Querying for specific messages within the EventDB cronk within icinga-web
There is no obvious interface for querying the Message field of events recorded in the EventDB database, but performing such a query is quite easy.
In the EventDB cronk:
1) Click on Filter > edit
2) Click on the “Advanced” tab
3) Under “Filter by message,” click the Add button
4) You can Include/Exclude strings, or match a regular expression. Remember the following syntax is your friend:
.*error\ occurred\ during\ logon.*
5) Once modified, you can easily save and share your cronks with your team, effectively creating interactive and live reports:
– Right-click on the cronk tab > rename if you wish, then > “Save cronk as”
– Select an image
– You can create a new category here like “Go Team” or just use an existing category
– You can share the access to your cronk with other users and groups
– It will then be listed in the left side menu under the selected category.
You must give the user the icinga.cronk.custom right in order for the user’s cronk to be saved to the DB. Otherwise, the save will appear to succeed, but the backend DB entries won’t be there, so the page will fail to load.
This is quite useful for testing regexes for nxlog conf conditionals in an Exec statement:
$Message =~ /.*select\ \*\ from\ HP_AlertIndication.*/\
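The same check can be run offline before a pattern goes into an nxlog conditional. The script below is an added example, not part of the original post: it runs the two patterns from this page against constructed sample messages and reports any that are misclassified. It assumes Python's re module as a stand-in for the regex engine (sufficient for patterns this simple) and an unanchored, search-style match.

```python
import re

# Regex bodies copied from the page, without nxlog's /.../ delimiters.
PAGE_PATTERNS = {
    "logon_error": r".*error\ occurred\ during\ logon.*",
    "hp_wmi_query": r".*select\ \*\ from\ HP_AlertIndication.*",
}

# Constructed sample messages paired with the pattern expected to match (or None).
SAMPLES = [
    ("An error occurred during logon.\r\nStatus: 0xC000006D", "logon_error"),
    ("WMI query: select * from HP_AlertIndication", "hp_wmi_query"),
    ("An account was successfully logged on.", None),
    ("WMI query: select Name from HP_AlertIndication", None),
    ("AN ERROR OCCURRED DURING LOGON", None),  # case differs, no /i flag
]


def matching_patterns(message, patterns=PAGE_PATTERNS):
    """Names of the patterns found anywhere in message (unanchored search)."""
    return sorted(name for name, rx in patterns.items() if re.search(rx, message))


def misclassified(samples=SAMPLES, patterns=PAGE_PATTERNS):
    """Samples whose actual matches differ from the expected ones."""
    failures = []
    for text, expected in samples:
        wanted = [expected] if expected else []
        actual = matching_patterns(text, patterns)
        if actual != wanted:
            failures.append((text, wanted, actual))
    return failures


def without_wrappers(patterns=PAGE_PATTERNS):
    """Same patterns with the leading and trailing '.*' removed."""
    return {name: rx[2:-2] for name, rx in patterns.items()}


if __name__ == "__main__":
    for text, wanted, actual in misclassified():
        print(f"MISMATCH {text!r}: expected {wanted}, got {actual}")
    # Under unanchored search the '.*' wrappers do not change any verdict.
    print("wrappers redundant:", misclassified(patterns=without_wrappers()) == [])
```

Add messages from your own event sources to SAMPLES, including ones that must not match, before the pattern is used in a conditional that acts on events.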
Maybe one of these days I’ll write a Jasper report.