Tuesday 28 April 2015

Splunk searchTemplate / postProcess How To Use Multiple Time Ranges in one form/dashboard

I used this code recently in a Splunk dashboard where I needed multiple time ranges from one searchTemplate search. You can use this code in a searchPostProcess element to change the time range (in this case to 'yesterday').


eval ADayAgo=now()-86400 | eval yesterdayText=strftime(ADayAgo,"%Y-%m-%d") | eval yesterdayTextEnd=yesterdayText. " 23:59:59" | eval endEpoc=strptime(yesterdayTextEnd,"%Y-%m-%d %H:%M:%S") | where _time >endEpoc-86400 and _time <=endEpoc

Monday 27 April 2015

How to fix issue pasting text with comment # into linux causes subsequent lines of text to get double commented.

From time to time I paste text into scripts and config files in vi/vim on Linux, and doing so corrupts the text: once there is a comment character #, every subsequent line gets commented.

If you are color coding you also find all the text after the first comment goes the comment color (say blue on black.)

I'm not a fanatical unix guy so for a long time I worked around this and found it quite infuriating. Here is how to avoid this when it comes up.

To solve this problem do:

  • Before entering insert mode, run :set paste.
  • After you leave insert mode, run :set nopaste.

Thursday 3 April 2014

SCOM Script Monitor Numeric Expressions Default To String

Here's a straightforward explanation of something that took me a long time to figure out. I found lots of posts but none that explain this straight up... (also I'm sure I knew this 5 years ago when I was doing heaps of SCOM stuff but had since forgotten!)

If you make a SCOM scripted state monitor using say a vbscript and you want to check the result of a numeric value (say an integer), by default it does a string comparison not a numeric one.

Regardless of the variant type your script produces (note variant types listed here: http://www.culham.net/2012/scom/property-bags-and-variant-types ) the authoring GUIs create a STRING type compare. This is because there is no datatype field on the SCOM editing screen (unlike, say, CA Spectrum event configuration, where every value has to be typed explicitly).

For example, say I return this with my MOM.ScriptAPI: AddValue("diffThresholdMinusRun",iServiceCountThreshold-good)

This results in something like:
<DataItem type="System.PropertyBagData" time="2014-04-04T12:09:26.8984174+13:00" sourceHealthServiceId="2B60ADC4-15C5-0FE3-7FF8-1"></Property><Property Name="diffThresholdMinusRun" VariantType="2">-1</Property>...

Now I create an unhealthy expression in SCOM for >0 critical and <=0 OK. Unfortunately the comparisons default to STRING, so they don't work properly. Any negative value is evaluated as unhealthy (because - is > 0 in string compare). For example:

       <ErrorExpression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">Property[@Name='diffThresholdMinusRun']</XPathQuery>
              </ValueExpression>
              <Operator>Greater</Operator>
              <ValueExpression>
                <Value Type="String">0</Value>
              </ValueExpression>
            </SimpleExpression>
          </ErrorExpression>

The only way to fix this is to edit the management pack xml (in the 'edit' screen in authoring console or in xml editor) so that it has a valid numeric type (say Integer).

 <ErrorExpression>
    <SimpleExpression>
      <ValueExpression>
        <XPathQuery Type="Integer">Property[@Name='diffThresholdMinusRun']</XPathQuery>
      </ValueExpression>
      <Operator>Greater</Operator>
      <ValueExpression>
        <Value Type="Integer">0</Value>
      </ValueExpression>
    </SimpleExpression>
  </ErrorExpression>
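To find every place in an exported management pack where the GUI left a numeric threshold typed as String, a small lint helps. This is an added example, not code from the original post; the function names and the `<Configuration>` wrapper around the sample are assumptions, and it assumes the expression elements carry no XML namespace.

```python
import re
import xml.etree.ElementTree as ET

ORDERING = {"Greater", "Less", "GreaterEqual", "LessEqual"}
NUMERIC = re.compile(r"^\s*[-+]?\d+(\.\d+)?\s*$")

# Constructed sample: the String-typed expression from the post in a wrapper element.
SAMPLE = """<Configuration>
  <ErrorExpression>
    <SimpleExpression>
      <ValueExpression>
        <XPathQuery Type="String">Property[@Name='diffThresholdMinusRun']</XPathQuery>
      </ValueExpression>
      <Operator>Greater</Operator>
      <ValueExpression>
        <Value Type="String">0</Value>
      </ValueExpression>
    </SimpleExpression>
  </ErrorExpression>
</Configuration>"""

def _flagged(root):
    """Yield (query, operator, value) for ordering compares typed String on both sides."""
    for expr in root.iter("SimpleExpression"):
        op = (expr.findtext("Operator") or "").strip()
        query = expr.find("ValueExpression/XPathQuery")
        value = expr.find("ValueExpression/Value")
        if op not in ORDERING or query is None or value is None:
            continue
        if query.get("Type") == value.get("Type") == "String" \
                and NUMERIC.match(value.text or ""):
            yield query, op, value

def find_string_numeric_compares(xml_text):
    """Return (xpath, operator, literal) tuples that need a numeric Type."""
    return [((q.text or "").strip(), op, v.text.strip())
            for q, op, v in _flagged(ET.fromstring(xml_text))]

def fix_types(xml_text, new_type="Integer"):
    """Return the XML with flagged expressions retyped on both sides."""
    root = ET.fromstring(xml_text)
    for q, _op, v in _flagged(root):
        q.set("Type", new_type)
        v.set("Type", new_type)
    return ET.tostring(root, encoding="unicode")
```

Review the findings before applying `fix_types`, since a property that really is text should stay String.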

Wednesday 19 March 2014

SCOM Query to Show All Tasks Defined By Management Pack and Target Class

We've been looking at making better use of the built-in tasks in SCOM recently. One of the biggest issues is that there are lots of tasks there but users don't realise they even exist, because unless they select an object of the correct target class the pre-defined tasks are effectively invisible.

A common example is users selecting a windows computer object (which has one set of tasks) when, if they selected a windows server operating system class object (in, say, the windows server MP view), they would get a totally different set of possible tasks.

So I wrote this SQL query to dump out a list of all the tasks defined in your SCOM operations database (not the datawarehouse DB!).

Armed with this list you can easily find out what tasks exist and what target class you need to select to be able to execute them. Then using 'discovered inventory' you can specifically target a class of object to get the tasks you want (even if you don't know a canned view that targets objects of that type.)

SELECT     dbo.TaskView.Id, dbo.TaskView.Name, dbo.TaskView.DisplayName, dbo.TaskView.Description, dbo.TaskView.Category,
                      dbo.ManagedType.TypeName AS TargetClassName, dbo.TaskView.Enabled, dbo.TaskView.Timeout, dbo.TaskView.TimeAdded,
                      dbo.ManagementPack.MPName, dbo.ManagementPack.MPFriendlyName AS MPFriendlyName
FROM         dbo.TaskView LEFT OUTER JOIN
                      dbo.ManagementPack ON dbo.TaskView.ManagementPackId = dbo.ManagementPack.ManagementPackId LEFT OUTER JOIN
                      dbo.ManagedType ON dbo.TaskView.TargetMonitoringClassId = dbo.ManagedType.ManagedTypeId
ORDER BY dbo.TaskView.DisplayName

Thursday 13 March 2014

SCOM run as profile SSID in hex

It took me a long time to find this post about how to convert a hex SSID value in a SCOM event to something where I could figure out what user was causing the problem.

Reposting here so I can find it again next time!

http://social.technet.microsoft.com/Forums/systemcenter/en-US/0b9bd679-a712-435e-9a27-8b3041cddac8/how-to-find-the-runasaccount-from-the-ssid?forum=operationsmanagergeneral


Tuesday 14 January 2014

Spooky Number Times Table Game Released on Android Play Store

I launched my first Android app this month, which I created with Corona SDK. It's an educational times table game called Spooky Numbers Times Tables and can be found on the Android store.

Spooky Numbers On Google Play

The game is free and a great way for kids of all ages to build their times table skills.

It also has a level editor so kids can make their own level to play in the game!

Sunday 17 November 2013

CA Spectrum Southbound Gateway - setting up a custom trap

I use SBGW quite a lot. There are two flavours of host we use:
 1) where it's not modelled in Spectrum, we use an EventAdmin model, as you already know
 2) if it already exists as a SystemEDGE agent, you have to do some special stuff.

Here is what I do if, say, I already have a unix SystemEDGE agent for the same IP the trap will come from.
 a) Create an EventAdmin with a dummy IP address that will never exist in your network (10.1.2.3 or whatever); say we call this APPX. Note down its model handle.

 b) Change the EventModelContainerHandle attribute on the SystemEDGE model to the model handle of the APPX.
Now when you get an SBGW event it will generate against the EA model, but the other events will still generate against the original SystemEDGE model. If that is still not happening you have to make sure you have set up your events in a very specific way.
 
Here is my tried and tested method for all the files to update and what to put in them. (Note it's not quite what you see in the manual about making a package etc.; it's a shortcut way!)

Usually you need to do an alert map for traps using special numbers as per the 'template' mentioned in the Southbound Gateway guide. So this means editing the alertmap file that you usually get from importing a MIB.

You need to mess about with it, changing some of the trap fields to varbind numbers around 1-17 to map to the 'template' in the manual. These identify special values in the trap that match to name, IP etc. The rest you renumber to be >100 (that is the answer to the mystery of why some traps, like the SystemEDGE log watcher ones, have varbinds >100!). So I usually find a few I want to map to the template (for example what will be the event model name) and then prefix all the others with 1xx, so 1 might be 101, 2 would be 102 etc.

I usually put all my new traps in this file: /custom/Events/AlertMap (yes, if you imported a MIB you need to hunt them down in custom/Alertmap and comment out the old versions that don't have SBGW template varbinds)

The SBGW-specific traps I would also put in this file:
/SS/CsVendor/gen_app_gw/EventAdmin/AlertMap
 
Then, to make sure the changes persist past upgrades, copy to a custom file like this:
/SS/CsVendor/gen_app_gw/EventAdmin/AM_components/MYEXAMPLE.aml
 
Each time you upgrade Spectrum the cus script will cat all the aml files together to make /SS/CsVendor/gen_app_gw/EventAdmin/AlertMap
 
Here is an example of an alertmap for SBGW for Oracle Enterprise Manager, which has a trap we wanted to use SBGW for. It has 90+ varbinds but #21 has the device name we want to use for each event model.
So after importing the OEM MIB you will have them all as #1-90something, not 101, 102 etc.
# oraEMNGEvent oraEMNGEventIndex
1.3.6.1.4.1.111.15.2.0.3 0xfff05100
1.3.6.1.4.1.111.15.3.1.1.1(101,0)\
# oraEMNGEventNotifType
1.3.6.1.4.1.111.15.3.1.1.2(102,0)\
...
# oraEMNGEventTargetName
1.3.6.1.4.1.111.15.3.1.1.21(1,0)\
...
See, this row has (1,0), not (121,0), which means this varbind will be the NAME of all those lovely eventModels that will get created in the EA container. All the 100+ ones are just varbinds I will use in the event.
 
This also means you have to edit any event rules you made off the MIB so the 100+ etc. map to what the varbinds were before. For traps like this with 90something varbinds that can mean a lot of time in Notepad++ or Excel... so I would suggest getting your SBGW template sorted first before you spend hours making event policies, or all the event varbinds will have to be edited again.
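The renumbering described above can be scripted instead of done by hand. This is an added example, not part of the original post: the function names are hypothetical, the sample entry is constructed from the OIDs and event code shown above, and it assumes the imported entry uses the `OID(id,flag)` form and that rules reference varbinds as `{v N}`.

```python
import re

VARBIND = re.compile(r"(?P<oid>\d+(?:\.\d+)+)\((?P<id>\d+),(?P<flag>\d+)\)")
RULE_VAR = re.compile(r"\{v (\d+)\}")

# Constructed sample: an entry as it might look straight after the MIB import,
# cut down to four varbinds.
IMPORTED = r"""1.3.6.1.4.1.111.15.2.0.3 0xfff05100 1.3.6.1.4.1.111.15.3.1.1.1(1,0)\
1.3.6.1.4.1.111.15.3.1.1.2(2,0)\
1.3.6.1.4.1.111.15.3.1.1.5(5,0)\
1.3.6.1.4.1.111.15.3.1.1.21(21,0)"""

def renumber_alertmap(text, template):
    """Renumber varbind ids in a freshly imported AlertMap entry.

    template maps an imported id to the SBGW template id it should become,
    e.g. {21: 1} to make varbind 21 the event model name. Every other
    varbind becomes 100 + its imported id. Returns (new_text, old_to_new).
    """
    bad = [t for t in template.values() if t >= 100]
    if bad:
        raise ValueError(f"template ids must stay below 100: {bad}")
    mapping = {}

    def swap(m):
        old = int(m["id"])
        mapping[old] = template.get(old, 100 + old)
        return f"{m['oid']}({mapping[old]},{m['flag']})"

    return VARBIND.sub(swap, text), mapping

def renumber_rule(rule, mapping):
    """Rewrite {v N} references in an event rule to the renumbered ids."""
    def swap(m):
        old = int(m[1])
        return "{v %d}" % mapping.get(old, old)
    return RULE_VAR.sub(swap, rule)

if __name__ == "__main__":
    new_text, old_to_new = renumber_alertmap(IMPORTED, {21: 1})
    print(new_text)
    print(renumber_rule('({v 5} == {S \\"Critical\\"})', old_to_new))
```

Run it once on entries fresh from the import; running it again on already renumbered ids would shift them a second time.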
 
Now we update the eventdisp files.
 
1) EventModel eventdisp
/SS/CsVendor/gen_app_gw/EventDisp 
The events in this file are your full events, just like the normal disp,
e.g. (once again note the 10x for varbinds)
0xfff05100 E 0 R { 11,21 } CA.EventCondition, "({v 105} == {S \"Critical\"})" , "0xfff05103 -:-","({v 105} == {S \"Warning\"})" , "0xfff05102 -:-","({v 105} == {S \"Fatal\"})" , "0xfff05104 -:-","default" , "0xfff05105 -:-"
0xfff05102 E 0 A 2, 0xfff05102,11,21 
0xfff05103 E 0 A 3, 0xfff05103,11,21 ...etc 
 
You also need to make sure they are on the end of an EVD file you make for your integration here:
 /SS/CsVendor/gen_app_gw/EventAdmin/components/MYEXAMPLE.evd
If you don't, next time you upgrade Spectrum your changes will get wiped when the cus script runs.
MAKE EXACTLY THE SAME CHANGES TO THE GENERIC EVENT DISP FILE
/custom/Events/EventDisp
*** A WARNING HERE *** DON'T TRY TO EDIT THESE EVENTS IN THE GUI OR THEY WILL GET MESSED UP AND MAKE FILES FURTHER DOWN THE TREE OF /custom/events/ that will mess things up.
You should **only ever** have SBGW events in /custom in /custom/Events/EventDisp
 
Next, the EventAdmin EventDisp files.
Put pointers to your SBGW events in these files:
SS/CsVendor/gen_app_gw/EventAdmin/EventDisp 
/SS/CsVendor/gen_app_gw/EventAdmin/components/MYEXAMPLEEA.evd 
(this file is just to keep it permanent past the next .cus script) 
These events should just be pointers, e.g.
# Oracle OEM 
0xfff05100 
0xfff05102 
0xfff05103 
*** PAY CAREFUL ATTENTION HERE PEOPLE *** If your model is SBGW enabled as per #2 at the start of this post above, you also need to edit its EventDisp file for SystemEDGE. This is:
 /SS/CsVendor/Ctron_Gen_HOST/Host_systemEDGE/EventDisp 
Put the same pointers you put in the file above, e.g.
# Oracle OEM 
0xfff05100 
0xfff05102 
Bear in mind that every time you upgrade Spectrum from now on this file might get wiped by CA, so you always have to manage it carefully!! There are no evd/aml files that I found to preserve your changes to this file across upgrades.
 
Now, later on you can edit the pcause and eventformat files in the GUI, but don't add/remove any SBGW related events except by editing all the files above and reloading Spectrum.