I used (verbatim):

(\w{3,8}.-.Tablespace.\[\w{1,30}\])
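The key extraction discussed above, as an added example that is not part of the original posts: it runs the escaped pattern and the unescaped form shown in the first post against the three quoted subjects. It uses Go's `regexp` package, which implements RE2 syntax; that PagerDuty's rule field behaves identically is an assumption, and `dedupKey` is a hypothetical helper name.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern as posted in the reply (brackets escaped) and as it rendered in
// the first post (backslashes missing, so [...] becomes a character class).
const (
	escaped   = `(\w{3,8}.-.Tablespace.\[\w{1,30}\])`
	unescaped = `(\w{3,8}.-.Tablespace.[\w{1,30}])`
)

// Subjects quoted in the thread: two triggers and one clear.
var subjects = []string{
	"EM Event: Critical:DW21 - Tablespace [TS_IDX_PRESENTATION] is [95.005 percent] full",
	"EM Event: Warning:DW21 - Tablespace [TS_IDX_PRESENTATION] is [90.010 percent] full",
	"EM Event: Clear:DW21 - Tablespace [TS_IDX_PRESENTATION] is [65.005 percent] full",
}

// dedupKey (hypothetical helper) returns capture group 1 of pattern in
// subject, or ok=false when the pattern does not match at all.
func dedupKey(pattern, subject string) (key string, ok bool) {
	m := regexp.MustCompile(pattern).FindStringSubmatch(subject)
	if m == nil {
		return "", false
	}
	return m[1], true
}

func main() {
	for _, s := range subjects {
		k1, ok1 := dedupKey(escaped, s)
		_, ok2 := dedupKey(unescaped, s)
		// Trigger and clear must yield the same key for the resolve to pair up.
		fmt.Printf("escaped: %q (%v)  unescaped matched: %v\n", k1, ok1, ok2)
	}
}
```

All three subjects produce the same key with the escaped pattern, while the unescaped form matches none of them because `[\w{1,30}]` is read as a single-character class that cannot match the literal `[`.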

(Mohsin Patel) #3

Hi Demitri,

Thanks for your response. Just by you saying that the same regex worked for you got me thinking, and I have now managed to resolve the issue.

Basically, I didn't include a key piece of information in my original post, which is that I have multiple rules. I had incorrectly set up two clear rules (for different types of subject headers); however, I had set them both up to just check for email subject of ‘Clear’. Therefore only my first clear rule was being activated.

I have now changed all my conditions to regex with more detail and it's all working!

Thanks for your help.

Mohsin


(David Koosis) #4

PagerDuty interface is inconsistent on how regex gets entered into forms, I think…

For Event Rules, matching, do you just enter the (capture group) or the /regex/ with slashes?

Can you add an /i flag to a regex to ignore case?

Is “contains” case sensitive or insensitive?

Thanks!


(Malcolm Konner) #5

Hi David,

I’m going to assume that you’re trying to set up an account-wide Global Event Rule, whose interface is a bit more complicated than integration-level Email Management Rules’ interface due to being a bit more complicated a feature. They do both, however, use the same RE2 regex syntax.

The capture group should have parentheses in the regex. If the capture group itself already has parentheses, you would want to use a backslash (\) at the beginning like you suggested; the backslash is an escape character that tells PagerDuty “the following character should be treated as text.”

The regex is case sensitive; I would recommend using a pipe (|) to capture different upper/lowercase strings.

Would you mind giving me an example of a capture group you’re trying to use in your Event Rules? I’d like to test it myself if it’s not working and provide further feedback.

Our KB article on Email Management: Filters and Rules may actually be a good reference point for setting up the regex needed for your global event rule. Particularly the two sections below relevant to the questions you had:


Thank you,
Malcolm


(David Koosis) #7

In the Global Event Rules area, if I want to match in incoming email body, which would I put in the field…

If body matches regex:

  1. /Error|error|ERROR|Warning|warning|WARNING/
  2. (Error|error|ERROR|Warning|warning|WARNING)
  3. Error|error|ERROR|Warning|warning|WARNING
  4. /error|warning/i

ALSO is “contains” case sensitive?

Thanks


(Malcolm Konner) #8

Hi David,

Sorry, I think I could have been more clear in my last response! In order to use regex in your conditions, you would actually have to set the condition to apply to your Message Body along with either of the regex options matches regex or does not match regex. You can then set the field to either (?i)(error|warning) or (Error|ERROR|error|Warning|warning|WARNING) for the examples you provided.

The contains option will not abide by regex rules placed like the above. You would need to just enter the plain text with the appropriate capitalization for each rule. So that would require multiple conditions applying to your message body and containing: Error and then containing: ERROR, and so on. For this rule, I would recommend using a regex option as it may allow you to keep your rules more simple.

I hope this helps!

Sincerely,
Malcolm
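The candidate field values from this exchange compared side by side, as an added example that is not part of the original posts. It compiles each value as-is with Go's `regexp` package (RE2 syntax); the message bodies are constructed samples, `matchedBodies` is a hypothetical helper, and that PagerDuty's field treats the input the same way is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
)

// Field values taken from the thread, passed to the RE2 engine unchanged.
var candidates = []string{
	`/error|warning/i`,                          // slash-delimited with trailing flag
	`Error|error|ERROR|Warning|warning|WARNING`, // explicit case alternation
	`(?i)(error|warning)`,                       // inline case-insensitive flag
}

// Constructed sample message bodies (not from the thread).
var bodies = []string{
	"Disk ERROR on host db01",
	"warning: tablespace nearly full",
	"Backup finished with ErRoR code 3",
	"All checks passed",
}

// matchedBodies (hypothetical helper) reports, per sample body, whether
// the pattern matches anywhere in it.
func matchedBodies(pattern string) []bool {
	re := regexp.MustCompile(pattern)
	out := make([]bool, len(bodies))
	for i, b := range bodies {
		out[i] = re.MatchString(b)
	}
	return out
}

func main() {
	for _, p := range candidates {
		fmt.Printf("%-44s %v\n", p, matchedBodies(p))
	}
}
```

In RE2 syntax the slashes and trailing `i` are literal characters, so the first value matches none of the samples; the explicit alternation misses the mixed-case `ErRoR`, which only the `(?i)` form catches.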

