Create an event rule in advanced view

Use the advanced view to create an event rule with regular expressions (regex). Event rules use the fields from the event to generate alerts.

Before you begin

Role required: evt_mgmt_admin or evt_mgmt_operator

About this task

After you add advanced mapping information to the event rule, it may not be viewable from the simple view. For example, the simple view cannot open an event rule that contains regex patterns such as \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b. An error message reminds you that the rule cannot be viewed in simple mode.
Options to create the rule are:
  • Create an empty event rule and assign event fields for alert generation.
  • Create a rule from an existing event or groups of events that do not have a rule, so the event fields are copied to the Event Match Fields section of the rule.
Note: Event rules that are not configured to perform any action are skipped. Therefore, if the rule is not configured as ignore, threshold, or binding, it is important to specify either the match or the compose fields.

Procedure

  1. Navigate to Event Management > Rules > Event Rules.
  2. Do one of the following:
    Option Description
    Create a new event rule
    1. Click New.
    Create an event rule from an existing event
    1. Near the top of the form, click the link for events or grouped events that are not mapped to rules.
      Example wording of the link: "You have 4 Events and 2 grouped events that are not mapped to rules."
    2. Select the event that you want to use for creating the rule.

      The event fields are copied to the Event Field Rules section of the rule.

    3. Click Go to advanced mode.
  3. Fill in the Name, Source, and Order fields.
  4. (Optional) Use the fields from the event to set the filter for incoming events. Fill in the Event Field Rules section as appropriate.
    For example, if the filter requires a regular expression, double-click the dot-plus (.+) placeholder and enter the event field name it maps to. In the Event Match Fields section, double-click the event to confirm and customize this information.
  5. If necessary, add or delete extra event field names in the Event Match Fields section. Use the Event Compose Fields section to generate the output verbiage that appears on alerts for this type of event.
    Table 1. Event Rule form [Advanced view]
    Field Description
    Name The event rule name.
    Source Category to which this matching rule applies. The rule only applies to events with the same event class value. If this value is empty, the rule applies to all events.
    Order Order in which an event rule is evaluated when multiple rules are defined for the same type of event. Event rules are evaluated in ascending order.
    Active A check box that activates or deactivates the event rule.

    When the rule is deactivated, Event Management finds and applies another event rule. An alert is still created for the event unless the Ignore check box is selected in another applicable rule.

    Filter Conditions that must be matched by the fields of events that this rule applies to. Depending on the event field, the filter can match a string, pattern, or regular expression. For regular expressions, the dot-plus (.+) symbol is a placeholder for mapping the event field name. The same information appears in the Event Match Fields section.
    Additional Filter An optional string or regular expression filter. For regular expressions, the dot-plus (.+) symbol is a placeholder for mapping the event field name. The same information appears in the Event Match Fields section.
    Ignore Event section
    Ignore event Check box to ignore matching events and not create an alert.
    Transform section
    Transform A check box to enable event matching and updating event field values.
    CI type Pre-defined definition that resides in the CMDB that describes a category for hardware, software application, or web service. Available when the Transform check box is selected.
    Event Match Fields section
    Field The field that the event rule searches for a matching value. This field can either be from the Event [em_event] table or a field defined by a name-value pair in the event Additional Information field. Available when the Transform check box is selected.
    Regular expression The string, match pattern, or regular expression that the event rule uses to identify matching event values. Each dot-plus (.+) symbol requires a corresponding comma-separated value in the Mapping field. The pattern must account for the entire field value, including any text that follows the values you want to capture, and punctuation must be matched literally. For example, consider the sentence: Node localhost has dropped its average response time to 55 ms which falls below the threshold.

    To capture localhost and 55, enter hostNameFromEvent and newAvgresponseTime, respectively, as the event field names in the Mapping field. Examples of correct regular expressions that match this sentence are:

    • Node (.+) has dropped its average response time to (.+) ms .*
    • Node (.+) has dropped its average response time to (.+) ms which falls below the threshold
    The following example is incorrect, because the pattern stops at ms and does not cover the rest of the sentence:

    Node (.+) has dropped its average response time to (.+) ms

    Available when the Transform check box is selected.

    Mapping Each comma-separated event field name corresponds, in order, to one dot-plus (.+) symbol in the regular expression, so the number of names must equal the number of (.+) groups. For example, hostNameFromEvent, avgResponseTime, newAvgresponseTime, responseTimeThreshold maps a pattern with four (.+) groups. This field appears when the Transform check box is selected. Note: Use unmapped as the field name for a (.+) group whose value you do not want mapped to any event field.
    Event Compose Fields section
    Field The field that the event rule inserts or updates. This field can either be from the Event [em_event] table or a field defined by a name-value pair in the Additional Information field of the event. This field appears when the Transform check box is selected.
    Composition The value to insert or update into the alert and bind to the CI on an incoming event. This value can use dynamic data from the Event [em_event] table or a field defined by a name-value pair in the Additional Information field of the event. Specify dynamic data with the following format: ${field}. This field appears when the Transform check box is selected.
    Threshold section
    Threshold Check box to configure the generation of alerts for rapidly recurring events.
    Threshold Metric Threshold name from the event. For example, cpu. Available when the Threshold check box is selected.
    Create Alert Operator A count or relational operator applied to the Threshold Metric value for creating an alert. Options include Count, >, >=, <, <=, =, and !=. If the criteria match, an alert is generated. For example, if the Threshold Metric is cpu and Count is 5, a threshold alert is generated after five events that contain cpu. This field appears when the Threshold check box is selected.
    Star (*) (for Create Alert Operator) A numeric value that the Threshold Metric is compared against. This field appears when a relational operator is selected from the Create Alert Operator list.
    Occurs (for Create Alert Operator) Number of times that the event must occur with the Threshold Metric and Create Alert Operator values to generate the alert. This field appears when the Threshold check box is selected.
    Over (seconds) (for Create Alert Operator) Number of seconds in which the event Threshold Metric and corresponding fields must occur to open the alert. The value 0 specifies an infinite time frame and can be used to exclude time from this threshold. This field appears when the Threshold check box is selected.
    Close Alert Operator Count or relational operator that defines the threshold that must be met to close an existing alert. Options include --None--, Idle, >, >=, <, <=, =, and !=. If the criteria match, the existing threshold alert is closed. For example, if the number of matching events = 5, the alert is closed. This field appears when the Threshold check box is selected.
    Over (seconds) (for Close Alert Operator) The number of seconds in which the event Threshold Metric must occur to close the alert. The value 0 specifies an infinite time frame and can be used to exclude time from this threshold. This field appears when the Threshold check box is selected.
    Star (*) (for Close Alert Operator) A numeric value that the Threshold Metric is compared against. This field appears when a relational operator is selected from the Close Alert Operator list.
  6. Click Submit.
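The following is an added example, not ServiceNow code, that reproduces offline the behaviour the Event Match Fields, Event Compose Fields and Threshold sections describe: a regular expression must account for the whole field value, each (.+) group pairs with one comma-separated Mapping name (with unmapped discarded), ${field} tokens in a Composition resolve from mapped values and raw event fields, and a Count threshold opens an alert once enough events arrive inside the Over (seconds) window. The sample event, the field names (source, node, description, short_description, metric_name), the reset-after-alert behaviour of the threshold counter and the window handling are assumptions made for illustration; the three regular expressions are the ones from the table above.

```python
"""Offline simulation of an event rule's Transform and Threshold logic.

Added example, not ServiceNow code. Field names, sample events and the
window/reset behaviour of the threshold counter are assumptions.
"""
import re
from collections import deque

# Constructed sample event; the description follows the example sentence above.
EVENT = {
    "source": "SCOM",
    "node": "",
    "description": "Node localhost has dropped its average response time to 55 ms "
                   "which falls below the threshold",
}

MATCH_FIELD = "description"
# The two patterns the table lists as correct, and the one it lists as incorrect.
REGEX_OK_WILDCARD = r"Node (.+) has dropped its average response time to (.+) ms .*"
REGEX_OK_LITERAL = (r"Node (.+) has dropped its average response time to (.+) ms "
                    r"which falls below the threshold")
REGEX_BAD = r"Node (.+) has dropped its average response time to (.+) ms"
MAPPING = "hostNameFromEvent, newAvgresponseTime"
# Event Compose Fields: target field -> Composition template with ${field} tokens.
COMPOSE_FIELDS = {
    "node": "${hostNameFromEvent}",
    "short_description": "${hostNameFromEvent}: avg response time "
                         "${newAvgresponseTime} ms (via ${source})",
}


def parse_mapping(mapping):
    """Split the comma-separated Mapping value into one name per (.+) group."""
    return [name.strip() for name in mapping.split(",") if name.strip()]


def mapping_matches_groups(regex, mapping):
    """True when the regex has exactly one capture group per Mapping name."""
    return re.compile(regex).groups == len(parse_mapping(mapping))


def match_and_map(event, field, regex, mapping):
    """Apply one Event Match Field row; return mapped values or None.

    fullmatch() models the requirement that the pattern cover the entire
    field value, so a regex that stops at 'ms' fails on the longer message.
    Groups named 'unmapped' are dropped instead of becoming event fields.
    """
    if not mapping_matches_groups(regex, mapping):
        raise ValueError("number of (.+) groups must equal number of Mapping names")
    m = re.fullmatch(regex, event.get(field, ""))
    if m is None:
        return None
    return {name: value for name, value in zip(parse_mapping(mapping), m.groups())
            if name != "unmapped"}


def compose(template, event, extracted):
    """Resolve ${field} tokens: mapped values first, then raw event fields.
    Unknown tokens are left in place rather than silently emptied."""
    def lookup(mo):
        key = mo.group(1)
        if key in extracted:
            return extracted[key]
        if key in event:
            return str(event[key])
        return mo.group(0)
    return re.sub(r"\$\{([^}]+)\}", lookup, template)


def apply_transform(event, field, regex, mapping, compose_fields):
    """Return the transformed event, or None when the match row does not apply."""
    extracted = match_and_map(event, field, regex, mapping)
    if extracted is None:
        return None
    out = dict(event)
    for target, template in compose_fields.items():
        out[target] = compose(template, event, extracted)
    return out


class ThresholdRule:
    """Count threshold: alert once `count` events with `metric` arrive within
    `over_seconds`. over_seconds == 0 means no time limit (assumed reset of
    the counter after each alert)."""

    def __init__(self, metric, count, over_seconds):
        self.metric, self.count, self.over_seconds = metric, count, over_seconds
        self.times = deque()

    def feed(self, event, now):
        """Record one event at time `now` (seconds); True when an alert opens."""
        if event.get("metric_name") != self.metric:
            return False
        self.times.append(now)
        if self.over_seconds:
            while self.times and now - self.times[0] > self.over_seconds:
                self.times.popleft()
        if len(self.times) >= self.count:
            self.times.clear()
            return True
        return False


if __name__ == "__main__":
    print(apply_transform(EVENT, MATCH_FIELD, REGEX_OK_WILDCARD, MAPPING, COMPOSE_FIELDS))
    print(apply_transform(EVENT, MATCH_FIELD, REGEX_BAD, MAPPING, COMPOSE_FIELDS))
```

Running the block prints the transformed event for the first pattern and None for the incorrect one, which is the quickest way to confirm a candidate regular expression before saving the rule. Note that mapping_matches_groups rejects the four-name Mapping example from the table when paired with a two-group pattern, the mismatch a misconfigured rule most often contains.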