Currently, I have a single rule in /App/Blah/ That is effectively a giant python script with a list of if statements and an actions (severity changes etc.)
I'm led to believe by Jane_Curry that the intended way of using EventClassMappings is having multiple mappings, each with unique IDs and the same EventClassKey (all my custom applications are using the same eventClassKey).
These rules should then run in order of their sequence.
However, when I split out my 'giant python if statements from hell', in to separate mappins, they don't work. Putting all the mappings back into a single giant mapping works perfectly.
Anyone have ideas in where I might be going wrong?
Example:
In an individual mapping:
| Rule | |||||
| 'Push DISABLED due to' in evt.summary | |||||
| Regex | |||||
| Example | |||||
| Transform | |||||
evt.severity = 2 | |||||
| Explanation | |||||
| Resolution | |||||
Doesn't work.
However in my single giant mapping:
| Rule | |||||
| Regex | |||||
| Example | |||||
| Transform | |||||
| |||||
| Explanation | |||||
| Resolution | |||||
Works perfectly.
What gives?