
Declarative process grouping - what is the format of the detection rule definition condition?

fstekelenburg
DynaMight Pro

The documentation on the conditions in the Detection rule definition of a Declarative process group is not very elaborate. It is somewhat clear that you do not need to use quotes for the value (e.g. svc in $contains(svc)), but what about situations where the arguments contain quotes and spaces?


Especially when it comes to command line arguments, which can be used as a property.
For example, in this situation a process is started like:

  myprocess.exe -instance"MYUI interface" -domain"c1234"

Questions:

  • The command line arguments can also contain (double) quotes. How to deal with quotes?
    $contains(c1234) works. But $contains(-domain"c1234") or $contains(-domain\"c1234\") do not.

  • And when there are spaces?
    It looks like $contains(MYUI interface) works. It doesn't with quotes.

  • Do $eq and $contains look at the whole range of command line arguments, or at individual ones?
    Like, should I be able to use for command line arguments: $eq(-d -p -id=10)
    Or need these all be separate detection rules?

    And, do I get a match when I use $eq(-d -p -id=10) or when I use $eq(-d)


    $contains(svc) – Matches if svc appears anywhere in the process property value.
    $eq(svc.exe) – Matches if svc.exe matches the process property value exactly.
    $prefix(svc) – Matches if app matches the prefix of the process property value.
    $suffix(svc.py) – Matches if svc.py matches the suffix of the process property value.

    Documentation: Declarative process grouping | Dynatrace Docs

fstekelenburg
DynaMight Pro

Okay, here is the answer, after a session with One Support, who had to inquire with the responsible team internally as well:

  • Quotes - it is possible to use quotes when defining the rules, but the caveat is this:
    If the command line arguments look like: ./sleep --test=\"aaa\"
    The rule should be $eq(--test="aaa")
    But if the command line arguments look like ./sleep --test="aaa"
    Then the rule should be $eq(--test=aaa)
    Note: this is a bit tricky and appears reversed. You can see in the definitions through the API that Dynatrace adds the \ to the quotes.

  • Spaces - spaces can be used without problem, taking into account the possible use of quotes above.

  • Arguments - every argument needs to go to a different rule


So, to capture the example from the original question above, myprocess.exe -instance"MYUI interface" -domain"c1234", you need to create two rules:

1st rule: $eq(-instance MYUI interface)
2nd rule: $eq(-domain c1234)
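The following is an added example, not code from Dynatrace or from the poster: a small Python model of the four condition operators ($contains, $eq, $prefix, $suffix) applied per argument, which lets you dry-run a rule against a captured command line before putting it into a detection rule. The tokenizer is an assumption of this model only: it splits the command line with POSIX shell quoting (shlex), which drops plain quotes and keeps backslash-escaped quotes as literal characters. That assumption reproduces both quoting cases from the reply (--test="aaa" versus --test=\"aaa\") and the $contains observations from the question, but it is not a statement of how Dynatrace actually tokenizes command lines. The function names (split_command_line, parse_rule, matching_arguments, all_rules_match) are hypothetical.

```python
import shlex
from typing import Callable, Dict, List, Tuple

# Assumption of this model: a captured command line is split into individual
# arguments with POSIX shell quoting rules. Quoted spans are merged and the
# surrounding quotes are dropped; backslash-escaped quotes survive as literal
# quote characters. This reproduces the two quoting cases from the reply.
def split_command_line(cmdline: str) -> List[str]:
    return shlex.split(cmdline)


def parse_rule(rule: str) -> Tuple[str, str]:
    """Parse a condition of the form $op(value) into (op, value).

    The value is taken verbatim, without quote stripping, exactly as it would
    be typed into the detection rule definition."""
    if not rule.startswith("$") or "(" not in rule or not rule.endswith(")"):
        raise ValueError(f"malformed rule: {rule!r}")
    op, _, rest = rule[1:].partition("(")
    return op, rest[:-1]


# The four operators as described in the documentation excerpt in the question.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "contains": lambda value, arg: value in arg,          # anywhere in the argument
    "eq": lambda value, arg: value == arg,                # exact match
    "prefix": lambda value, arg: arg.startswith(value),   # start of the argument
    "suffix": lambda value, arg: arg.endswith(value),     # end of the argument
}


def rule_matches_argument(rule: str, argument: str) -> bool:
    op, value = parse_rule(rule)
    if op not in OPERATORS:
        raise ValueError(f"unknown operator: {op!r}")
    return OPERATORS[op](value, argument)


def matching_arguments(rule: str, cmdline: str) -> List[str]:
    """Arguments (program name excluded) of cmdline that satisfy one rule.

    Each rule is evaluated against individual arguments, never against the
    whole argument string, which is why one rule per argument is needed."""
    args = split_command_line(cmdline)[1:]
    return [a for a in args if rule_matches_argument(rule, a)]


def all_rules_match(rules: List[str], cmdline: str) -> bool:
    """True when every rule is satisfied by at least one argument."""
    return all(matching_arguments(r, cmdline) for r in rules)


if __name__ == "__main__":
    # Constructed sample command lines taken from the question and the reply.
    plain_quotes = './sleep --test="aaa"'
    escaped_quotes = './sleep --test=\\"aaa\\"'   # ./sleep --test=\"aaa\"
    windows_style = 'myprocess.exe -instance"MYUI interface" -domain"c1234"'

    print(split_command_line(plain_quotes))
    print(split_command_line(escaped_quotes))
    print(matching_arguments('$eq(--test=aaa)', plain_quotes))
    print(matching_arguments('$eq(--test="aaa")', escaped_quotes))
    print(matching_arguments('$contains(MYUI interface)', windows_style))
    # A single rule with several arguments in it matches nothing; split it up.
    print(all_rules_match(['$eq(-d -p -id=10)'], 'app -d -p -id=10'))
    print(all_rules_match(['$eq(-d)', '$eq(-p)', '$prefix(-id=)'], 'app -d -p -id=10'))
```

Under this model the "reversed" quoting behaviour falls out naturally: plain quotes disappear during tokenization, so the rule value must not contain them, while escaped quotes survive as characters and therefore have to appear in the rule value. If a rule does not fire in Dynatrace, comparing the tokens this script produces with the process property value shown in the UI is a quick way to see which side the quotes ended up on.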