# Create the dedup id; This is what zenoss normally does to the event to ascertain if # it is a duplicate (another occurance) of an existing event. We are doing it in this # transform to be able to reference the count variable, which does not come with an # incoming event. dedupfields = [ evt.device, evt.component, evt.eventClass, evt.eventKey, evt.severity] if not evt.eventKey: dedupfields += [evt.summary] mydedupid = '|'.join(map(str, dedupfields)) # Get the event details (including count) from the existing event that is in the mysql database em = dmd.Events.getEventManager() em.cleanCache() try: ed = em.getEventDetail(dedupid=mydedupid) mycount = ed.count except: mycount = 0 # Do what you like with the count; # In this example we up the severity to CRITICAL if the count is > 3 if mycount > 3: evt.severity = 5 * transform: change severity dependent on count # If we have a Ping based device, we lower the severity on ping down # We also have to assure that clear events, events that mean ping is working again, # dont get their severity changed if "Ping" in getattr(evt, "DeviceClass", None) and evt.severity != 0: evt.severity = 1 * transform: all events that come in from a certain device class, have their severity changed * Often put in /Events to get all events * If you have many events, putting it in /Events will cause all events to be evaluated through this * this can possibly be a bottleneck