skywalka/splunk-for-nagios

Migrate to macros

Opened this issue · 6 comments

I think it may be useful to migrate the searches in the XML to something powered by a couple of macros; that way, rather than updating the XML on install, we can have a setup screen that just updates the macro!

Very good idea @tfhartmann!!! Would you be willing to take a crack at this?

Sure! I'm happy to give it a go!

sweet, let me know if you have any questions or queries :)

I made some pretty good progress today. One thing I was thinking about was an option for users who have hostgroup and servicegroup lookups working with livestatus: use that data to create lookup tables for servers/network devices to populate the pulldowns. I know in my production version I just changed the search to filter more closely on name, but I already did this when I separated stuff out into hostgroups! That macro looks like this at the moment:

earliest=-24h index="nagios" nagiosevent="CURRENT HOST STATE" | rex ".+CURRENT HOST STATE: (?P<src_host>[^;]+)(?=;)" | lookup local=true nagios-hostgroupmembers host_name AS src_host | search hostgroup=$hostgroup$* | stats count by device | outputlookup $lookupfilename$

This search could then be run on some schedule populating local lookup tables to provide faster pulldowns!


I have been thinking more on this and wanted to know if you could append new hosts instead of overwriting the lookup table? This would be useful when you decommission a host in nagios but you still want to see it appear in the hostname list in Splunk to refer to historical data :)
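The two ideas in this thread (a parameterised macro replacing per-install XML edits, and a scheduled search that adds new hosts to the lookup without dropping decommissioned ones) as one added configuration example; this is not the app's own code, and the macro name, lookup file name and field names are assumed:

```ini
# macros.conf (constructed example; stanza and lookup names are assumed)
[nagios_index]
definition = index="nagios"

# Search macro with two arguments. Arguments are referenced as $name$ in the
# definition, so a setup screen only has to rewrite this stanza instead of
# every dashboard XML file. Called as `nagios_hostlist(linux, nagios_hosts.csv)`.
[nagios_hostlist(2)]
args = hostgroup, lookupfilename
definition = earliest=-24h `nagios_index` nagiosevent="CURRENT HOST STATE" \
| rex ".+CURRENT HOST STATE: (?P<src_host>[^;]+)(?=;)" \
| lookup local=true nagios-hostgroupmembers host_name AS src_host \
| search hostgroup=$hostgroup$* \
| stats count by src_host \
| inputlookup append=t $lookupfilename$ \
| dedup src_host \
| outputlookup $lookupfilename$
# inputlookup append=t merges the rows already in the CSV behind the fresh
# results; dedup keeps the first (fresh) row per host and retains hosts that
# no longer report, so decommissioned hosts stay in the pulldown.
# Caveat: inputlookup errors if the file does not exist yet, so seed the CSV
# once (any search ending in "| outputlookup nagios_hosts.csv") before the
# scheduled run is enabled.

# savedsearches.conf: run hourly so the pulldown reads a local CSV instead
# of scanning 24h of events on every page load.
[Populate nagios host lookup]
search = `nagios_hostlist(linux, nagios_hosts.csv)`
enableSched = 1
cron_schedule = 0 * * * *

# The dashboard input then populates from the lookup:
#   | inputlookup nagios_hosts.csv | fields src_host | sort src_host
```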

👍

I like that idea!