Transmogrifier: Matching Conditions

Requirements

Versions Supported: Enterprise

VictorOps Version Required: N/A SaaS

The matching condition will determine when this rule should be applied. You can choose any field that exists within the payload of an alert and match on a specific value for that field using a direct match, wildcard matching, or by using a regular expression.

By default, the Transmogrifier is only enabled for wildcard matching. If you would like to enable the advanced configuration for use with RegEx, please contact support at victorops-support@splunk.com.

When viewing an incident in the timeline, field names are on the left and values are on the right:

In the above example, the field of interest is the entity_id field and the value that matters is the phrase “This is a test”. The matching condition, therefore, is the following (wildcard matching used in this example, hence the “*” asterisks).


Wildcard Matching

Rules can match on an alert field value using a simplified wildcard syntax to match some or all of the string. The asterisk “*” character matches 0 or more characters and the “?” character matches exactly one character. They can be used anywhere in the match pattern, as many times as needed.

Wildcard Examples:

Phrase: db?.mydomain.tld
  Matches:
    db2.mydomain.tld
    dbx.mydomain.tld
    db0.mydomain.tld
  Does Not Match:
    db.mydomain.tld
    db14.mydomain.tld
    db-main.mydomain.tld

Phrase: *.mydomain.tld
  Matches:
    www.mydomain.tld
    www.subdomain.mydomain.tld
    db778.mydomain.tld
  Does Not Match:
    mydomain.tld
    x.mydomain.tld/with/a/long/path/suffix.html

Phrase: db-???.*
  Matches:
    db-123.foobar.baz
    db-abc.bazfoo.bar
  Does Not Match:
    db-abc123.foobaz.bar
    db000.barfoo.baz

Matching with Regular Expressions (RegEx)

Regular expressions are sequences of characters that define search patterns. To set a rule to use regex, change the drop-down option to “RegEx Match”. If you do not see the option, please reach out to support to enable the advanced configuration.

Some limitations to keep in mind:

  • Expressions are currently limited to 128 characters
  • There is a strong chance you will want to add (?si) to the beginning of your regex to match multiline input in a non-case-sensitive way.
  • The expression has to match the entire input string, so you may need to put .* at the beginning and end of your regex.
  • Compatible with Java regular expressions
  • We recommend using a RegEx validator like RegEx Planet to ensure proper syntax
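
An offline check of candidate patterns against sample field values, as an added example that is not VictorOps code. It assumes Python's re.fullmatch is an acceptable stand-in for the Java engine's whole-input matching (the two agree on the constructs used here); the function names and ALERT_TEXT are constructed for illustration.

```python
import re

MAX_REGEX_LEN = 128  # expression length limit stated in the list above


def wildcard_to_regex(pattern):
    """'*' matches 0 or more characters, '?' exactly one; the rest is literal."""
    return "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )


def wildcard_match(pattern, value):
    # Whole-value match, consistent with the wildcard table on this page
    # (*.mydomain.tld does not match a value that carries a trailing path).
    return re.fullmatch(wildcard_to_regex(pattern), value) is not None


def regex_match(pattern, value):
    if len(pattern) > MAX_REGEX_LEN:
        raise ValueError(f"{len(pattern)} characters, limit is {MAX_REGEX_LEN}")
    # fullmatch: the expression must cover the entire field value.
    return re.fullmatch(pattern, value) is not None


def evaluate(match_fn, pattern, samples):
    """Return {sample: matched} so a rule can be reviewed before it is saved."""
    return {s: match_fn(pattern, s) for s in samples}


# Constructed sample: a multi-line, mixed-case alert field value.
ALERT_TEXT = "CRITICAL: Disk Space low\non /var (97% used)"

if __name__ == "__main__":
    for pat in ("disk space", ".*disk space.*", "(?si).*disk space.*"):
        print(f"{pat!r:24} -> {regex_match(pat, ALERT_TEXT)}")
    phone = "number: 123-123-1234"
    print(evaluate(regex_match, r"^\d{3}-\d{3}-\d{4}$", [phone, "123-123-1234"]))
    print(evaluate(regex_match, r".*\d{3}-\d{3}-\d{4}.*", [phone]))
    hosts = ["db2.mydomain.tld", "db.mydomain.tld", "db14.mydomain.tld"]
    print(evaluate(wildcard_match, "db?.mydomain.tld", hosts))
```

Only the third regex attempt matches ALERT_TEXT: the first lacks the leading and trailing .*, and the second lacks (?si), so it is case-sensitive and its dot stops at the newline.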

Regular Expression Example

Phrase: ^\d+(\.\d+)?
  Matches:
    2
    2.4
    50
    5.125
  Does Not Match:
    b2.4
    version 2.4

Phrase: ^\d{3}-\d{3}-\d{4}$
  Matches:
    123-123-1234
    111-222-3333
  Does Not Match:
    number: 123-123-1234
    123-123-1234 US

\w{2,}ab
abc
abcd
123abcd
abcd123
1
a1
1a
c(at|ar)?cat
car
catalyst
carbon
a la carte
chart
clark

AND / OR Logic

OR logic can be achieved by simply replicating a rule with a different matching condition.

Using a set of sequential rules, when ordered correctly, can achieve basic AND logic in the Transmogrifier. As with scope limiting rules, the first rule must create a new field which can be acted upon by a subsequent rule.

AND Logic Example

Let’s say you want to catch the phrase “disk space” from the entity_id field AND the name “stage-db-26” from the host_name field to convert these alerts to INFO events only when both these conditions are met.

The matching condition for the first rule will catch the first desired phrase and use variable expansion to import the value of the second field into a newly declared field.


The matching condition for the second rule (MUST BE POSITIONED BELOW THE FIRST RULE!) checks the newly declared field for the value “stage-db-26” and takes the appropriate action.


Updated on July 12, 2019
