1. Deduping messages when the numbers in the message keep changing, but you don't want a million different event mappings for them:
Regex:
(?P<mymemtype>(Active|Swap cache|Free swap|Free pages|HighMem|DMA|Normal|Mem-info|Node 0 DMA|Node 0 HighMem|Node 0 Normal|Node 0 HighMem free|Node 0 Normal free|Node 0 DMA free|protections\[\])):(?P<mymemmsg>.*)
Example:
Active:56400 inactive:2984 dirty:26 writeback:0 unstable:0 free:438825 slab:6557 mapped:15997 pagetables:1531 Swap cache: add 6469984, delete 6469236, find 7828962/9485630, race 520+27650 Node 0 DMA: 7*4kB 3*8kB 2*16kB 3*32kB 1*64kB 2*128kB 1*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 756kB HighMem: 18868*4kB 24208*8kB 12507*16kB 3476*32kB 683*64kB 82*128kB 14*256kB 1*512kB 0*1024kB 0*2048kB
Transform:
# Python 2 transform (Zenoss transforms run under Python 2; str.maketrans is the Python 3 equivalent).
from string import maketrans
# Map every digit to '#' so messages that differ only in their counters collapse to one key.
intab = "0123456789"
outtab = "##########"
trantab = maketrans(intab, outtab)
# mymemtype and mymemmsg are the named groups captured by the regex above.
outstring = evt.mymemmsg.translate(trantab)
# Build the dedup key from the usual fields plus the digit-masked message.
evt.dedupid = "%s|%s|%s|%s|%s|%s" % (evt.device, evt.component, evt.eventClass, evt.eventKey, evt.severity, evt.mymemtype + ':' + outstring)
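The same dedup key, worked through outside Zenoss as an added example (not code from the original page): a plain dict stands in for the evt object, the device and class fields are constructed, and two constructed kernel lines that differ only in their numbers are shown to produce one key.

```python
import re

# Regex from tip 1, with the two named groups the transform relies on.
MEM_RE = re.compile(
    r"(?P<mymemtype>(Active|Swap cache|Free swap|Free pages|HighMem|DMA|Normal|Mem-info"
    r"|Node 0 DMA|Node 0 HighMem|Node 0 Normal|Node 0 HighMem free|Node 0 Normal free"
    r"|Node 0 DMA free|protections\[\])):(?P<mymemmsg>.*)"
)
# Every digit becomes '#', so counters no longer influence the key (Python 3 form of maketrans).
DIGITS_TO_HASH = str.maketrans("0123456789", "##########")


def dedup_id(evt):
    """Return the dedupid the transform would assign, or None if the regex does not match."""
    m = MEM_RE.search(evt["message"])
    if m is None:
        return None
    masked = m.group("mymemmsg").translate(DIGITS_TO_HASH)
    return "%s|%s|%s|%s|%s|%s" % (
        evt["device"], evt["component"], evt["eventClass"],
        evt["eventKey"], evt["severity"], m.group("mymemtype") + ":" + masked,
    )


def make_evt(message):
    # Constructed event fields; in Zenoss these come from the event itself (assumption).
    return {"device": "host1", "component": "kernel", "eventClass": "/OS/Kernel",
            "eventKey": "", "severity": 3, "message": message}


# Constructed kernel lines: A and B differ only in counter values, C has an extra digit.
MSG_A = "Active:56400 inactive:2984 dirty:26 writeback:0 free:438825"
MSG_B = "Active:56412 inactive:3001 dirty:31 writeback:0 free:438790"
MSG_C = "Active:56400 inactive:2984 dirty:126 writeback:0 free:438825"

if __name__ == "__main__":
    for msg in (MSG_A, MSG_B, MSG_C):
        print(dedup_id(make_evt(msg)))
```

Note that the mask keeps the digit count, so "dirty:26" and "dirty:126" still yield different keys; if that matters, collapse runs of '#' to one in the transform.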
2. Making a default mapping as a fall-through for events. Make sure it is the last mapping in the sequence to match, and do not change the event severity in it. This is handy when you know a message should fall into a particular event class and you want it visible so that more specific mappings can be written later.
Name:
kernel_multiple_match
Event Class Key:
kernel
Example:
protections[]: 0 0 0
3. Remapping events when another device is proxying the event for you (in this case the alert comes from a monitoring box):
Regex:
snmp trap storageArrayCritical
Example:
snmp trap storageArrayCritical
Transform:
# Re-home the event on the array named in the trap instead of the monitoring box that sent it.
evt.device = evt.deviceUserLabel
# Carry the trap's own detail fields into the message and summary so they survive the remap.
evt.message += ": %s %s %s" % (evt.componentLocation, evt.deviceErrorCode, evt.trapDescription)
evt.summary += ": %s" % (evt.trapDescription)