Processor: Match String

The Match String processor checks that a string matches a regular expression. It accepts text series as input; for each series it configures a check that verifies whether the input value matches the configured regular expression. Regular expression syntax is PCRE-compatible. Note that regexp matching is done in partial mode, so if a full match is needed, the regular expression needs to be specified accordingly. The output series contains anomaly values, such as ‘false’ and ‘true’.

Input Types - Time-Series (TS), TSTS

Output Types - Discrete-State-Set (DSS)


Graph Query (graph_query)

One or more queries on the graph, specified as strings or as a list of such queries. (String will be deprecated in a future release.) Multiple queries should provide all the named nodes referenced by the expression fields (including additional_properties). The graph query is executed on the "operation" graph. Results of the queries can be accessed using the "query_result" variable with the appropriate index. For example, if querying property set nodes under the name "ps", the result will be available as query_result[0]["ps"].

In collector processors (*_collector, if_counter) it is used to choose a set of nodes for further processing (for example, all leafs, or all interfaces between leaf and spines).

In other processors it is used for general parameterization and it is only supported as a list of queries.

Fabric Interfaces Example
   graph_query: "node("system", role="leaf", name="system").
                 node("interface", name="iface").out("link").
                 node("link", role="spine_leaf")"
Leafs and Spines using two queries Example
   graph_query: ["node("system", role="leaf", name="system")",
                 "node("system", role="spine", name="system")"]

Non-collector processors that contain the graph_query configuration parameter can be parameterized to use data from arbitrary nodes in the graph, such as property set nodes (as of version 3.0). Property sets allow you to parameterize macro-level SLAs for individual business units. In the example below, graph_query matches a node of type property_set with the label probe_propset. It’s accessed using the special query_result variable, where index 0 means it’s the first node in the query results. If a query returns N nodes, they can be accessed using indices from 0 to N-1. ps is the name the node is given in the query; the rest depends on the structure of the node. The int() cast is required because values of property_set nodes are strings. Here it’s assumed that a property set node has the label probe_propset and that the value accumulate_duration was already created.

graph_query: [node("property_set", label="probe_propset", name="ps")]
duration: int(query_result[0]["ps"].values["accumulate_duration"])

Another example is that probes can validate a compliance requirement; the compliance value may change over time and/or it can be used by more than one probe. Also, a probe can validate NOS versions on devices. In this case, property sets can be used to define the current NOS version requirement. If it changes tomorrow, change the property set value instead of going under the probe stage.

Regular Expression (regexp)
Expression that evaluates to a PCRE-compatible regular expression.

Anomaly MetricLog Retention Duration
Retain anomaly metric data in MetricDb for the specified duration, in seconds.

Anomaly MetricLog Retention Size
Maximum allowed size, in bytes, of anomaly metric data to store in MetricDB.

Anomaly Metric Logging
Enable metric logging for anomalies.

Enable Streaming (enable_streaming)
Makes samples of output stages streamed if enabled. An optional boolean that defaults to False. If set to True, all output stages of this processor are streamed in the generic protobuf schema.

Raise Anomaly (raise_anomaly)
Outputs “true” and “false” values, “true” meaning an appropriate item is anomalous, and “false” meaning the item is not anomalous. When Raise Anomaly is set to True, an actual anomaly is generated in addition to a sample in the output.

Match String Example

regexp: "os_version_pattern"

Sample Input (TS)

[device=leaf1,os_version_pattern=^4.[7-9].[0-9]+$] : 4.1
[device=leaf2,os_version_pattern=^4.[7-9].[0-9]+$] : 4.7

Sample Output (DSS):

[device=leaf1,os_version_pattern=^4.[7-9].[0-9]+$,regex=^4.[7-9].[0-9]+$] : "true"
[device=leaf2,os_version_pattern=^4.[7-9].[0-9]+$,regex=^4.[7-9].[0-9]+$] : "false"
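
The following is an added example, not the product's code or part of the original page: a Python emulation of the check, comparing the sample pattern with an unanchored form and with a form whose dots are escaped. It assumes that "partial mode" means an unanchored search and uses Python's re module as a stand-in for PCRE; the function names and the device values are constructed.

```python
import re

def match_string(series, regexp_key):
    """One output item per input item; "true" means anomalous (no match)."""
    out = []
    for keys, value in series:
        pattern = keys[regexp_key]  # the regexp expression is evaluated per item
        # Assumption: "partial mode" = unanchored search, as re.search does.
        matched = re.search(pattern, value) is not None
        out.append((dict(keys, regex=pattern), "false" if matched else "true"))
    return out

# Constructed sample values (not from the page): device -> reported NOS version.
VALUES = [
    ("leaf1", "4.1.0"),        # out of policy
    ("leaf2", "4.8.2"),        # in policy
    ("leaf3", "14.8.2"),       # out of policy, but contains "4.8.2"
    ("leaf4", "4.8.2-debug"),  # out of policy, trailing text
    ("leaf5", "4x8y2"),        # not a version; accepted only if '.' is unescaped
]

UNANCHORED = r"4.[7-9].[0-9]+"        # no anchors: any substring may satisfy it
PAGE_PATTERN = r"^4.[7-9].[0-9]+$"    # pattern from the sample above
STRICT = r"^4\.[7-9]\.[0-9]+$"        # anchored, with literal dots

def run(pattern):
    """Return {device: anomaly state} for VALUES checked against pattern."""
    series = [({"device": d, "os_version_pattern": pattern}, v) for d, v in VALUES]
    result = match_string(series, "os_version_pattern")
    return {keys["device"]: state for keys, state in result}

if __name__ == "__main__":
    for name in ("UNANCHORED", "PAGE_PATTERN", "STRICT"):
        print(f"{name:13}", run(globals()[name]))
```

With the unanchored pattern only leaf1 is flagged; anchoring also flags leaf3 and leaf4, and escaping the dots is what finally flags leaf5.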