Hey Community,
Regex noob here. Here’s my situation. We receive offline alerts from Datto (no integration I know…)
There’s a scenario where, “if 2 of these endpoints go offline and are in the same Azure subscription, within 10~ish mins of each other, we likely have a network outage issue”
Here is an example of the live offline alerts subject (both of them).
- IO / AE GBAZAUIO1 for site Aug21 Build Test2 has gone offline!
- MS1 / MS01 GBAZAUMS1 for site Aug21 Build Test2 has gone offline!
I created my rule as a Global Event Rule and my rules/regex are as follows.
I’ve used a couple of little variations of my core regex: headers.subject matches regex .{6}(?:MS | IO). I’ve also separated them individually: .{6}(?:IO) and .{6}(?:MS)
The piece that’s missing is the ability to say, “Only group and alert when you see the first 6 characters before IO or MS matching”
I can get the alert to trigger without issue. But I don’t want it to trigger if only one of the 2 workstations goes offline.
Help?
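As an added illustration (not the poster's rule, and not Datto or Azure code), here is the correlation the post describes in plain Python: a regex captures the six characters before IO/MS as the grouping key, and an alert fires only when two distinct hosts sharing that key go offline within a 10-minute window. The hostname layout (6-char site code, role IO or MS, then digits) and the sample subjects are assumptions built from the two lines in the post.

```python
import re
from datetime import datetime, timedelta

# Subject shape from the post: "<label> / <tag> <HOSTNAME> for site <site> has gone offline!"
# Assumption: the hostname is <6-char site code><role IO|MS><digits>; the 6-char
# code is the key that has to match before two offline alerts are correlated.
SUBJECT_RE = re.compile(
    r"\b(?P<host>(?P<key>[A-Z0-9]{6})(?P<role>IO|MS)\d+)\b.*has gone offline!$"
)

def parse_subject(subject):
    """Return (site_key, hostname), or None if this is not an offline alert."""
    m = SUBJECT_RE.search(subject)
    return (m.group("key"), m.group("host")) if m else None

def correlate(alerts, window=timedelta(minutes=10)):
    """alerts: iterable of (timestamp, subject).
    Returns one (site_key, sorted hostnames) entry each time an alert makes
    two or more *distinct* hosts with the same site key offline within `window`."""
    recent = {}            # site_key -> [(timestamp, host), ...] still inside the window
    triggered = []
    for ts, subject in sorted(alerts):
        parsed = parse_subject(subject)
        if parsed is None:
            continue       # not an offline alert, ignore it
        key, host = parsed
        bucket = [(t, h) for t, h in recent.get(key, []) if ts - t <= window]
        bucket.append((ts, host))
        recent[key] = bucket
        hosts = sorted({h for _, h in bucket})
        if len(hosts) >= 2:    # a single host flapping twice must not count
            triggered.append((key, hosts))
    return triggered

# Constructed sample feed (not real Datto data): two GBAZAU hosts 4 minutes apart,
# a lone host at a different site, a repeat of one host, and an unrelated subject.
T0 = datetime(2024, 8, 21, 9, 0)
SAMPLE_ALERTS = [
    (T0, "IO / AE GBAZAUIO1 for site Aug21 Build Test2 has gone offline!"),
    (T0 + timedelta(minutes=4), "MS1 / MS01 GBAZAUMS1 for site Aug21 Build Test2 has gone offline!"),
    (T0 + timedelta(minutes=30), "IO / AE GBAZAXIO1 for site Other Site has gone offline!"),
    (T0 + timedelta(minutes=45), "IO / AE GBAZAUIO1 for site Aug21 Build Test2 has gone offline!"),
    (T0 + timedelta(minutes=46), "IO / AE GBAZAUIO1 for site Aug21 Build Test2 has gone offline!"),
    (T0 + timedelta(minutes=47), "Backup for GBAZAUMS1 failed"),
]

if __name__ == "__main__":
    for key, hosts in correlate(SAMPLE_ALERTS):
        print(f"possible outage at {key}: {hosts}")
```

The same idea translates to a rule engine as "group by the captured 6-character key, count distinct hostnames in a 10-minute window, alert when the count reaches 2".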