Item PreProcessing RegEx

  • vexter0944
    Junior Member
    • Jan 2020
    • 16

    #1

    Item PreProcessing RegEx

    New to Zabbix but picking up steam quickly. Here's the question:

    I'm monitoring a Windows Event Log and it's coming in fine, but I only need 3 pieces of info from it and want to create 'fields' with those pieces of information by extracting them from the log with a regex so that they can be shown in a table in Grafana later.

    So the log looks like this:

    This log comes from this item in the template: eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,,,21|22,,skip]

    Remote Desktop Services: Shell start notification received:



    User: DOMAIN\username

    Session ID: 81

    Source Network Address: 123.123.123.123

    The info in bold are the pieces I want to extract using item preprocessing with a regex - I have the regex's written and working in regex101.



    Using the info from the event above I posted - here's how it looks when I test:


    When I put 1 regex like this I get the expected data back as DOMAIN\username:

    [Screenshot: 1_Regex.png]

    [Screenshot: Domain_UserName_Returned.png]



    When I put 1 regex like this I get the expected data back as 123.123.123.123:

    [Screenshot: 1_Regex_IP.png]

    [Screenshot: IP_Returned.png]

    But when I put them together - the 2nd one ALWAYS fails. What I 'think' is happening is that the regex extracts the first value and attempts to extract the next regex from step 1 instead of the event in the event log. Which is not how I'd expect it to work. See screenshots:
    [Screenshot: 2_regex.png]


  • vexter0944
    Junior Member
    • Jan 2020
    • 16

    #2
    [Screenshot: Regex_test_all.png]

    Can anyone explain to me if I'm doing something wrong or misunderstanding preprocessing? I'd expect to get the Username and Password extracted as part of the event and then be able to work with those 2 fields in Grafana for the event is my end game.

    Thanks in advance for any help offered!!


    • Markku
      Senior Member
      Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
      • Sep 2018
      • 1782

      #3
      Hi, so we are talking about configuring an item here. That's just that, *an* item, you cannot store two pieces of data in one item.

      Maybe use one item for the full data and then use two dependent items to parse the required fields from the master item. That's how I parse a complex MariaDB status output: one item grabs the data, and several dependent items parse that data one status item each.

      The dependent items are evaluated every time the master item changes.



      Markku
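
Added example (not part of the original posts, and not Zabbix code): a small Python model of why two chained regex preprocessing steps fail while a master item with dependent items works. The regex patterns and the dependent item keys `rdp.logon.user` and `rdp.logon.src_ip` are assumptions, since the thread's own patterns were only in screenshots; the event text is a constructed sample based on the first post.

```python
import re

# Constructed sample of the event text from the first post (not a real log).
EVENT = (
    "Remote Desktop Services: Shell start notification received:\n\n"
    "User: DOMAIN\\username\n"
    "Session ID: 81\n"
    "Source Network Address: 123.123.123.123\n"
)

# Assumed patterns; the thread's own regexes are not shown on the page.
USER_RE = r"User: (\S+)"
IP_RE = r"Source Network Address: (\d{1,3}(?:\.\d{1,3}){3})"


def regex_step(value, pattern, output=r"\1"):
    """Model of one 'Regular expression' preprocessing step: match
    `pattern` in `value` and return `output` with groups expanded.
    A non-match fails the step (modelled here as ValueError)."""
    m = re.search(pattern, value)
    if m is None:
        raise ValueError(f"pattern {pattern!r} did not match {value!r}")
    return m.expand(output)


def run_pipeline(value, steps):
    """Steps run in order; each step receives the previous step's output."""
    for pattern in steps:
        value = regex_step(value, pattern)
    return value


def dependent_items(master_value, items):
    """Each dependent item runs its own pipeline on the master item's value."""
    return {key: run_pipeline(master_value, steps) for key, steps in items.items()}


if __name__ == "__main__":
    try:
        # Step 2 sees only "DOMAIN\username", so the IP pattern cannot match.
        run_pipeline(EVENT, [USER_RE, IP_RE])
    except ValueError as exc:
        print("chained steps fail:", exc)
    # Hypothetical dependent item keys; item keys must be unique per host.
    print(dependent_items(EVENT, {
        "rdp.logon.user": [USER_RE],
        "rdp.logon.src_ip": [IP_RE],
    }))
```
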


      • vexter0944
        Junior Member
        • Jan 2020
        • 16

        #4
        Thanks - I thought about that angle - and ran down that path of the dependent item but couldn't get the dependent item to work (and I did work through the docs) - but when I went to add the dependent item and the key for it - I had duplicate keys and it wouldn't add the dependent item as a result.

        So I was thinking of dependent item use for this like this (and let me know if I had it wrong..)
        Master item would pull the whole event log entry for the Remote Desktop Service -
        eventlog[Microsoft-Windows-TerminalServices-LocalSessionManager/Operational,,,,21|22,,skip]

        Then setup a dependent item with the regex with the above event as the master. But when I did that it didn't work because of a duplicate key - I set it up with a similar key or something along those lines. Sorry if I'm foggy on what I tried as I've been working on this for a couple of days and trying several things.

        I'll try this idea again and see where I went wrong - but at least I've been validated that I was on the right track, I just stopped too early - lol!

        Please keep the ideas coming - I sure do appreciate the help and input!


        • vexter0944
          Junior Member
          • Jan 2020
          • 16

          #5
          OK - I have the dependent item working - now to get it to show up in Grafana - doesn't seem to show in the item list to pull from - only the master item shows, not the dependent - anyone seen or dealt with this aspect?


          • vexter0944
            Junior Member
            • Jan 2020
            • 16

            #6
            Posted too quick - refreshed the zabbix plugin in Grafana or waited long enough and the item now shows. Yay!

            Thanks for putting me on a track - it's MUCH appreciated!


            • vexter0944
              Junior Member
              • Jan 2020
              • 16

              #7
              As a side note - it looks like when adding dependent items you have to refresh the data connector in Grafana for Zabbix by doing a save and test and the item will show up. This was at least how it worked for me in case anyone else runs into this.
