Issue #709 resolved
Nikhil
created an issue

Hi Fidel,

I have a few doubts about the configuration for creating Jira tickets based on keywords from the Summary or Description, which we worked on earlier:

I have used the validator below in the workflow, but it works only if the email alert contains the strings provided; otherwise the issue will not be created. But I want issues to be created with or without these strings. Basically, this validator must be optional, with an OR condition, so that the incident will still continue to get created.

Only if the following boolean expression is true:

    "DOWN" in %{Summary} OR "State: DOWN" in %{Description} OR "CAIHIRT901 is DOWN" in %{Summary}

Message to show when validation fails: "Please check with your Jira administrator if you are receiving this message".

The above validator was to create incidents containing the mentioned strings.

BUT: Can we have a validator such that issues are not created when the keywords "UP" or "CAIHIRT901 is UP" are in the Summary or Description of incoming email alerts, while Incidents continue to be created for any other keywords like "DOWN" or "CAIHIRT901 is DOWN" in the alerts?

Nikhil

Comments (30)

  1. Fidel Castro Armario repo owner

    Hi @Nikhil,

    When a validator fails, the transition where it's inserted can't be executed. When we insert a validator in the "Create Issue" transition, a validator failure will prevent the issue from being created.

    I don't understand what you mean by "...I want issues to be created with or without these strings...". If you don't mind the presence of those strings, then you simply don't need any validator.

    In order to block issue creation when "UP" and "CAIHIRT901 is UP" are in the Summary, you should use another boolean validator with the following expression:

    "UP" not in %{00000} AND "CAIHIRT901 is UP" not in %{00000} 
    

    where %{00000} is field code for Summary.

  2. Nikhil reporter

    Hi Fidel,

    I meant that the validator must work optionally. This validator should not stop creating tickets if the keywords aren't found. I will do this workaround and get back to you.

    Nikhil

  3. Fidel Castro Armario repo owner

    @Nikhil,

    Validator "DOWN" in %{00000} OR "State: DOWN" in %{00001} OR "CAIHIRT901 is DOWN" in %{00000} will require the presence of any of those 3 words in Summary or Description. If none of the words are present, the validator fails and the issue will not be created.

    When do you need the validator to optionally not be applied?

  4. Nikhil reporter

    Fidel,

    Basically, a lot of Incidents get generated daily, and some of them are from the Nagios tool. Whenever Nagios is DOWN/UP, Nagios sends out alerts to Jira and Jira will create a ticket for that alert. Now, this validator should not stop other Incidents from getting created, as other Incidents are created for other purposes.

    So, I have to come up with a plan where Jira only creates issues when Nagios sends a DOWN status alert, and ignores UP alerts rather than generating tickets for them, even though Nagios keeps sending UP alerts as well.

    Nikhil

  5. Fidel Castro Armario repo owner

    If you don't expect UPs and DOWNs mixed in the same mail, the following validator will be enough:

    "DOWN" in %{00000} OR "State: DOWN" in %{00001} OR "CAIHIRT901 is DOWN" in %{00000}
    

    but if you expect DOWNs and UPs mixed in the same mail, and want to prevent issue creation whenever there is an UP, even if there is also a DOWN in the same email, i.e., if you give priority to UPs over DOWNs, then you can use the following validator:

    ("DOWN" in %{00000} OR "State: DOWN" in %{00001} OR "CAIHIRT901 is DOWN" in %{00000}) AND "UP" not in %{00000} AND "CAIHIRT901 is UP" not in %{00000}
    

    Anyway, I have the feeling that there is something that I'm not understanding in your requirements.

  6. Nikhil reporter

    The requirement is something like this:

    When an alert such as "RECOVERY Host Alert: AP1HIRT510 is UP" is received, automate finding the matching alert that includes "PROBLEM Host Alert: AP1HIRT510 is DOWN" and mark that ticket as "Resolved" with the Resolution "Service Recovery". Close the newly generated "Recovery" ticket with the same Resolution. Do we have a way to configure this?

    Nikhil

  7. Nikhil reporter

    @Fidel Castro Armario If I set a Validator on a workflow transition, then the validator checks whether the strings provided exist in the incoming Nagios notification alerts. If found, the issue will be created; if not, issue creation won't happen. This actually stops creating issues for other subjects as well. So, can we have this Validator as an OR condition? Like, if no alerts are received from Nagios, it should not restrict creating issues for other reasons.

    Nikhil

  8. Fidel Castro Armario repo owner

    Hi @Nikhil,

    In relation to your first question: I think it can be done, but I need a more general and detailed description of the behavior you want to implement:

    • Are "RECOVERY Host Alert: AP1HIRT510 is UP" and "PROBLEM Host Alert: AP1HIRT510 is DOWN" the Summary or the Description of the issue?
    • Are those the only 2 kinds of messages you can receive from Nagios, or the only 2 you are interested in?
    • Is AP1HIRT510 the only variable part of those 2 kinds of messages?
    • Can you add some screenshots showing the Summary and Description of real issues created by Nagios?

    Please, take your time to write a detailed description of all the possibilities we can encounter, since I'm going to take my time to explain to you in detail how to implement your desired behavior. Otherwise, both of us will be wasting our time.

    In relation to your second question: Can you give a word or a phrase that always appears in an issue created by Nagios? If you can, I can give you a modified boolean expression to make the validator pass for any issue not created by Nagios.

  9. Nikhil reporter

    Hello Fidel,

    Yes, these are the subjects we are interested in. But the problem is that if I configure the validator accordingly, then only alerts with the keywords "DOWN and AP1HIRT510" are getting converted into Jira issues, and other issues are not being received and converted to Jira tickets at all.

    So, I wanted to check if it is somehow possible to have Jira issues created with the "DOWN" keyword only and also disallow other alerts where "UP and AP1HIRT510" are in the subject? Which means alerts with DOWN and AP1HIRT510, and the rest of the alerts with any other keywords apart from "UP and AP1HIRT510", must have Jira issues created.

    Nikhil

  10. Fidel Castro Armario repo owner

    Hi @Nikhil,

    I'm afraid I still don't understand what you intend to do. I asked 4 questions in my previous post. Please, try to answer them.

    Anyway, I will try to give you a validator according to the explanations in your previous post:

    I wanted to check if it is somehow possible to have Jira issues created with "DOWN" keyword only and also disallow other alerts where "UP and AP1HIRT510" are in the subject?

    "DOWN" in %{00000} AND "UP" not in %{00000} AND "AP1HIRT510" not in %{00000}
    

    That validator will pass only when "DOWN" is in Summary, except when there is also any of the following substrings "DOWN" or "AP1HIRT510".

  11. Nikhil reporter

    Hi @Fidel Castro Armario,

    There is another host which I have seen earlier (as attached), CAIHIRT901, for which we get alerts.

    I understand that there is some confusion, but to make it simpler:

    We have a workflow for the project KOI assigned to the issue type Incident, which is used to track incidents created in Jira that can come from Nagios or from client SIEM tools. We have Incidents created from SIEM tools as well through the same workflow, but this validator is blocking those incidents, since the keywords it looks for are "DOWN" or "HOST_NAME" and these keywords are not present in the alerts generated from SIEM tools. So, basically, this validator in the workflow will disallow any other alerts which don't have the keywords from the validator.

    Answering 4 questions:

    • Are "RECOVERY Host Alert: AP1HIRT510 is UP" and "PROBLEM Host Alert: AP1HIRT510 is DOWN" the Summary or the Description of the issue? -- Yes, they are.
    • Are those the only 2 kinds of messages you can receive from Nagios, or the only 2 you are interested in? -- These are what we are interested in.
    • Is AP1HIRT510 the only variable part of those 2 kinds of messages? -- Nope, I have seen CAIHIRT901 as well, as attached.
    • Can you add some screenshots showing the Summary and Description of real issues created by Nagios? -- Attached. Neither I nor the requestor have the original alerts from Nagios.

    My requirement is: Can we have an OR logical operator between 2 validators (like we have in Conditions in the workflow) so that this Validator will now block alerts from SIEM tools?

    Nikhil

  12. Fidel Castro Armario repo owner

    Hi @Nikhil,

    I have noticed that the user that Nagios is using for reporting issues is koi.nagios. Taking this fact into account, you can use the following boolean validator:

    %{00006} ~ "nagios" IMPLIES %{00000} ~ "DOWN"
    

    where %{00006} is field code for Reporter, and %{00000} is field code for Summary.

  13. Nikhil reporter

    Hi Fidel,

    Great!! So, this Boolean validator only creates issues based on the keywords provided in the expression and will definitely restrict alerts with the keyword "UP"; if it is present, it won't.

    But my other concern is if this validator is added, this should not restrict other alerts coming from SIEM tools as we need those alerts to have Jira issues created as well.

    So, can we include keywords such as "UP, Nagios, HOST_NAME" in the Boolean expression and have Jira issues created if these keywords are NOT present in the Summary or Description? Something like this:

    "UP" not in %{00000} AND "CAIHIRT901 is UP" not in %{00000}
    

    So, this validator will restrict only alerts having the words UP and CAIHIRT901 and allow any other alerts to create Jira issues, either from Nagios or from other clients' SIEM tools.

    Nikhil

  14. Fidel Castro Armario repo owner

    Hi @Nikhil,

    I consider that your description of the behavior is unnecessarily complicated, and redundant. For example: if "UP" not in %{00000} is true, then "CAIHIRT901 is UP" not in %{00000} will also be true, since "UP" is in "CAIHIRT901 is UP". And we don't need to include UP in the boolean expression since we will not get UP and DOWN at the same time.

    The behavior of %{00006} ~ "nagios" IMPLIES %{00000} ~ "DOWN" is the following: if the mail sender contains the word nagios, then the issue will be created only if it contains the word DOWN in the summary. In any other case (e.g., when the mail is sent by SIEM), the issue will be created.

    Please, try the boolean expression, and let me know whether it works as you expect.

  15. Nikhil reporter

    Hi @Fidel Castro Armario,

    I have configured and checked the same as you have mentioned above, and it failed. Here is the Boolean expression:

    %{00006} ~ "MTS Koi L1" IMPLIES %{00000} ~ "DOWN"
    

    According to you, the above Boolean must restrict UP alerts and allow Jira issues to be created with DOWN and any other Summary/Subject. But it is creating Jira issues for all 3 cases: UP, DOWN and any content. Below are the subjects added in the emails to have the same in the Summary of the Jira issues:

    • Testing
    • PROBLEM Host Alert: AP1HIRT510 is DOWN
    • RECOVERY Host Alert: AP1HIRT510 is UP

    Nikhil

  16. Fidel Castro Armario repo owner

    Hi @Nikhil,

    You are not using my boolean expression, since you changed the literal to be compared to %{00006}. My boolean expression is: %{00006} ~ "nagios" IMPLIES %{00000} ~ "DOWN".

    According to your attached emails, the reporter of Nagios alerts is a user with username koi.nagios, and apparently you replaced it with the user's full name, which is not the same as the username.

    Please, try EXACTLY my boolean expression.

  17. Nikhil reporter

    Hi,

    I am testing in Stage environment and my user here is different.

    Full Name: MTS Koi L1
    Username: mts.koi.l1

    Let me try putting "mts.koi.l1" in the reporter. Apparently, we are supposed to use the username and not the full name? In that case, in Prod am I supposed to use the username koi.nagios and not the full name "Koi Nagios Notification"?

    In addition to the above, I have a few questions:

    Next question:

    I have thought of a couple more options and hope you could help me to answer whether they are possible.

    1) Can we auto-close/auto-resolve these issues with some specified Resolution immediately?
    2) Can we allow both UP and DOWN alerts to create Jira issues, but only UP alerts must be auto-closed with some specified resolution without any manual intervention, while DOWN alerts need manual attention?

    I will be testing it, meanwhile can you also suggest if it is possible as mentioned above?

    Nikhil

  18. Nikhil reporter

    Hi @Fidel Castro Armario,

    With the Boolean expression %{00006} ~ "mts.koi.l1" IMPLIES %{00000} ~ "DOWN", only the email alert with the subject "PROBLEM Host Alert: AP1HIRT510 is DOWN" is successfully creating Jira tickets, and not the one with the subject "Testing" :( I need Jira issues to be created for any subject that comes from SIEM tools as well.

    Nikhil

  19. Fidel Castro Armario repo owner

    Yes, you should use the username, not the user's full name. Indeed, you don't have to use the whole username, only a part of it. That's why I simply used "nagios".

    There is a possible way to close the ticket, but it requires that new issues are always created, even with "UP", and then automatically closed, dragging with it also the previously created issues. It's a very complex solution, and I prefer not to think of it until we achieve to implement the simpler requirement.

    Please, attach emails of issues created by SIEM tools. I need to see which user is being used for creating those issues.

  20. Nikhil reporter

    Hi @Fidel Castro Armario ,

    The Boolean mentioned is not allowing other subjects to create Jira issues. Is there a way to allow both DOWN and subjects/summaries from SIEM, with different reporters, or in my case "This is a Testing issue", the random subject I picked? I need a Jira issue to be created even if it has some random subject which doesn't have UP, which I am testing in Stage Jira. In Stage Jira, we have only 1 reporter who sends both alerts with UP/DOWN and random subjects as well. So, probably that's the reason it is not working out.

    But in Production Jira, we have 2 different reporters: koisoc, from which we get alerts from SIEM tools, and koi.nagios, from which we get alerts from Nagios.

    From koi.nagios, we get alerts when Nagios is DOWN and UP. We want alerts when Nagios goes DOWN and not required when Nagios comes UP.

    From koisoc, we need all the alerts that we receive without any restriction.

    Nikhil

  21. Fidel Castro Armario repo owner

    Hi @Nikhil,

    If you have different users for reporting issues from SIEM and Nagios, then boolean expression %{00006} ~ "nagios" IMPLIES %{00000} ~ "DOWN" will work as you expect.

    If that boolean expression is preventing other users from creating issues, it's because those users are using as reporter a user whose username contains the word nagios. That boolean expression only requires DOWN if the reporter contains the word nagios, otherwise it doesn't apply any restriction.
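
Added example, not code from the Jira Workflow Toolbox plugin or from either participant: a small offline simulator for the boolean validators quoted in comments 5, 12, 14 and 18 to 21, so a rule can be checked against sample alert subjects before it is enabled on a production "Create Issue" transition. It assumes that %{00000} is Summary, %{00001} is Description and %{00006} is the Reporter username (koi.nagios, not the display name, as stated in comments 16 and 19), that "in" and "~" behave as plain case-sensitive substring tests, and that the alert subjects and reporter names used are constructed sample data modelled on the subjects quoted in the thread.

```python
"""
Offline simulator for the boolean validators discussed in this thread.

Added example; not the plugin's code. Assumptions (not stated on the page):
  - %{00000} = Summary, %{00001} = Description, %{00006} = Reporter username.
  - "in" and "~" are plain, case-sensitive substring tests.
  - All alerts and reporter names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Issue:
    reporter: str            # %{00006}
    summary: str             # %{00000}
    description: str = ""    # %{00001}


Rule = Callable[[Issue], bool]


def down_only(i: Issue) -> bool:
    """Comment 5, first variant:
    "DOWN" in %{00000} OR "State: DOWN" in %{00001} OR "CAIHIRT901 is DOWN" in %{00000}
    Blocks every issue without a DOWN, including SIEM alerts (the problem in comment 11)."""
    return ("DOWN" in i.summary
            or "State: DOWN" in i.description
            or "CAIHIRT901 is DOWN" in i.summary)


def down_unless_up(i: Issue) -> bool:
    """Comment 5, second variant: an UP anywhere in the Summary wins over a DOWN."""
    return (down_only(i)
            and "UP" not in i.summary
            and "CAIHIRT901 is UP" not in i.summary)


def reporter_implies_down(needle: str = "nagios") -> Rule:
    """Comment 12: %{00006} ~ needle IMPLIES %{00000} ~ "DOWN".
    A IMPLIES B is (NOT A) OR B, so the DOWN requirement applies only to issues
    whose reporter contains the needle; every other reporter passes unconditionally."""
    def rule(i: Issue) -> bool:
        return (needle not in i.reporter) or ("DOWN" in i.summary)
    return rule


def up_clauses_agree(summary: str) -> bool:
    """Comment 14: '"UP" not in S' already implies '"CAIHIRT901 is UP" not in S',
    because "UP" is a substring of "CAIHIRT901 is UP"; the second clause is redundant."""
    first = "UP" not in summary
    second = "CAIHIRT901 is UP" not in summary
    return (not first) or second   # first IMPLIES second


def created(alerts: List[Issue], rule: Rule) -> List[str]:
    """Summaries of the issues the Create Issue transition would let through."""
    return [a.summary for a in alerts if rule(a)]


# Constructed production-like sample: two reporters, as described in comment 20.
PROD_ALERTS = [
    Issue("koi.nagios", "PROBLEM Host Alert: AP1HIRT510 is DOWN"),
    Issue("koi.nagios", "RECOVERY Host Alert: AP1HIRT510 is UP"),
    Issue("koi.nagios", "PROBLEM Host Alert: CAIHIRT901 is DOWN", "State: DOWN"),
    Issue("koi.nagios", "Host Alert: CAIHIRT901 is DOWN, AP1HIRT510 is UP"),  # mixed mail
    Issue("koisoc", "Testing"),   # SIEM-style alert with neither keyword
]

# Constructed stage-like sample: one reporter sends Nagios-style and arbitrary subjects.
STAGE_ALERTS = [
    Issue("mts.koi.l1", "PROBLEM Host Alert: AP1HIRT510 is DOWN"),
    Issue("mts.koi.l1", "RECOVERY Host Alert: AP1HIRT510 is UP"),
    Issue("mts.koi.l1", "Testing"),
]

if __name__ == "__main__":
    for name, rule in [("down_only", down_only),
                       ("down_unless_up", down_unless_up),
                       ("nagios IMPLIES DOWN", reporter_implies_down("nagios"))]:
        print(f"{name:22s} prod  -> {created(PROD_ALERTS, rule)}")
    # Comment 15: matching the display name never hits the username, so nothing is blocked.
    print("display-name needle     stage ->",
          created(STAGE_ALERTS, reporter_implies_down("MTS Koi L1")))
    # Comment 18: with one shared reporter, the rule also blocks "Testing".
    print("mts.koi.l1 needle       stage ->",
          created(STAGE_ALERTS, reporter_implies_down("mts.koi.l1")))
```

Running the script against the stage sample reproduces both failures reported in the thread: a needle that does not occur in the username lets everything through, and a needle that matches the single shared reporter blocks every subject without DOWN. Against the production-like sample, the IMPLIES rule blocks only the Nagios UP alert and passes the SIEM reporter untouched.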

  22. Nikhil reporter

    Perfect!!

    But, as asked earlier:

    1) Can we auto-close/auto-resolve these issues with some specified Resolution immediately?
    2) Can we allow both UP and DOWN alerts to create Jira issues, but only UP alerts must be auto-closed with some specified resolution without any manual intervention, while DOWN alerts need manual attention?

    Can you tell me how, so that we can have an alternate plan for the requestors if they want both UP and DOWN issues to be created but UP issues must be auto-closed without any manual intervention.

    Nikhil

  23. Fidel Castro Armario repo owner

    Please, create a new issue for each question. This thread is getting too long and complicated.

    BTW, have you tested the validation in production environment? Did it behave as you expected?

  24. Nikhil reporter

    @Fidel Castro Armario ,

    hahaha yeah it's too long now. I have yet to test it and need to find a time when there is less impact on users, as we have a large flow of Jira issues and this must not trouble them.

    I will create a new ticket for the above questions.

    Thank you so so much for your time, Fidel. I will get back to you if I face any issues in Production. We have a few more requirements and will get back to you with new tickets asap. Hope you won't mind :)

    Nikhil

  25. Nikhil reporter

    One more question for existing requirement:

    Can we set a fixed resolution of "Service recovery" once the issue is created, and auto-close the created Jira ticket for a DOWN alert?
