Eventstream filter api question

petew · January 28, 2021, 5:04pm

the api documentation for Eventstream has examples on filtering - event-stream-filter

but it also says that events do not support filters - Overview

i’m not able to query the events using the example and just trying to understand where the issue may be:

curl -k -s -u 'user:pass' -H 'Accept: application/json' -X POST 'https://localhost:5665/v1/events' -d '{ "types": "CheckResult", "filter": "event.check_result.exit_status==2" }'

i’ve also tried using the "queue": "myqueue" to no avail either.

yhabteab · January 28, 2021, 7:47pm

Hello @petew,

It is a syntax error and is already fixed here, I just don’t know why the Icinga documentation is not changed. Try the following:

curl -k -s -u root:icinga -H 'Accept: application/json' \                                                                                                                     130 ↵
-X POST 'https://localhost:5665/v1/events' \
-d '{ "queue": "myqueue", "types": [ "CheckResult" ], "filter": "event.check_result.exit_status==2" }'

petew · January 28, 2021, 8:33pm

yes that works - thanks @yhabteab

now the million dollar question - how to use the filter method to pull other attributes - like host.address

yhabteab · January 28, 2021, 8:52pm

You can use it with the || or && operators e.g like this.

curl -k -s -u root:icinga -H 'Accept: application/json' \                                                                                                                     130 ↵
-X POST 'https://localhost:5665/v1/events' \
-d '{ "queue": "myqueue", "types": ["CheckResult"], "filter": "event.check_result.exit_status == 2 || host.address == \"127.0.0.1\"" }'

petew · January 28, 2021, 9:16pm

i meant pull back the host.address not query for it - something like "attrs": "event.host.address" or ?joins=host.address . looking at the documentation it seems like it should be possible

petew · February 11, 2021, 9:05pm

so i never figured out joins or attrs for the eventstream so i switched to cron job querying the api.

yhabteab · February 13, 2021, 4:28pm

Sorry for the delay!

But I did not really understand you what you want to achieve with it.

What I can tell you for sure is that "attrs": "event.host.adress" whatever you want to use it for would not work, because attrs is a Dictionary and such keywords need key and value. But you might want to have something like this.

curl -k -s -v -X POST -u root:icinga -H 'Accept: application/json' "https://localhost:5665/v1/events?queue=test&types=CheckResult&joins=host.address"

petew · February 15, 2021, 2:32pm

that works but it doesn’t return the host.address attribute:

{"check_result":{"active":true,"check_source":"icinga-satellite2","command":["/usr/lib/nagios/plugins/check_ping","-4","-H","<server-ip>","-c","5000,100%","-w","3000,80%"],"execution_end":1613398336.68417,"execution_start":1613398332.646324,"exit_status":0.0,"output":"PING OK - Packet loss = 0%, RTA = 11.38 ms","performance_data":["rta=11.382000ms;3000.000000;5000.000000;0.000000","pl=0%;80;100;0"],"schedule_end":1613398336.684234,"schedule_start":1613398332.645893,"state":0.0,"ttl":0.0,"type":"CheckResult","vars_after":{"attempt":1.0,"reachable":true,"state":0.0,"state_type":1.0},"vars_before":{"attempt":1.0,"reachable":true,"state":0.0,"state_type":1.0}},"host":"<server-name.com>","timestamp":1613398336.686663,"type":"CheckResult"}

i’ve switched to using a cron job to query api for services which will allow joins to pull host.address and other custom vars.

thanks for the help.