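# Prepare context
context = createContext(metadata, config, results, sessionKey, payload)
#
# END Setup
#

#
# Incident creation
#

# Check for incident suppression.
# rule_names is initialised up front so that the suppress-event code further
# down (outside this fragment) cannot hit a NameError when checkSuppression
# itself raised before assigning it.
incident_suppressed = False
rule_names = []
incident_status = 'new'
try:
    incident_suppressed, rule_names = sh.checkSuppression(search_name, context)
except Exception:
    # A failing suppression check must not block incident creation: the
    # incident is created unsuppressed and the traceback is logged for triage.
    log.error("Suppression failed due to unexpected error: %s" % traceback.format_exc())
if incident_suppressed:
    incident_status = 'suppressed'
log.info("Incident status after suppression check: %s" % incident_status)

# Write incident to collection
log.debug("Metadata: {}".format(json.dumps(metadata)))
incident_key = createIncident(metadata, config, incident_status, sessionKey)

# Audit event for the incident_change index.  The number of %s placeholders
# must equal the number of values in the tuple below; the previous version had
# one placeholder fewer than values, which raises TypeError at runtime and so
# aborted incident creation before createIncidentChangeEvent was reached.
# Values are interpolated without escaping: a search name or owner containing
# a double quote breaks the key="value" layout of the event, so consumers of
# this index should not treat field boundaries as trustworthy.
# NOTE(review): status is always recorded as "new" here even when
# incident_status is 'suppressed' -- kept as-is, confirm whether that is intended.
event = (
    'severity=INFO origin="alert_handler" user="%s" action="create" alert="%s" '
    'incident_id="%s" job_id="%s" result_id="%s" owner="%s" status="new" '
    'urgency="%s" ttl="%s" alert_time="%s"'
) % (
    'splunk-system-user', search_name, incident_id, job_id, result_id,
    metadata['owner'], metadata['urgency'], metadata['ttl'], metadata['alert_time'],
)
createIncidentChangeEvent(event, metadata['job_id'], settings.get('index'))
log.info("Incident initial state added to collection for job_id=%s with incident_id=%s key=%s" % (job_id, incident_id, incident_key))

# Log suppress event if necessary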
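serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey)
alerts = json.loads(serverContent)
if alerts:
    for alert in alerts:
        # Serialise the KV store query with json.dumps instead of string
        # concatenation, so an alert name containing quotes or braces cannot
        # change the structure of the query that is sent to the collection.
        query_incidents = json.dumps({
            "alert": alert['alert'],
            "$or": [{"status": "auto_assigned"}, {"status": "new"}],
        })
        uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents?query=%s' % urllib.quote(query_incidents)
        serverResponseIncidents, serverContentIncidents = rest.simpleRequest(uri, sessionKey=sessionKey)
        incidents = json.loads(serverContentIncidents)
        if not incidents:
            continue
        log.info("Found %s incidents of alert %s to check for suppression..." % (len(incidents), alert['alert']))
        for incident in incidents:
            log.info("Checking incident: %s" % incident['incident_id'])
            ic = IncidentContext(sessionKey, incident["incident_id"])
            context = ic.getContext()
            try:
                incident_suppressed, rule_names = sh.checkSuppression(alert['alert'], context)
            except Exception as e:
                # One failing suppression evaluation must not abort the sweep
                # over the remaining incidents; record it and carry on.
                log.error("Suppression check failed for incident %s: %s" % (incident['incident_id'], e))
                continue
            if not incident_suppressed:
                continue
            log.info("Incident %s (%s) should be resolved. alert_time=%s since suppression was successful." % (incident['incident_id'], incident['_key'], incident['alert_time']))
            # Persist the state change: the whole incident record is written
            # back to the collection with only its status replaced.
            old_status = incident['status']
            incident['status'] = 'auto_suppress_resolved'
            uri = '/servicesNS/nobody/alert_manager/storage/collections/data/incidents/%s' % incident['_key']
            incidentStr = json.dumps(incident)
            serverResponse, serverContent = rest.simpleRequest(uri, sessionKey=sessionKey, jsonargs=incidentStr)
            now = datetime.datetime.now().isoformat()
            # md5 only derives an identifier for the change event; it is not
            # used for any integrity or authentication purpose.
            event_id = hashlib.md5(incident['incident_id'] + now).hexdigest()
            log.debug("event_id=%s now=%s" % (event_id, now))
            # Rule names are interpolated unescaped; a rule name containing a
            # double quote will break the key="value" layout of the event.
            rules = ' '.join('suppression_rule="' + rule_name + '"' for rule_name in rule_names)
            event = (
                'time=%s severity=INFO origin="alert_manager_scheduler" event_id="%s" '
                'user="******" action="auto_suppress_resolve" previous_status="%s" '
                'status="auto_suppress_resolved" incident_id="%s" %s'
            ) % (now, event_id, old_status, incident['incident_id'], rules)
            input.submit(event, hostname=socket.gethostname(), sourcetype='incident_change', source='alert_manager_scheduler.py', index=config['index'])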
incident_id) job['priority'] = getPriority(job['impact'], job['urgency']) # create Context job['alert_time'] = alert_time job['owner'] = config['default_owner'] job['name'] = alert job['alert'] = alert job['app'] = alert_app context = createContext(job, incident_config, results) # Check for incident suppression incident_suppressed = False incident_status = 'new' try: incident_suppressed, rule_names = sh.checkSuppression(alert, context) except Exception as e: log.error("Suppression failed due nexpected Error: %s" % (traceback.format_exc())) if incident_suppressed == True: incident_status = 'suppressed' # Parse Title pattern = re.compile(r'\$([^\$]+)') for field in re.findall(pattern, incident_config['title']): if "fields" in results and field in results["fields"][0]: if type(results["fields"][0][field]) is list: repl = str(results["fields"][0][field][0]) else: repl = str(results["fields"][0][field])
# Prepare context context = createContext(metadata, config, results, sessionKey) # # END Setup # # # Incident creation # # Check for incident suppression incident_suppressed = False incident_status = 'new' try: incident_suppressed, rule_names = sh.checkSuppression( search_name, context) except Exception as e: log.error("Suppression failed due nexpected Error: %s" % (traceback.format_exc())) if incident_suppressed == True: incident_status = 'suppressed' log.info("Incident status after suppresion check: %s" % incident_status) # Write incident to collection incident_key = createIncident(metadata, config, incident_status, sessionKey) event = 'severity=INFO origin="alert_handler" user="******" action="create" alert="%s" incident_id="%s" job_id="%s" result_id="%s" owner="%s" status="new" urgency="%s" ttl="%s" alert_time="%s"' % ( 'splunk-system-user', search_name, incident_id, job_id, result_id, metadata['owner'], metadata['urgency'], metadata['ttl'],