7.2.2 Creating response action automatic execution definitions based on automated action definition file
When migrating from an automated action definition file, you must create and apply a response action automatic execution definition based on your own automated action definition.
Note that you can create a response action automatic execution definition by simply replacing the automated action settings if the following prerequisites are true. However, you cannot migrate automated action results. Use JP1/IM-View or the jcashowa command to view the automated action results.
- You are not using AND criteria to define an automated action.
  To migrate, issue the condition specified in the AND condition as a correlated event, and specify the issued event as the response action automatic execution condition.
- Suppression time is not set in the automated action definition.
  To migrate, set the event conditions from the automated action definition on the [Repeat Event Condition Setting] screen, and exclude the automated action from execution in the suppress item.
  Set the items other than the suppression time in the response action automatic execution definition.
- The delay monitoring time is not set in the automated action definition.
  If you want to migrate, configure the items other than the delay monitoring time in the response action automatic execution definition.
- The host group name, operation group name, and monitoring group name are not specified as the host on which the automated action is executed.
  When migrating, replace the host group name, operation group name, and monitoring group name with the actual host name of the target host, and create response action automatic execution settings for the target host.

This section explains how to migrate from an automated action definition file.
(1) Replacing Parameters
Replace each parameter with the corresponding parameter according to the following table. This lets you create a response action automatic execution definition that is equivalent to an automated action definition.
| Item number | Configuration items in automated action definitions | Configuration items for the corresponding response action automatic execution definition | Remarks |
|---|---|---|---|
| 1 | sta {true\|false} | state_watch | |
| 2 | act action-name | label | |
| 3 | [prm Parameter group] | actionGroup | |
| 4 | [cmt Commenting] | description | |
| 5 | aid Action ID | actionId | |
| 6 | [valid true\|false] | valid | |
| 7 | eid Events ID | - | This setting is not required because it is specified as an event condition. |
| 8 | cnd event condition end-cnd | conditions | For details on event conditions, see "Table 7-3 Detailed event conditions". |
| 9 | [usr username] | - | This setting is not necessary because the execution user determines it according to the execution destination host. |
| 10 | [hst {Execution hostname\|Group name\|Operation group name\|Monitor group name}] | host | |
| 11 | [{cmd Action\|rul}] | type | rul cannot be specified. |
| 12 | [var Environment variable file name] | envFile | |
| 13 | [det Suppression times] | - | Items that cannot be set. |
| 14 | [ret Delay monitoring] | - | Items that cannot be set. |

| Item number | Configuration items in automated action definitions | Configuration items for the corresponding response action automatic execution definition | Remarks |
|---|---|---|---|
| 1 | Attribute name | key: "Attribute-name" | The format is the same as for automated action definitions. |
| 2 | Comparison keyword | ope: "Compare keywords" | |
| 3 | Operand# | val: ["Operand"] | When more than one operand is specified in a response action automatic execution definition, it is defined as an array. |

\# If half-width spaces, tabs, newlines (CR, LF), and % are specified in the automated action definition, define them as shown in the following table in the response action automatic execution definition.

| Item number | Value you want to specify (ASCII code) | How to describe in automated action definitions | How to define in response action automatic execution | Remarks |
|---|---|---|---|---|
| 1 | Tabs (0x09) | %09 | \t | |
| 2 | Single-byte spaces (0x20) | %20 | " " | In the response action automatic execution definition, specify half-width spaces as they are. |
| 3 | % (0x25) | %25 | % | In the response action automatic execution definition, specify % as-is. |
| 4 | Line feed code LF (0x0a) | %0a | \r | |
| 5 | Line feed code CR (0x0d) | %0d | \n | |
| 6 | \ (0x5c) | \ | \\ | |

(2) Replacing inherited event information for automated actions
If the automated action definition uses inherited event information, it must be replaced.
- Format for specifying in automated action definitions
  ${variable-name$encoding-type}
- Format for specifying in response action automatic execution definitions
  ${"Type":"Inherited event information":"Encoding type"}

Also, if the extended attribute name of the event is enclosed in double quotation marks (") in the inherited event information, the EV"attribute-name" format is replaced with the EV#attribute-name format.

| Item number | Type | Inherited event information | Automated action definition variable name | Variable name defined in response action automatic execution |
|---|---|---|---|---|
| 1 | Variable corresponding to the basic attribute | Event ID (Basic code: Extended code): The event ID is converted to "Basic code: Extended code" string format. The basic code is the event ID (B.ID), and the extended code is the event ID (B.IDEXT). The basic code and extended code are 8-digit hexadecimal numbers (A to F are uppercase letters), and leading zeros in the ID are omitted. For example, if the extended code is 00000000, the basic code is "0". | EVID | EVID |
| 2 | Variable corresponding to the basic attribute | Event ID (basic code): This is a string in which the event ID is converted to the "basic code" format. An 8-digit hexadecimal number (A to F in uppercase), with leading zeros omitted from the ID. | EVIDBASE | EVIDBASE |
| 3 | Variable corresponding to the basic attribute | Date of event registration (yyyy/mm/dd): The registered time (B.TIME) is converted to "yyyy/mm/dd" string format. | EVDATE | EVDATE |
| 4 | Variable corresponding to the basic attribute | Event registration time (hh:mm:ss): The registered time (B.TIME) is converted to "hh:mm:ss" string format. | EVTIME | EVTIME |
| 5 | Variable corresponding to the basic attribute | ID of the process that issued the event: Value of the source process ID (B.PROCESSID). | EVPID | EVPID |
| 6 | Variable corresponding to the basic attribute | User ID of the process that issued the event: Value of the source user ID (B.USERID). | EVUSRID | EVUSRID |
| 7 | Variable corresponding to the basic attribute | Group ID of the process that issued the event: Value of the source group ID (B.GROUPID). | EVGRPID | EVGRPID |
| 8 | Variable corresponding to the basic attribute | User name of the process that issued the event: Value of the source user name (B.USERNAME). | EVUSR | EVUSR |
| 9 | Variable corresponding to the basic attribute | Group name of the process that issued the event: Value of the source group name (B.GROUPNAME). | EVGRP | EVGRP |
| 10 | Variable corresponding to the basic attribute | Host name of the server that issued the event: Value of the source event server name (B.SOURCESERVER). | EVHOST | EVHOST |
| 11 | Variable corresponding to the basic attribute | IP address of the server that issued the event: Character string indicating the source IP address in IPv4 address format or IPv6 address string format#. | EVIPADDR | EVIPADDR |
| 12 | Variable corresponding to the basic attribute | Serial number in the event database: Value of the serial number (B.SEQNO). | EVSEQNO | EVSEQNO |
| 13 | Variable corresponding to the basic attribute | Date when the event arrived (YYYY/MM/DD): Arrived time (B.ARRIVEDTIME) as a character string in the format YYYY/MM/DD. | EVARVDATE | EVARVDATE |
| 14 | Variable corresponding to the basic attribute | Time when the event arrived (hh:mm:ss): Arrived time (B.ARRIVEDTIME) as a character string in the format hh:mm:ss. | EVARVTIME | EVARVTIME |
| 15 | Variable corresponding to the basic attribute | Serial number in the source event database: Value of the source serial number (B.SOURCESEQNO). | EVSRCNO | EVSRCNO |
| 16 | Variable corresponding to the basic attribute | Message: Text of the message (B.MESSAGE). | EVMSG | EVMSG |
| 17 | Variable corresponding to the extended attribute (Common Information) | Event level in the extended event information (Emergency, Alert, Critical, Error, Warning, Notice, Information, or Debug): Value of the event level (E.SEVERITY). | EVSEV | EVSEV |
| 18 | Variable corresponding to the extended attribute (Common Information) | User name: Value of the user name (E.USER_NAME). | EVUSNAM | EVUSNAM |
| 19 | Variable corresponding to the extended attribute (Common Information) | Object type: Value of the object type (E.OBJECT_TYPE). | EVOBTYP | EVOBTYP |
| 20 | Variable corresponding to the extended attribute (Common Information) | Object name: Value of the object name (E.OBJECT_NAME). | EVOBNAM | EVOBNAM |
| 21 | Variable corresponding to the extended attribute (Common Information) | Root object type: Value of the root object type (E.ROOT_OBJECT_TYPE). | EVROBTYP | EVROBTYP |
| 22 | Variable corresponding to the extended attribute (Common Information) | Root object name: Value of the root object name (E.ROOT_OBJECT_NAME). | EVROBNAM | EVROBNAM |
| 23 | Variable corresponding to the extended attribute (Common Information) | Product name: Value of the product name (E.PRODUCT_NAME). | EV"PRODUCT_NAME" | EV#PRODUCT_NAME |
| 24 | Variable corresponding to the extended attribute (Common Information) | Object ID: Value of the object ID (E.OBJECT_ID). | EV"OBJECT_ID" | EV#OBJECT_ID |
| 25 | Variable corresponding to the extended attribute (Common Information) | Occurrence: Value of the occurrence (E.OCCURRENCE). | EV"OCCURRENCE" | EV#OCCURRENCE |
| 26 | Variable corresponding to the extended attribute (Common Information) | Start time: Value of the start time (E.START_TIME). | EV"START_TIME" | EV#START_TIME |
| 27 | Variable corresponding to the extended attribute (Common Information) | End time: Value of the end time (E.END_TIME). | EV"END_TIME" | EV#END_TIME |
| 28 | Variable corresponding to the extended attribute (Common Information) | Result code: Value of the result code (E.RESULT_CODE). | EV"RESULT_CODE" | EV#RESULT_CODE |
| 29 | Variable corresponding to the extended attribute (Common Information) | Source host name: Value of the source host name (E.JP1_SOURCEHOST). | EV"JP1_SOURCEHOST" | EV#JP1_SOURCEHOST |
| 30 | Variable corresponding to the extended attribute (Common Information) | User-specified extended attribute: Value of the attribute specified in the extended attribute name. | EV"extended-attribute-name" | EV#extended-attribute-name |
| 31 | Variables corresponding to extended attributes (IM attributes) | Correlation event flag: Value indicating whether the event is a correlation event (E.@JP1IM_CORRELATE). One of the following: 0: Not a correlation event; 1: A correlation approval event; 2: A correlation failure event. | EV"@JP1IM_CORRELATE" | EV#@JP1IM_CORRELATE |
| 32 | Variables corresponding to extended attributes (IM attributes) | Response wait event flag: Value indicating whether the event is a response wait event (E.@JP1IM_RESPONSE). It is 0 when response action is matched. | - | EV#@JP1IM_RESPONSE |
| 33 | Variables corresponding to extended attributes (IM attributes) | Severity before change: Value of severity (before change) (E.@JP1IM_ORIGINAL_SEVERITY). It can be either Emergency, Alert, Critical, Error, Warning, Notice, Information, Debug, or set to a severity. This parameter is set only when the severity changing function is enabled. | EV"@JP1IM_ORIGINAL_SEVERITY" | EV#@JP1IM_ORIGINAL_SEVERITY |
| 34 | Variables corresponding to extended attributes (IM attributes) | Severity changing flag: Value of the severity changing flag (E.@JP1IM_CHANGE_SEVERITY). One of the following: | EV"@JP1IM_CHANGE_SEVERITY" | EV#@JP1IM_CHANGE_SEVERITY |
| 35 | Variables corresponding to extended attributes (IM attributes) | Modified message: Value of the message (after change) (E.@JP1IM_DISPLAY_MESSAGE). This attribute is set only when the display message change function is enabled. | EV"@JP1IM_DISPLAY_MESSAGE" | EV#@JP1IM_DISPLAY_MESSAGE |
| 36 | Variables corresponding to extended attributes (IM attributes) | Display message change: Value indicating whether the display message has been changed (E.@JP1IM_CHANGE_MESSAGE). One of the following: 0: The message has not been changed; 1: The message has been changed. This attribute is set only when the display message change function is enabled. | EV"@JP1IM_CHANGE_MESSAGE" | EV#@JP1IM_CHANGE_MESSAGE |
| 37 | Other | Host name of the manager that requested execution of the action: Value of the manager host name. | ACTHOST | ACTHOST |
| 38 | Other | Data extracted by specifying "( )" in a regular expression in an action execution condition | EVENV1 to EVENV9 | EVENV1 to EVENV9 |

\# If the variable EVIPADDR of the inherited event information is specified, the issuing IP address (B.SOURCEIPADDR) of the JP1 event is converted to one of the following formats, depending on whether it is an IPv6 address or an IPv4 address:
- IPv6 address format
  In this format, each 16 bits of a 128-bit address is delimited by colons (:), and is output as hexadecimal numbers (from 0000 to ffff).
  Example: 0011:2233:4455:6677:8899:aabb:ccdd:eeff
- IPv4 address format
  In this format, each 8 bits of a 32-bit address is delimited by periods (.), and is output as decimal numbers (from 0 to 255).
  Example: 0.64.128.255

Replacement examples
- Definition in an automated action
  $EV"JP1_SOURCEHOST"$URLENC
- Definition in a response action automatic execution after replacement
  ${event:EV#JP1_SOURCEHOST:URLENC}
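
The replacement described in (2), as an added example (not code from the product or its manual): a Python helper that rewrites inherited event information in a command string from the automated action form to the response action form. It assumes the type is always event, as in the replacement example above, and that a variable without an encoding type is written ${event:NAME}; ACTHOST and EVENV1 to EVENV9 are left unchanged and reported for manual review because the page does not show their type. The names convert, BASIC and SAMPLE are chosen here.

```python
import re

# Basic and common-attribute variable names from the table on this page.
BASIC = set("""EVID EVIDBASE EVDATE EVTIME EVPID EVUSRID EVGRPID EVUSR EVGRP
EVHOST EVIPADDR EVSEQNO EVARVDATE EVARVTIME EVSRCNO EVMSG EVSEV EVUSNAM
EVOBTYP EVOBNAM EVROBTYP EVROBNAM""".split())

_NAME = r'EV"[^"]+"|[A-Z][A-Z0-9_]*'
# A "$X" suffix is read as an encoding type only if X is not itself a variable
# name (heuristic used here so that "$EVHOST$EVMSG" stays two variables).
_ENC = r'(?:\$(?!EV|ACTHOST)(?P<{}>[A-Z0-9]+))?'
_VAR = re.compile(
    r'\$\{(?P<bn>' + _NAME + r')' + _ENC.format("be") + r'\}'  # ${NAME$ENC}
    + r'|\$(?P<n>' + _NAME + r')' + _ENC.format("e")           # $NAME$ENC
)

def convert(text):
    """Return (converted_text, review); review lists variables left as-is."""
    review = []

    def repl(m):
        name = m.group("bn") or m.group("n")
        enc = m.group("be") or m.group("e")
        if name.startswith('EV"'):
            new = "EV#" + name[3:-1]          # EV"attr" -> EV#attr
        elif name in BASIC:
            new = name                        # same name in both definitions
        else:
            # Not event attributes in the table: flag the two "Other" kinds,
            # leave anything else (for example shell variables) untouched.
            if name == "ACTHOST" or re.fullmatch(r"EVENV[1-9]", name):
                review.append(name)
            return m.group(0)
        # Assumption: with no encoding type the third field is omitted.
        return "${event:" + new + (":" + enc if enc else "") + "}"

    return _VAR.sub(repl, text), review

# Constructed command line, not taken from a real definition file.
SAMPLE = ('/opt/notify.sh $EVHOST "$EVMSG$URLENC" '
          '${EV"JP1_SOURCEHOST"$URLENC} $ACTHOST $HOME')

if __name__ == "__main__":
    converted, todo = convert(SAMPLE)
    print(converted)
    print("review manually:", todo)
```
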