3 Replies Latest reply on Nov 2, 2012 2:47 PM by Carlos Slone

    Time frame in execution rule

      Share This:

      Hi,

       

      I use an execute rule to send out emails when an event opens and closes.

      I have a policy configured to change the status of events to blackout during a define period.

      I was able to write the code so that no events are emailed when the status of the event is Blackout, but when that event gets closed, during the blackout period, an email gets sent out. I'm trying to find a way to stop it.

      And I would also like to be able to send the events that are reopenned after the blackout period is over.

      I know there's a time frame function, but I can't figure out how to write the code to make it work.

       

      Anyone able to help me out?  Thanks.

       

      Here's the rule I have right now:

       

       

       

      execute send_email_Pnet: EVENT ($AMP)
      when $AMP.severity: != UNKNOWN
      {
        if ($AMP.status != BLACKOUT) then
        {
      if ($AMP.IA_incident_config != "") then
      {  
        if ($AMP.IA_host == "zeke") then
        {
         execute($AMP, "ticketing_zeke", [], YES);
        }
        else
        {
         execute($AMP, "ticketing", [], YES);
         execute($AMP,  $AMP.IA_email_script, [], YES);
        };

      else
      {
        execute($AMP,  $AMP.IA_email_script, [], YES);
      };
        };
      }

      when $AMP.status: equals CLOSED
      {
      if ($AMP.IA_class != "windows event") then
      {
        execute($AMP, $AMP.IA_email_script, [], YES);
      };
      }
      END

        • 1. Re: Time frame in execution rule

          What I see happening is that the rule triggers when the status changes to CLOSED (regardless of what its previous status was).

           

          It may help to include the status != BLACKOUT condition in the rule's original ECF statement; that way, the when statement doesn't actually trigger for events that were in a BLACKOUT status before.

           

          execute send_email_Pnet: EVENT ($AMP)

          where [ $AMP.status != BLACKOUT ]

          when ...

           

           

           

          Carlos

          • 2. Re: Time frame in execution rule

            Thanks Carlos, I'll try that.

             

            Is it possible to add more than 1 condition in a when?

            Like this:    where $AMP.status != BLACKOUT AND $AMP.severity != INFO

             

            Thanks,

            Philip

            • 3. Re: Time frame in execution rule

              Although I have never used multiple criteria for a when statement, I took a peek at the KB reference guide, and it looks like it may be possible.

               

              This is an example I saw there:

               

              execute Exec1: EVENT($E) where ...

              using { NOTIFY_RULE($N) where [$N.object_class == $E.mc_object_class] }

              when($N.trigger_slot,$N.trigger_op,$N.trigger_expr)

              {

              ...

              }

               

               

              On the other hand, if you don't want the rule to apply to any INFO events, I would just include the status != INFO clause in the WHERE statement at the top rather than the WHEN statement.

               

               

              Carlos.