3998 Views 10 Replies Latest reply: Jun 25, 2012 1:52 PM by mikeC79 RSS
mikeC79 Rank: White Belt 42 posts since
Jun 25, 2012

Jun 25, 2012 11:11 AM

Help using a transform to ignore certain alerts.

I am receiving a repetitive alert from my Windows servers. It is an alert that is safe to ignore. I followed the following instructions to create a transform to drop the alert, but it is not working.

 

You can go into the device and set monitoring for that drive to false; however, the name of the disk changes and you get the same error back but with a different number next to Volume. To disregard these messages, go to Events -> Status (under SubClasses) -> Wmi (under SubClasses), then click the Cog in the bottom left of the screen and choose Transform.

In the Transform box add:

if evt.summary.startswith("Bad counter for device"):
    if "LogicalDisk" in evt.summary:
        evt._action = "drop"

 

Here is my code:

 

if evt.summary.startswith("The default transaction resource manager on volume"):
    evt._action = "drop"

 

Am I missing something?

  • dpetzel Rank: Brown Belt 1,141 posts since
    Oct 17, 2010
    1. Jun 25, 2012 11:46 AM (in response to mikeC79)
    Re: Help using a transform to ignore certain alerts.

    This looks valid on the surface. Can you send a screen shot of the actual event maybe?

     

    Also try clearing the event first (I seem to recall something funky with applying a transform when an event already is active).

     

    Additionally you can flip on debug logging in zenhub.log and wade through the mountains of info and maybe get some clues.

  • dpetzel Rank: Brown Belt 1,141 posts since
    Oct 17, 2010
    4. Jun 25, 2012 1:17 PM (in response to mikeC79)
    Re: Help using a transform to ignore certain alerts.

    This screen shot only shows the message, not the summary. Can you click the option to show details?

     

    As another test, maybe try keying off evt.message rather than summary. Summary will be more efficient so I'd stick with trying to get that to work, but testing with evt.message while debugging, based on your screen shot above, may yield some answers.

  • Rob Eagle Rank: Green Belt 155 posts since
    Feb 20, 2012
    5. Jun 25, 2012 1:32 PM (in response to dpetzel)
    Re: Help using a transform to ignore certain alerts.

    Mike,

    Looks like the event you posted doesn't have an event class associated with it (i.e. /unknown). You will first need to map this event to an event class, then put a transform in that class or drop that class's traffic, or if you mapped to the /IGNORE class it will be dropped by default.

    --Rob

  • dpetzel Rank: Brown Belt 1,141 posts since
    Oct 17, 2010
    8. Jun 25, 2012 1:44 PM (in response to mikeC79)
    Re: Help using a transform to ignore certain alerts.

    I missed the unknown class. I think Rob is on the right track. You can map it to /ignore by following: http://community.zenoss.org/docs/DOC-9437#d0e7141

     

    Once the message has a class, I think your transform will work just fine.

  • Rob Eagle Rank: Green Belt 155 posts since
    Feb 20, 2012
    9. Jun 25, 2012 1:44 PM (in response to mikeC79)
    Re: Help using a transform to ignore certain alerts.

    If you look at the event details and all the events have the same event class key, then once you map the first event to the /Ignore class, then all the new events with that same key will also be mapped there.

    To map an event, just select the event, then select the reclassify (looks like a flow chart/directory) button.

    --Rob
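
Added example, not part of the original thread and not Zenoss code: a simplified Python model of the behaviour the replies describe, where a transform placed on /Status/Wmi never sees an event that is still in /Unknown, and starts dropping it once the event class key is mapped. The `Event` class, `process` function, the key `sample_key`, the default action value and the sample summaries are assumptions constructed for illustration.

```python
# Simplified model of the behaviour described in the thread (not Zenoss code).
# Assumption: a class transform runs only for events classified into that
# class or one of its subclasses; unmapped events stay in /Unknown.

class Event:
    def __init__(self, summary, event_class="/Unknown", event_class_key=""):
        self.summary = summary
        self.eventClass = event_class
        self.eventClassKey = event_class_key
        self._action = "status"  # default in this model: keep the event

# Transform text as it would be pasted into the Transform box.
TRANSFORM = '''
if evt.summary.startswith("The default transaction resource manager on volume"):
    evt._action = "drop"
'''

def process(evt, transforms, mappings):
    """Classify evt by its class key, then run transforms of matching classes."""
    if evt.eventClass == "/Unknown" and evt.eventClassKey in mappings:
        evt.eventClass = mappings[evt.eventClassKey]
    for cls, source in transforms.items():
        # A transform applies to its own class and anything below it.
        if evt.eventClass == cls or evt.eventClass.startswith(cls + "/"):
            exec(source, {"evt": evt})
    return evt._action

def demo():
    # Constructed sample summaries, not copied from a real event.
    noisy = "The default transaction resource manager on volume X: (constructed)"
    other = "Bad counter for device (constructed)"
    transforms = {"/Status/Wmi": TRANSFORM}
    # 1. Unmapped event: stays in /Unknown, so the transform never runs.
    unmapped = process(Event(noisy, event_class_key="sample_key"), transforms, {})
    # 2. Same event once its key is mapped to the class holding the transform.
    mapped = process(Event(noisy, event_class_key="sample_key"), transforms,
                     {"sample_key": "/Status/Wmi"})
    # 3. A different event in the same class is untouched by the narrow match.
    kept = process(Event(other, "/Status/Wmi"), transforms, {})
    return unmapped, mapped, kept

if __name__ == "__main__":
    print(demo())
```

The third case is the one to check before suppressing anything: the `startswith` match should drop only the known-noisy summary and leave every other event in the class visible.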
