How to send task name instead of alert id in kapacitor? - influxdb

When an alert is triggered in Kapacitor, it sends the alert id (the name of the alert that's defined in the Chronograf UI), but I need its task name, which is generated automatically.
I'm trying to find out which CLEAR event belongs to which CRITICAL event.
In this image, the id field is the alert name, not the alert's auto-generated id.
This is the debug screenshot.

When we use the Chronograf UI, it generates its own TICK script for Kapacitor. So it defines the alert name as the alert id in the frontend. I solved my problem with the Kapacitor APIs.

Related

How to create an alerting in Open Distro that warns about the event increase in Wazuh?

For example, over 4000 events per day should have an email notification.
If you are using Open Distro with no CCS in use and want to create an email notification for over 4000 events in a day, find the high-level steps below:
1. Click on Alerting in the left menu.
2. Click on the Destinations tab and Add destination. This will be an Email destination: enter a valid email and the SMTP configuration under Manage Senders, then select it under Sender, and add a recipient email under Recipients.
3. Create a Monitor: under Method of definition you can select Define using visual graph, under Index enter wazuh-alerts* (this will select all events that you visualize under Wazuh>Modules>Security Events), and under Time field you can select #timestamp. Leave WHEN Count(), OVER all documents and WHERE all fields are included as default; in the option FOR THE LAST … select the last 24 hours. Finally, select the frequency under Monitor Schedule as Daily and the time when you want this to run; alternatively you can select By interval and run it Every 1 Days. Click on Create.
4. With the Monitor created you will have to create a trigger: in trigger condition enter IS ABOVE 4,000. Under Configure actions select the Destination created in step 2, then the Message subject you would like the recipient to receive. You can leave the Message as default; it uses Mustache if you would like to edit it. You can send a test message to check that the Destination and SMTP are configured correctly. Click on Create.
5. The last step is to enable your monitor in case it was not enabled when created: select it from the Monitors tab and click on Actions>Enable.
I hope you are able to configure it, let me know!

How to transmit alert variables by E-mail message

I’m a newbie in AggreGate IoT platform and I’m trying to use its Alerts feature. I need to insert the name of the device that triggered the alert into the email message being sent.
I see some Alert Examples in the documentation but I can’t find the way to extract the context of the current device. I’ve tried to write the Alert Message expression like {env/context} or cell({env/context},"value") but it has no effect.
Please help me to make it work.
You need to send an e-mail when the Alert rises or deactivates, but with your own subject and message format.
Open the "Automatic Corrective Actions" tab.
Add an action with "Execution type" - Rise, "Action" - Send E-mail, and click on the "Parameters" field.
You should see the e-mail sending parameters, such as Recipients, Subject, message, etc. You can write them yourself or use bindings; in our case we will use bindings.
To get variables from the alert we should use an expression, e.g. "cell({env/value},"trigger")". This expression will return the "Trigger message". You can get any of the variables that we have in the Alert Event (see attached screenshot).
Once you have a variable value, you can use it with the AggreGate expression language. For example, cell({env/value}, "context") will return the context of the device for which this alert was set. To get the name of this device using the context, you can write the expression cell(getVariable(cell({env/value}, "context"),"genericProperties"),"name").

Zabbix alert event generation mode and multiple OK event generation

I have a trigger with:
PROBLEM event generation mode: Multiple
OK event closes: All problems
That trigger fires on the expression for the trapper item, which is updated by the crontab multiple times a day. Every time the trapper gets a new value, it should be reported by the alert (because every time it gets a different value, which is important). But when it's OK, one message should be enough.
Action has "Send message to user groups" operation with a single step, "Immediately" start option and "Default" step duration (3600s).
Recovery operation set to "Send message to user groups" option.
The action also has only the following conditions in the drop-down:
Application
Host
Host group
Maintenance status
Tag
Tag value
Template
Time period
Trigger
Trigger name
Trigger severity
What may be the reason for multiple duplicating alert messages with OK status, coming at the same moment from the same trigger (and the same alert)?
Have you tried global event correlation?
It is possible to correlate events created by completely different
triggers and apply the same operations to them all. By creating
intelligent correlation rules it is actually possible to save yourself
from thousands of repetitive notifications and focus on root causes of
a problem!
https://www.zabbix.com/documentation/3.4/manual/config/event_correlation/global

How to alert a custom group in slack using incoming webhook

I was trying to alert a custom group using an incoming webhook in Slack. I am able to alert a user using <#user>, but with a group none of the following formats works:
<!cgroup>
<#cgroup>
What am I missing here? Thanks in advance.
I got this working by adding a link_names attribute to my JSON payload. For example, POSTing this to my Slack hook URL:
{
"text": "#myusergroup Hello",
"link_names": 1
}
Caused users in #myusergroup to be notified by the message.
From Slack documentation.
For paid account there is an additional command for User Groups that
follows the format <!subteam^ID|handle>. (subteam is literal text. ID
and handle are replaced with the details of the group.) These indicate
a User Group message, and should cause a notification to be displayed
by the client. User Group IDs can be determined from the
usergroups.list API endpoint. For example, if you have a User Group
named happy-peeps with ID of S012345, then you would use the command
<!subteam^S012345|happy-peeps> to mention that user group in a
message.
It is working great
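An added example, not code from either answer above: a small Python builder for the webhook body that uses the `<!subteam^ID|handle>` form quoted from the Slack documentation and escapes `&`, `<` and `>` in the alert text, so that field values coming from monitored systems cannot turn into mentions of their own. The function names and the ID/handle patterns are assumptions made for this example; the ID pattern is modelled on the `S012345` sample in the quote.

```python
import json
import re

# Slack message text needs only these three characters escaped.
_ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}

# Assumed shapes, modelled on the "S012345" / "happy-peeps" sample above.
_GROUP_ID = re.compile(r"S[A-Z0-9]+")
_HANDLE = re.compile(r"[a-z0-9][a-z0-9._-]*")


def escape_text(value: str) -> str:
    """Neutralise Slack control sequences in untrusted alert fields."""
    return re.sub(r"[&<>]", lambda m: _ESCAPES[m.group(0)], value)


def group_mention(group_id: str, handle: str) -> str:
    """Return the <!subteam^ID|handle> token for a User Group."""
    if not _GROUP_ID.fullmatch(group_id):
        raise ValueError(f"unexpected user group id: {group_id!r}")
    if not _HANDLE.fullmatch(handle):
        raise ValueError(f"unexpected user group handle: {handle!r}")
    return f"<!subteam^{group_id}|{handle}>"


def build_payload(group_id: str, handle: str, alert_text: str) -> str:
    """Build the JSON body to POST to the incoming-webhook URL."""
    text = f"{group_mention(group_id, handle)} {escape_text(alert_text)}"
    return json.dumps({"text": text})


if __name__ == "__main__":
    # Constructed sample: alert text that happens to contain a mention token.
    print(build_payload("S012345", "happy-peeps",
                        "disk <!channel> full & hot"))
```

Only the mention token built by `group_mention` reaches Slack unescaped; everything taken from the alert itself goes through `escape_text` first.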

Can I display a message when a user wants to start a parameterized build?

I want to display a message to the user when he is about to start a Jenkins build job.
I added the message to the build job description, but the user could also start the job from a view list (where the description is not visible).
Can I add a message to somewhere in the parameters page?
I could use the description field for a parameter, but that's more like a hack, a more prominent position for the message would be good.
Why is the description field a hack? That shows up in the most prominent position - just under the title.
I would just keep it simple and display your message there.
