Create an event rule in simple view

Use the simple view to create an event rule without complex regular expressions.

Before you begin

Role required: evt_mgmt_admin or evt_mgmt_operator

About this task

Options to create an event rule in simple view are:
  • Create an empty event rule and assign event fields for alert generation.
  • Create a rule from an existing event or groups of events that do not have a rule. The event fields are copied to the Event Field Rules section of the rule.

Procedure

  1. Navigate to Event Management > Rules > Event Rules.
  2. Do one of the following:
    Option Description
    Create an event rule
    1. Click New.
    2. Type a name for the rule.
    3. Right-click the form header and click Save.
    4. Click Go to simple mode.
    Create an event rule from an existing event or group of events
    1. Click the link for events or grouped events that are not mapped to rules.
      Example wording of the link: "You have 4 Events and 2 grouped events that are not mapped to rules."
    2. Click the event that you want to use for creating the rule.

      The event fields are copied to the Event Field Rules section of the rule.

  3. Fill in or edit the fields, as appropriate. For example, use the Event Compose Fields section to map event data to alert fields.
    Table 1. Event Rule form [Simple view]
    Field Description
    Name The event rule name.
    Active Check box to activate the event rule or event mapping rule.
    CI type Pre-defined definition that resides in the CMDB that describes a category for hardware, software application, or web service.
    Order Order in which an event rule is evaluated when multiple rules are defined for the same type of event. Event rules are evaluated in ascending order.
    Source Category to which this matching rule applies. The mapping rule only applies to events with the same event class value. If this value is empty, apply the rule to all events.
    Event Field Rules section
    Field An event field to use for generating an alert. This field can either be from the Event [em_event] table or a field defined by a name-value pair in the Additional Information field. Used with the Value field.
    Value The event value and any dot-plus (.+) symbols that represent event fields that can be updated.
    Event Compose Fields section
    Field A field to use for generating the alert message. This field can either be from the Event [em_event] table or a field defined by a name-value pair in the Additional Information field. For example: message_key
    Composition For alert message generation. The text and relevant fields from the original event. For example: ${netObjectId}_${networkNodeId}_appUpDownEvent
    Ignore Event section
    Ignore event Check box to ignore matching events and not create an alert.
    Threshold section
    Threshold Check box to configure the generation of alerts for rapidly recurring events.
    Threshold Metric Threshold name from the event. For example, cpu. This field appears when the Threshold check box is selected.
    Create Alert Operator The required value for the Threshold Metric field. A count or relational operator for creating an alert. Options include Count, >, >=, <, <=, =, and !=. If the criteria match, generate an alert. For example, if the Threshold Metric is cpu and Count is 5, generate a threshold alert after five events that contain cpu. This field appears when the Threshold check box is selected.
    Star (*) (for Create Alert Operator) A numeric value. This field appears when a relational operator is selected from the Create Alert Operator list.
    Occurs (for Create Alert Operator) Number of times that the event must occur with the Threshold Metric and Create Alert Operator values to generate the alert. This field appears when the Threshold check box is selected.
    Over (seconds) (for Create Alert Operator) Number of seconds in which the event Threshold Metric and corresponding fields must occur to open the alert. The value 0 specifies an infinite time frame and can be used to exclude time from this threshold. This field appears when the Threshold check box is selected.
    Close Alert Operator Count or relational operator to define the threshold that must be met for closing an existing alert. Options include --None--, Idle, >, >=, <, <=, =, and !=. If the criteria match, the threshold alert is generated. For example, if the number of events that match other criteria = 5, generate an alert. This field appears when the Threshold check box is selected.
    Over (seconds) (for Close Alert Operator) The number of seconds in which the event threshold metric must occur to close the alert. The value 0 specifies an infinite time frame and can be used to exclude time from this threshold. This field appears when the Threshold check box is selected.
    Star (*) (for Close Alert Operator) A numeric value. This field appears when a relational operator is selected from the Close Alert Operator list.
  4. Double-click any highlighted value to select event fields and CI attributes.
    For example, in the Event Field Rules section, double-click any dot-plus (.+) symbols and type the event field CI attribute name.
  5. Click Submit.
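
Added example (not ServiceNow code): a small JavaScript model of how the Event Field Rules values with dot-plus (.+), the Event Compose Fields composition, and a Count threshold from Table 1 behave, useful for checking a rule against sample events before activating it. The function names, sample rules and sample event are constructed, and applying the first matching rule in ascending Order is an assumption.

```javascript
// Added illustration, not ServiceNow code: a small model of the Table 1 semantics.
// Function names, the sample rules and the sample event are constructed.

// Value pattern: literal text plus dot-plus (.+) placeholders, matched on the whole field.
function valueToRegex(value) {
  const parts = value.split('.+').map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('(.+)') + '$');
}

// A field is read from the event record or from Additional Information name-value pairs.
function field(event, name) {
  return name in event ? event[name] : (event.additional_info || {})[name];
}

function matches(rule, event) {
  return Object.entries(rule.fieldRules).every(([name, value]) => {
    const v = field(event, name);
    return v !== undefined && valueToRegex(value).test(String(v));
  });
}

// Composition: each ${name} is replaced by the event's value for that field.
function compose(template, event) {
  return template.replace(/\$\{(\w+)\}/g, (_, name) => String(field(event, name) ?? ''));
}

// Rules are tried in ascending Order; assumption: the first active match is used.
function firstMatch(rules, event) {
  return rules.filter(r => r.active).sort((a, b) => a.order - b.order)
    .find(r => matches(r, event));
}

// Count threshold: true once `occurs` events fall within `overSeconds` (0 = no time limit).
function thresholdReached(times, occurs, overSeconds) {
  const last = times[times.length - 1];
  const recent = overSeconds === 0 ? times : times.filter(t => last - t <= overSeconds);
  return recent.length >= occurs;
}

const rules = [
  { name: 'catch-all', active: true, order: 200, fieldRules: { description: '.+' },
    composition: '${node}_generic' },
  { name: 'app up/down', active: true, order: 100,
    fieldRules: { type: 'appUpDownEvent', description: 'Application .+ is down' },
    composition: '${netObjectId}_${networkNodeId}_appUpDownEvent' },
];
const event = { type: 'appUpDownEvent', description: 'Application billing is down',
  additional_info: { netObjectId: 'N42', networkNodeId: '7' } };
const hit = firstMatch(rules, event);
console.log(hit.name, compose(hit.composition, event));
```

In this model a broad value such as a lone .+ matches every event that carries the field, so a catch-all rule placed at a lower Order than a specific rule would take the event first.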