示例#1
0
        # Prepare context
        context = createContext(metadata, config, results, sessionKey, payload)

        #
        # END Setup
        #

        #
        # Incident creation
        #

        # Check for incident suppression
        incident_suppressed = False
        incident_status = 'new'
        try:
            incident_suppressed, rule_names = sh.checkSuppression(search_name, context)
        except Exception as e:
            log.error("Suppression failed due nexpected Error: %s" % (traceback.format_exc()))

        if incident_suppressed == True:
            incident_status = 'suppressed'
        log.info("Incident status after suppresion check: %s" % incident_status)

        # Write incident to collection
        log.debug("Metadata: {}".format(json.dumps(metadata)))
        incident_key = createIncident(metadata, config, incident_status, sessionKey)
        event = 'severity=INFO origin="alert_handler" user="******" action="create" alert="%s" incident_id="%s" job_id="%s" result_id="%s" owner="%s" status="new" urgency="%s" ttl="%s" alert_time="%s"' % ('splunk-system-user', search_name, incident_id, job_id, result_id, metadata['owner'], metadata['urgency'], metadata['ttl'], metadata['alert_time'])
        createIncidentChangeEvent(event, metadata['job_id'], settings.get('index'))
        log.info("Incident initial state added to collection for job_id=%s with incident_id=%s key=%s" % (job_id, incident_id, incident_key))

        # Log suppress event if necessary
serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
alerts = json.loads(serverContent)
if len(alerts) >0:
    for alert in alerts:
        query_incidents = '{  "alert": "'+alert['alert']+'", "$or": [ { "status": "auto_assigned" } , { "status": "new" } ] }'
        uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(query_incidents)
        serverResponseIncidents, serverContentIncidents = rest.simpleRequest(uri, sessionKey=sessionKey)

        incidents = json.loads(serverContentIncidents)
        if len(incidents) > 0:
            log.info("Found %s incidents of alert %s to check for suppression..." % (len(incidents), alert['alert']))
            for incident in incidents:
                log.info("Checking incident: %s" % incident['incident_id'])
                ic = IncidentContext(sessionKey, incident["incident_id"])
                context = ic.getContext()
                incident_suppressed, rule_names = sh.checkSuppression(alert['alert'], context)
                if incident_suppressed == True:
                    log.info("Incident %s (%s) should be resolved. alert_time=%s since suppression was successful." % (incident['incident_id'], incident['_key'], incident['alert_time']))
                    old_status = incident['status']
                    incident['status'] = 'auto_suppress_resolved'
                    uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/%s' % incident['_key']
                    incidentStr = json.dumps(incident)
                    serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=incidentStr)

                    now = datetime.datetime.now().isoformat()
                    event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
                    log.debug("event_id=%s now=%s" % (event_id, now))

                    rules = ' '.join(['suppression_rule="'+ rule_name +'"' for  rule_name in rule_names])
                    event = 'time=%s severity=INFO origin="alert_manager_scheduler" event_id="%s" user="******" action="auto_suppress_resolve" previous_status="%s" status="auto_suppress_resolved" incident_id="%s" %s' % (now, event_id, old_status, incident['incident_id'], rules)
                    input.submit(event, hostname = socket.gethostname(), sourcetype = 'incident_change', source = 'alert_manager_scheduler.py', index = config['index'])
示例#3
0
                                        incident_id)
job['priority'] = getPriority(job['impact'], job['urgency'])

# create Context
job['alert_time'] = alert_time
job['owner'] = config['default_owner']
job['name'] = alert
job['alert'] = alert
job['app'] = alert_app
context = createContext(job, incident_config, results)

# Check for incident suppression
incident_suppressed = False
incident_status = 'new'
try:
    incident_suppressed, rule_names = sh.checkSuppression(alert, context)
except Exception as e:
    log.error("Suppression failed due nexpected Error: %s" %
              (traceback.format_exc()))

if incident_suppressed == True:
    incident_status = 'suppressed'

# Parse Title
pattern = re.compile(r'\$([^\$]+)')
for field in re.findall(pattern, incident_config['title']):
    if "fields" in results and field in results["fields"][0]:
        if type(results["fields"][0][field]) is list:
            repl = str(results["fields"][0][field][0])
        else:
            repl = str(results["fields"][0][field])
示例#4
0
        # Prepare context
        context = createContext(metadata, config, results, sessionKey)

        #
        # END Setup
        #

        #
        # Incident creation
        #

        # Check for incident suppression
        incident_suppressed = False
        incident_status = 'new'
        try:
            incident_suppressed, rule_names = sh.checkSuppression(
                search_name, context)
        except Exception as e:
            log.error("Suppression failed due nexpected Error: %s" %
                      (traceback.format_exc()))

        if incident_suppressed == True:
            incident_status = 'suppressed'
        log.info("Incident status after suppresion check: %s" %
                 incident_status)

        # Write incident to collection
        incident_key = createIncident(metadata, config, incident_status,
                                      sessionKey)
        event = 'severity=INFO origin="alert_handler" user="******" action="create" alert="%s" incident_id="%s" job_id="%s" result_id="%s" owner="%s" status="new" urgency="%s" ttl="%s" alert_time="%s"' % (
            'splunk-system-user', search_name, incident_id, job_id, result_id,
            metadata['owner'], metadata['urgency'], metadata['ttl'],