This allows easy cloning and quick set of the data being pulled… then you can set normal thresholds and heads/tails (consecutive polls to raise/lower the alert).
Instead of cloining the DS, have the eventLog, eventID and timeSpan set as instance level properties on a multi-instance datasource. To create the instances with their ILPs, create a property that lists them all out:
Logon Failure|Security|4625|5,Something Else|Security|2346|10,Instance Display Name|eventLog|eventId|timeSpanThen your discovery script would look like this:
try{
hostProps.get("logSpanInstances").tokenize(",").each{instance ->
wildvalue = instance.replaceAll(/\|/,'_').replaceAll(" ",'_')
i = instance.tokenize("|")
println("${wildvalue}##${i[0]}######eventLog=${i[1]}&eventID${i[2]}&timeSpan=${i[3]}")
}
return 0
} catch (Exception e){println(e);return 1}With the above example, this would create the following instances:
Note this discovery script replaces the pipe and space characters in the instance to create the wildvalue.