String processing method use cases for extracting text from an integration payload

Opsgenie has String Processing Methods available for pulling specific text out of an integration payload. This article will show two string processing method use cases for extracting text from two different integration types. 

 

Email Integration

If a monitoring tool can send both alarm and recovery emails, Opsgenie can automatically close the alerts with some extra setup. This is mostly a two step process:

1. Decide on CREATE and CLOSE keywords in the email. This is most often either a flat UP/DOWN status or a severity like CRITICAL/WARNING/OK.
   
   a. In this example my printer send an email when it’s out of paper - here’s the message body:

   <Status Notification >
   
   The device status is [No Paper]
    
   
   
   <Node Information>
   
   Name: office_printer
   
   Model Name: Brother HL-L2380DW series
   
   Location: Home Office
   
   Contact: admin@home.farm
   
   IP Address: 12.3.100.38
   
   Device serial number: U63886451427
   
   URL: http://12.3.100.38
   
   Page Count: 353
   
   Drum Count: 353

   The <Status Notification> is always at the top of the email, making it a good keyword for the create alert action in the email integration. For this example in the create alert action, we add a filter where Message Starts With '<Status Notification >':
   
   

   b. Once the printer has paper again, it sends a similar email except the <Status Notification> is replaced by <Restoration Notification>:

   <Restoration Notification >
   
   The [No Paper] problem was resolved 
   
   
   <Node Information>
    
   Name: office_printer 
   
   Model Name: Brother HL-L2380DW series 
   
   Location: Home Office 
   
   Contact: admin@home.farm 
   
   IP Address: 12.3.100.38 
   
   Device serial number: U63886H7N451427 
   
   URL: http://12.3.100.38 
   
   Page Count: 353 
   
   Drum Count: 353
   

   
   Using the <Restoration Notification> in this example for the email integration close alert action will work well. In the close alert action, we add a filter where Message Starts With '<Restoration Notification >':
   
   
   
2. Set the integration’s alias field so that Opsgenie can find the matching open alert when a recovery message is received. Without this step, Opsgenie would see <Restoration Notification> and attempt to close an alert, but it won’t know which alert to close.
   
   a. Usually fields like hostname, IP address, service name, or a combination work well for the alias. We’ll use string processing to make one for my printer:
   
   i. Hostname: This is a good place to start since it makes the alert unique to each printer. That is, if multiple printers are out of paper at the same time they will each create their own alert.

Name: office_printer

substringAfter() works well here since it’s all on one line:

{{message.substringAfter("Name: ")}}

We can also get the same result with extract():

{{message.extract(/Name: (\S+)/)}}

ii. Service Name: Combining this with the hostname ensures I can still get alerts for other types of issues with the same printer.

The device status is [No Paper]

Here 'No Paper' is what we want to extract - but really we want whatever is in between those brackets:

{{message.substringBetween("[","]")}}

Again, we can get the same result with extract() too:

{{message.extract(/\[([\S ]+)\]/)}}

 

Combining hostname and service name in the alias field should leave you with something like this: 

{{message.substringBetween("[","]")}}_{{message.extract(/Name: (\S+)/)}}
            ^service name^                                               ^hostname^

Remember to change the alias for the create AND close alert actions of the integration! 

After setting up the alert’s action filters and alias I don’t have to bother going into Opsgenie to manually close the alert after putting more paper in the printer - Opsgenie can take care of that for me. More importantly, it keeps the alert dashboard clean and manageable without any extra effort by a user.

Applying this idea to every integration possible is an important part of getting value out of a tool like Opsgenie.

 

 

 

---

Amazon Incoming SNS Integration

This payload is from an Incoming SNS integration. The most important information is usually in the Message field, which is sent to Opsgenie as escaped JSON - meaning Opsgenie just treats the whole thing as a massive blob of text:

{
"Type": "Notification",
"MessageId": "1d8a9ec9-5536-594e-bbbb-cbb85b720e50",
"TopicArn": "arn:aws:sns:us-east-1:1234567890:cloudwatch_alarm_sns",
"Subject": "OK: \"lambda_invocation_total\" in US East (N. Virginia)",
"Message": "{\"AlarmName\":\"lambda_invocation_total\",\"AlarmDescription\":null,\"AWSAccountId\":\"1234567890\",\"NewStateValue\":\"OK\",\"NewStateReason\":\"Threshold Crossed: 1 datapoint [1.0 (05/06/19 00:20:00)] was not greater than or equal to the threshold (2.0).\",\"StateChangeTime\":\"2019-06-05T00:25:40.667+0000\",\"Region\":\"US East (N. Virginia)\",\"OldStateValue\":\"INSUFFICIENT_DATA\",\"Trigger\":{\"MetricName\":\"Invocations\",\"Namespace\":\"AWS/Lambda\",\"StatisticType\":\"Statistic\",\"Statistic\":\"AVERAGE\",\"Unit\":null,\"Dimensions\":[],\"Period\":300,\"EvaluationPeriods\":1,\"ComparisonOperator\":\"GreaterThanOrEqualToThreshold\",\"Threshold\":2.0,\"TreatMissingData\":\"- TreatMissingData: notBreaching\",\"EvaluateLowSampleCountPercentile\":\"\"}}",
"Timestamp": "2019-06-05T00:25:40.723Z",
"SignatureVersion": "1",
"Signature": "RKIlc+yaxHTR55cFqB/4+FDjtQB53qVbtWjiuaGxMJ6XWEk5eNtIdcPUmmbghHwvlKhZ6y9Y19qOmdHVuILE4nW7Zr3R1TO12Sy3iQM4KVjMAU6cPkORPyp3J2Q0XHaz0ayinN+6RBaXCV9OcQn/cTg/rwsrny+itsJHJ7t4VGfnUyAxmL7XNnl9jFszSLa21JTcxL/TLbS09hb0gy1gB4ROU7EJR/YPqCHAJxAjDDyIxHKfKheMozQ12E0E6q4oiWtVXLhj9rLRso9FzBwtjGheBxIgfviKCwWiGxZ13A+azYJDDYXgwfEVT7scwEc69NrsAkc/9Mv6sqAz9sgf0g==",
"SigningCertURL": "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-f.pem",dasdf
"UnsubscribeURL": "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:1234567890:cloudwatch_alarm_sns:4f2c8e78-f5c1-4cf4-95d8-1238e2b42038"
}

Let's try extracting 'MetricName':

A quick look at Message shows MetricName is buried pretty deep. Since there’s text on both sides of it, we’ll have to use substringBetween("before", "after"):

"...\"Trigger\":{\"MetricName\":\"Invocations\",\"Namespace\":..

 

Using MetricName should be a good reference for the “before” value, but what about the “after” or the quotes/slashes between them? Since the quotes and slashes are processed as strings and will always be there, just include them in the substringBefore() statement.

{{Message.substringBetween("MetricName\":\"", "\"")}}

 

That will let us extract MetricName each time SNS sends us data, no matter what the value is. This time it’s 'Invocations', but if the next alarm is for ApproximateNumberOfMessagesVisible it'll be able to extract that value instead without making any changes.

 

 

In order to ensure that we continue to provide useful content, please let us know if this Article is helpful (Thumbs Up/Down). Also, to help us improve, feel free to provide additional feedback (directly in the community).