Moogsoft Docs

Try It Yourself: Parse Hostnames

In this lab, you will:

  • Use regular expressions in a Workflow Engine function to match patterns in hostnames and extract information.

  • Construct a workflow to get location information for events from the 'source' field and enter it into the 'agent_location' field.

Examine the Data

Load sample data into your lab instance and decide how you want to process it.

  1. Clean up the data from the previous lab by closing any open alerts and all but one Situation.

  2. If there is no open Situation, generate one manually. (See the Mini Lab for instructions on how to do this.)

  3. Go to the Collaborate tab of your Situation’s Situation Room. Type @moog get_lab_events Hostname into the comment box to bring in the data for this lab.

  4. Confirm the data doesn’t have values in the 'Agent Host' column. From the Open Alerts list, go to the View menu in the upper right and select 'Agent Host'. (Agent Host is the UI column title for the Moogsoft AIOps 'agent_location' event field.) Scroll right to look at the column and you’ll see that there are no entries.

  5. Inspect the Host column. Here you’ll see the hostnames for the computers that are being monitored by your hardware monitoring system. (Host is the UI column title for the Moogsoft AIOps 'source' event field.)

  6. Notice the pattern for the hostnames. Each hostname has four alphanumeric segments separated by hyphens. The location of each computer, either Seattle or San Jose, is encoded in the third segment. You decide you want to extract that information so you can use it for sorting and filtering alerts and Situations. You could generate a custom_info field, but since the 'agent_location' field is empty you decide, for simplicity’s sake, to use it to store location.

Define a Workflow

Define a workflow to extract location from the hostnames.

  1. Go to Settings>Automation>Workflow Engine>Event Workflows and choose 'Add Workflow'. On the left there is a column where you will add actions which will process events sequentially, and on the right you’ll see the workflow definition pane.

  2. Leave the default first action, a delay of 0 seconds, as is. Leave the workflow status slider in the upper right set to 'Active.'

  3. Name your workflow 'Get Location from Hostname'.

  4. In the description text box, enter 'Parse the 'source' field and copy location to 'agent_location''.

  5. You can use the entry filter to define criteria for the events your workflow will process. You want to extract the location from all the events in your hardware monitoring data, so you don’t actually need to use a filter right now. However, if you add another input later, its source field might not have the same format. You can clarify your intent and avoid future problems by defining a filter based on data source now. Click on 'Edit' and 'Add Clause'.

  6. Use the dropdown and text boxes to define the filter ''manager' = 'HWMON'' so that your workflow only processes events from your hardware monitoring system. Click 'Apply' and then 'Done'.

Add Workflow Actions

  1. Click on your event workflow and then 'Edit'. Choose 'Add Action' in the upper left.

  2. Name your action 'Parse Hostname to Extract Location'.

  3. In the function dropdown box, choose 'searchAndReplace'. Examine the arguments. The search and replace function is powerful, but its arguments are complex. You need to know the name of the Moogosft AIOps event field you want to search. You need to define the text you want to search for using regular expression syntax, and you need to describe how to replace it using JSON (Javascript Object Notation).

  4. Under 'field' you need to enter the name of the field you want to search. Enter the field name for the Host column, which is 'source'.

  5. Next, you need to enter the pattern that you are looking for. The 'expression' text box expects a string in Javascript regular expression syntax. The regular expression '(\w+)-(\w+)-(\w+)-(\w+)' matches the hostname format:

    • If you enclose parts of a regular expression in parentheses, you can later extract those parts, or subgroups, based on their numerical order.

      You can match any "word" character, ie a letter, digit, or underscore, with '\w'.

    • Adding a '+' sign tells the regular expression interpreter to look for one or more characters of the preceding type, in this case "word" characters.

    • In Moogsoft AIOps, regular expressions are case-insensitive.

    • The hyphen character '-' matches itself.

    Enter the regular expression '(\w+)-(\w+)-(\w+)-(\w+)' without the quotes in the 'expression' text box.

  6. The third argument to the search and replace function is a JSON-formatted map which tells the Workflow Engine what field to replace (the key) and what text to replace it with (the value).

    • You want to extract the text for the third subgroup of the regular expression (the value) and put it in the 'agent_location' field (the key).

    • The syntax for the third subgroup is '$extract.3'.

    • You can have multiple key-value pairs separated by commas, though in this case you only have one field name and expression to map.

    • For valid JSON syntax, put curly braces around the entire argument, double quotes around the key and value strings, and a colon between them.

    Hence you can express your JSON key-value map as '{"agent_location":"$extract.3"}'. Enter this in the 'map' text box.

  7. You want all of the workflow events to keep processing after your action, so keep the forwarding behavior set to the default, 'Always Forward'.

  8. Save your workflow.

Test Your Workflow

Test your workflow by resending the event data.

  1. Reset your lab instance by closing the open alerts and all but one Situation.

  2. From the comment box on the Collaborate tab of your remaining Situation, resend the event data using the @moog get_lab_events Hostname ChatOps command.

  3. From the Open Alerts View menu, choose the Agent Host column. Verify that the location information from the Host column has been extracted and copied successfully.