Populate custom alert fields

You can populate custom alert fields with data contained in the Additional information field of the event.

Data contained in the Additional information fields of events can be useful, for example, for reporting. Alert fields are automatically populated from fields that have the same name in the event. This behavior holds true for Additional information event fields and for Additional information fields that Event Rules adds. Therefore, to populate a custom alert field with a value from the Additional information field, use the custom field name as the key in the Additional information field. You can also use Event Rules for this purpose. Values in the Additional information field of an event that are not in JSON key/value format are normalized to JSON format when the event is processed.

Depending on permissions, you may only be able to create fields with the user_ prefix. If so, use Event Rules to create an Additional information field with the same name. To prevent some fields from being copied to the alert, use the evt_mgmt.alert_black_list_fields property and add the names of the fields that must be excluded. By default, the fields that are not copied are:
  • message_key
  • category
  • additional_info
  • sys_updated_on
  • sys_updated_by
  • sys_created_by
  • sys_created_on
  • sys_mod_count
  • sys_id
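
A small model of the name-matching rule and exclusion list described above, added here as an illustration; it is not ServiceNow code. The function name, the alert column list and the sample values are constructed assumptions, and only Additional information that is already JSON is handled.

```javascript
// Illustrative model only; not the platform's implementation.
// Default exclusions as listed on this page (evt_mgmt.alert_black_list_fields).
const DEFAULT_EXCLUDED = [
  'message_key', 'category', 'additional_info',
  'sys_updated_on', 'sys_updated_by', 'sys_created_by',
  'sys_created_on', 'sys_mod_count', 'sys_id',
];

// Hypothetical helper: reports which additional_info keys would populate
// alert fields and which would be skipped, with the reason for each skip.
function previewAlertFields(additionalInfo, alertColumns, excluded = DEFAULT_EXCLUDED) {
  let parsed;
  try {
    parsed = JSON.parse(additionalInfo);
  } catch (err) {
    // The platform normalizes non-JSON values; that step is not modelled here.
    throw new Error('additional_info is not JSON; normalization is not modelled');
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new Error('additional_info must be a JSON object of key/value pairs');
  }
  const columns = new Set(alertColumns);
  const blocked = new Set(excluded);
  const copied = {};
  const skipped = {};
  for (const [key, value] of Object.entries(parsed)) {
    if (blocked.has(key)) {
      skipped[key] = 'excluded';            // never copied, even if sent
    } else if (!columns.has(key)) {
      skipped[key] = 'no alert field with this name';
    } else {
      copied[key] = value;                  // same name on event and alert
    }
  }
  return { copied, skipped };
}

// Constructed sample: alert columns and one event's additional_info.
const SAMPLE_ALERT_COLUMNS = ['user_site_code', 'user_owner_team', 'sys_id', 'category'];
const SAMPLE_ADDITIONAL_INFO = JSON.stringify({
  user_site_code: 'DC-02',      // matches a custom alert field
  sys_id: 'constructed-value',  // on the default exclusion list
  category: 'network',          // on the default exclusion list
  rack: 'R14',                  // no alert field of that name
});

console.log(previewAlertFields(SAMPLE_ADDITIONAL_INFO, SAMPLE_ALERT_COLUMNS));
```

Running a preview like this over sample events shows which keys need a matching custom alert field and confirms that event data cannot populate system fields such as sys_id or sys_created_by while they remain on the exclusion list.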