Opsgenie has String Processing Methods available for pulling specific text out of an integration payload. This article will show two string processing method use cases for extracting text from two different integration types.
If a monitoring tool can send both alarm and recovery emails, Opsgenie can automatically close the alerts with some extra setup. This is mostly a two step process:
<Status Notification >
The device status is [No Paper]
<Node Information>
Name: office_printer
Model Name: Brother HL-L2380DW series
Location: Home Office
Contact: admin@home.farm
IP Address: 12.3.100.38
Device serial number: U63886451427
URL: http://12.3.100.38
Page Count: 353
Drum Count: 353
The <Status Notification>
is always at the top of the email, making it a good keyword for the create alert action in the email integration. For this example in the create alert action, we add a filter where Message Starts With '<Status Notification >':
<Status Notification>
is replaced by <Restoration Notification>
:
<Restoration Notification >
The [No Paper] problem was resolved
<Node Information>
Name: office_printer
Model Name: Brother HL-L2380DW series
Location: Home Office
Contact: admin@home.farm
IP Address: 12.3.100.38
Device serial number: U63886H7N451427
URL: http://12.3.100.38
Page Count: 353
Drum Count: 353
<Restoration Notification>
in this example for the email integration close alert action will work well. In the close alert action, we add a filter where Message Starts With '<Restoration Notification >':<Restoration Notification>
and attempt to close an alert, but it won’t know which alert to close.Name: office_printer
substringAfter()
works well here since it’s all on one line:
{{message.substringAfter("Name: ")}}
We can also get the same result with extract()
:
{{message.extract(/Name: (\S+)/)}}
ii. Service Name: Combining this with the hostname ensures I can still get alerts for other types of issues with the same printer.
The device status is [No Paper]
Here 'No Paper
' is what we want to extract - but really we want whatever is in between those brackets:
{{message.substringBetween("[","]")}}
Again, we can get the same result with extract()
too:
{{message.extract(/\[([\S ]+)\]/)}}
Combining hostname and service name in the alias field should leave you with something like this:
{{message.substringBetween("[","]")}}_{{message.extract(/Name: (\S+)/)}}
^service name^ ^hostname^
Remember to change the alias for the create AND close alert actions of the integration!
After setting up the alert’s action filters and alias I don’t have to bother going into Opsgenie to manually close the alert after putting more paper in the printer - Opsgenie can take care of that for me. More importantly, it keeps the alert dashboard clean and manageable without any extra effort by a user.
Applying this idea to every integration possible is an important part of getting value out of a tool like Opsgenie.
This payload is from an Incoming SNS integration. The most important information is usually in the Message
field, which is sent to Opsgenie as escaped JSON - meaning Opsgenie just treats the whole thing as a massive blob of text:
{
"Type": "Notification",
"MessageId": "1d8a9ec9-5536-594e-bbbb-cbb85b720e50",
"TopicArn": "arn:aws:sns:us-east-1:1234567890:cloudwatch_alarm_sns",
"Subject": "OK: \"lambda_invocation_total\" in US East (N. Virginia)",
"Message": "{\"AlarmName\":\"lambda_invocation_total\",\"AlarmDescription\":null,\"AWSAccountId\":\"1234567890\",\"NewStateValue\":\"OK\",\"NewStateReason\":\"Threshold Crossed: 1 datapoint [1.0 (05/06/19 00:20:00)] was not greater than or equal to the threshold (2.0).\",\"StateChangeTime\":\"2019-06-05T00:25:40.667+0000\",\"Region\":\"US East (N. Virginia)\",\"OldStateValue\":\"INSUFFICIENT_DATA\",\"Trigger\":{\"MetricName\":\"Invocations\",\"Namespace\":\"AWS/Lambda\",\"StatisticType\":\"Statistic\",\"Statistic\":\"AVERAGE\",\"Unit\":null,\"Dimensions\":[],\"Period\":300,\"EvaluationPeriods\":1,\"ComparisonOperator\":\"GreaterThanOrEqualToThreshold\",\"Threshold\":2.0,\"TreatMissingData\":\"- TreatMissingData: notBreaching\",\"EvaluateLowSampleCountPercentile\":\"\"}}",
"Timestamp": "2019-06-05T00:25:40.723Z",
"SignatureVersion": "1",
"Signature": "RKIlc+yaxHTR55cFqB/4+FDjtQB53qVbtWjiuaGxMJ6XWEk5eNtIdcPUmmbghHwvlKhZ6y9Y19qOmdHVuILE4nW7Zr3R1TO12Sy3iQM4KVjMAU6cPkORPyp3J2Q0XHaz0ayinN+6RBaXCV9OcQn/cTg/rwsrny+itsJHJ7t4VGfnUyAxmL7XNnl9jFszSLa21JTcxL/TLbS09hb0gy1gB4ROU7EJR/YPqCHAJxAjDDyIxHKfKheMozQ12E0E6q4oiWtVXLhj9rLRso9FzBwtjGheBxIgfviKCwWiGxZ13A+azYJDDYXgwfEVT7scwEc69NrsAkc/9Mv6sqAz9sgf0g==",
"SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-f.pem",dasdf
"UnsubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:1234567890:cloudwatch_alarm_sns:4f2c8e78-f5c1-4cf4-95d8-1238e2b42038"
}
Let's try extracting 'MetricName':
A quick look at Message
shows MetricName
is buried pretty deep. Since there’s text on both sides of it, we’ll have to use substringBetween("before", "after")
:
"...\"Trigger\":{\"MetricName\":\"Invocations\",\"Namespace\":..
Using MetricName
should be a good reference for the “before” value, but what about the “after” or the quotes/slashes between them? Since the quotes and slashes are processed as strings and will always be there, just include them in the substringBefore()
statement.
{{Message.substringBetween("MetricName\":\"", "\"")}}
That will let us extract MetricName
each time SNS sends us data, no matter what the value is. This time it’s 'Invocations'
, but if the next alarm is for ApproximateNumberOfMessagesVisible
it'll be able to extract that value instead without making any changes.
In order to ensure that we continue to provide useful content, please let us know if this Article is helpful (Thumbs Up/Down). Also, to help us improve, feel free to provide additional feedback (directly in the community).
Skyler Ataide
Technical Support Engineer
Atlassian
San Francisco, CA.
13 accepted answers
1 comment