Matching conditions for the Rules Engine

About matching conditions in rules for Splunk On-Call alerts.

Matching conditions determine when a rule is applied. You can choose any field that exists within the payload of an alert and match on a specific value for that field using a direct match, wildcard matching, or by using a regular expression.

Requirements

This integration is compatible with the following versions of Splunk On-Call:

  • Enterprise

Field names

When viewing an incident in the timeline, field names are on the left and values are on the right:

Field names on the left and values on the right.

In the previous example, the field of interest is the entity_display_name field and the value that matters is the phrase This is an incident!. The matching condition is the following:

Alert Rules Engine, when entity_display_name matches *this is an incident* wildcard match set.

Routing key matching

In addition to wildcard and regular expression matching, you can explicitly define routing key matching via the Associated routing key selector. This provides AND logic to the matching parameters specified in your wildcard or regex matching section.

Note: Routing key matching via the Associated routing key selector is unable to match on other routing keys via the top-bar Wildcard or RegEx matching criteria or manipulate routing keys via the Transform these alert fields section. It only provides an AND matching condition, specifically for a routing key, for use alongside your other matching and transformation parameters.

Wildcard matching

Rules can match an alert field value using a simplified wildcard syntax to match some or all of the string. The asterisk character (*) matches 0 or more characters and you can use it anywhere in the match pattern.

Wildcard examples

Phrase

Matches

Does Not Match

*.mydomain.tld

www.mydomain.tldwww.subdomain.mydomain.tlddb778.mydomain.tld

mydomain.tldx.mydomain.tld/with/a/long/path/suffix.html

db-*.*

db-123.foobar.bazdb-abc123.bazfoo.bar

db000.barfoo.bazdb-123

*db-mydomain*

123 db-mydomain abc``|br| ``foo-db-mydomain-bar

db123-mydomaindb.mydomain

Matching with regular expressions

Regular expressions are characters that define search patterns. To set a rule to use regular expressions, change the menu option to RegEx Match. If you don’t see the option, contact support to turn on the advanced configuration.

Note: Regular expression rules are subject to timeout and automatic deactivation in the event the crafted expression poses a risk to the stability of your Splunk On-Call instance.

The following limitations apply:

  • Compatible with Java regular expressions.

  • Expressions are currently limited to 128 characters.

  • Add (?si) to the beginning of your regular expression to match multi-line input in a non-case-sensitive way.

  • As the previous technique matches the entire input string, you might need to add .* at the beginning and at the end of your regular expression.

Regular expression examples

Phrase

Matches

Does Not Match

^\d+(\.\d+)?

22.4505.125

b2.4version 2.4

^\d{3}-\d{3}-\d{4}$

123-123-1234111-222-3333

number: 123-123-1234123-123-1234 US

\w{2,}

ababcabcd123abcdabcd123

1a11a

c(at|ar)?

catcarcatalystcarbona la carte

chartclark

Boolean logic

You can use disjunction logic (OR) by replicating a rule with a different matching condition.

A set of sequential rules, when ordered correctly, can achieve basic AND logic in the Rules Engine. As with scope limiting rules, the first rule must create a new field which can be acted upon by a subsequent rule.

Rule processing order

Alert Rules uses three criteria to determine the processing order:

  • Top-to-bottom order of the alert rules

  • The optional Stop after this rule has been applied setting on each rule

  • Rules with a matching routing key based on the Associated routing key

For each ingested alert, all rules without a matching Associated routing key will process based on the top-to-bottom order. If a rule matches with the Stop after this rule has been applied setting, it will stop the application of alert rules for that alert. Lastly, rules with a specific matching routing key based on the Associated routing key are applied. These rules are applied last so they can match on the final routing key of an alert, in case this value is changed by a different alert rule.

AND logic example

In the following example, you want to capture disk space from the entity_id field, as well as the name stage-db-26 from the host_name field to convert these alerts to INFO events only when both conditions are met.

The matching condition for the first rule catches the first desired phrase and use variable expansion to import the value of the second field into a newly declared field.

Splunk On-Call Alert Rules Engine, when entity_id matches *disk space* set new_matching_field to ${{host_name}}

The matching condition for the second rule, which you must position below the first rule, checks the newly declared field for the value stage-db-26 and takes the appropriate action.

VictorOps Alert Rules Engine, when new_matching_field matches *stage-db-26* set message_type to INFO