Create an event rule in advanced view

Use the advanced view to create an event rule with regular expressions (regex). Event rules use the fields from the event to generate alerts.

Before you begin

Role required: evt_mgmt_admin or evt_mgmt_operator

About this task

You can create rules that:
  • Ignore events that match the specified criteria.
  • Transform information in events to populate specified alert field values.
  • Configure threshold rules that create alerts only when the incoming matching events pass over the specified threshold.
  • Bind alerts to CIs using CI identifiers.
After you add advanced mapping information to the event rule, it may no longer be viewable in the simple view. For example, the simple view cannot open an event rule that contains a regex pattern such as \b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b. An error message reminds you that the rule cannot be viewed in simple mode.
Options to create the rule are:
  • Create an empty event rule and assign event fields for alert generation.
  • Create a rule from an existing event or groups of events that do not have a rule, so the event fields are copied to the Event Match Fields section of the rule.

Note: Event rules that are not configured to perform any action are skipped. Therefore, if the rule is not configured as ignore, threshold, or binding, specify either the match fields or the compose fields so that the rule does something.

Procedure

  1. Navigate to Event Management > Rules > Event Rules.
  2. Do one of the following:
    Option: Create a new event rule
      Click New.
    Option: Create an event rule from an existing event
      1. Near the top of the form, click the link for events or grouped events that are not mapped to rules. Example wording of the link: "You have 4 Events and 2 grouped events that are not mapped to rules."
      2. Select the event that you want to use for creating the rule. The event fields are copied to the Event Field Rules section of the rule.
      3. Click Go to advanced mode.
  3. Fill in the Name, Source, and Order fields.
  4. (Optional) Use the fields from the event to set the filter for incoming events. Fill in the Event Field Rules section as appropriate.
    For example, if the filter requires a regular expression, double-click the dot-plus (.+) symbol placeholder and add the event field name. In the Event Match Fields section, double-click the event field to confirm and customize this information.
  5. If necessary, add or delete extra event field names in the Event Match Fields section. Use the Event Compose Fields section to generate the output verbiage that appears on alerts for this type of event.
    Table 1. Event Rule form [Advanced view]

    Name: The event rule name.
    Source: Category to which this matching rule applies. The rule only applies to events with the same event class value. If this value is empty, the rule applies to all events.
    Order: Order in which an event rule is evaluated when multiple rules are defined for the same type of event. Event rules are evaluated in ascending order.
    Active: Select to activate or deactivate the event rule. When the rule is deactivated, Event Management finds and applies another event rule. An alert is still created for the event unless Ignore is selected in another applicable rule.
    Description: Additional information that describes the event rule.
    Filter: Conditions that the fields of an event must match for this rule to apply. Depending on the event field, the filter can match a string, pattern, or regular expression. For regular expressions, the dot-plus (.+) symbol is a placeholder for mapping the event field name. The same information appears in the Event Match Fields section.
    Additional Info Filter: An optional string or regular expression filter. For regular expressions, the dot-plus (.+) symbol is a placeholder for mapping the event field name. The same information appears in the Event Match Fields section.
    Ignore event: Check box to ignore matching events and not create an alert.

    Transform section
    Active: Select to enable manipulation of information from events to populate specified alert field values.
    CI type binding (legacy): Select the binding criteria from the list. Available when Active is selected in the Transform section.

    Event Match Fields section (available when Active is selected in the Transform section)
    Field: The field that the event rule searches for a matching value. This field can either be from the Event [em_event] table or a field defined by a name-value pair in the event Additional Information field.
    Regular expression: The string, match pattern, or regular expression that the event rule uses to identify matching event values. Each dot-plus (.+) symbol requires a corresponding comma-separated value in the Mapping field. For example, consider the sentence: Node localhost has dropped its average response time to 55 ms, which falls below the threshold. To capture localhost and the value 55, enter the event field names hostNameFromEvent and newAvgresponseTime in the Mapping field, in that order. Examples of correct regular expressions that match this sentence are:
      • Node (.+) has dropped its average response time to (.+) ms .*
      • Node (.+) has dropped its average response time to (.+) ms which falls below the threshold
    The following example is incorrect, because the final part of the expression, which must cover the rest of the sentence after ms, is missing:
      Node (.+) has dropped its average response time to (.+) ms
    Mapping: Comma-separated event field names, one for each dot-plus (.+) symbol, in the same order as the symbols. For example: hostNameFromEvent, avgResponseTime, newAvgresponseTime, responseTimeThreshold. Note: Use unmapped as a field name only for a (.+) group whose captured value is not an actual mapping.

    Event Compose Fields section (available when Active is selected in the Transform section)
    Field: The field that the event rule inserts or updates. This field can either be from the Event [em_event] table or a field defined by a name-value pair in the Additional Information field of the event.
    Composition: The value to insert or update into the alert and bind to the CI on an incoming event. This value can use dynamic data from the Event [em_event] table or from a field defined by a name-value pair in the Additional Information field of the event. Specify dynamic data in the format ${field}.

    Threshold section
    Active: Check box to configure the generation of alerts for rapidly recurring events. Alerts are created only when the incoming matching events pass over the specified threshold.
    Threshold metric: Threshold name from the event, for example cpu. Available when Active is selected in the Threshold section.
    Create Alert Operator: Count or relational operator for creating an alert. Options include Count, >, >=, <, <=, =, and !=. If the criteria match, an alert is generated. For example, if Threshold metric is cpu and Count is 5, a threshold alert is generated after five events that contain cpu. Appears when Active is selected in the Threshold section.
    Star (*) (for Create Alert Operator): A numeric value. Appears when a relational operator is selected from the Create Alert Operator list.
    Occurs (for Create Alert Operator): Number of times that the event must occur with the Threshold metric and Create Alert Operator values to generate the alert. Appears when Active is selected in the Threshold section.
    Over (seconds) (for Create Alert Operator): Number of seconds within which the events with the Threshold metric and corresponding field values must occur to open the alert. The value 0 specifies an infinite time frame and can be used to exclude time from this threshold. Appears when Active is selected in the Threshold section.
    Close Alert Operator: Count or relational operator that defines the threshold that must be met to close an existing alert. Options include --None--, Idle, >, >=, <, <=, =, and !=. If the criteria match, the existing threshold alert is closed. For example, if the number of events that match the other criteria equals 5, the alert is closed. Appears when Active is selected in the Threshold section.
    (*) Value (for Close Alert Operator): A numeric value. Appears when a relational operator is selected from the Close Alert Operator list.
    Occurs (for Close Alert Operator): Number of times that the event must occur with the Threshold metric and Close Alert Operator values to close the alert. Appears when Active is selected in the Threshold section.
    Over (seconds) (for Close Alert Operator): Number of seconds within which the events with the Threshold metric must occur to close the alert. The value 0 specifies an infinite time frame and can be used to exclude time from this threshold. Appears when Active is selected in the Threshold section.

    Bind section
    Active: Select this option to bind alerts to CIs using CI identifiers.
    CI type: Pre-defined definition in the CMDB that describes a category of hardware, software application, or web service. Appears when Active is selected in the Bind section. See Figure 1.
    Event field: First specify a value for CI identifier attribute, then specify the value for this field, which is the value that the event rule searches for a match. Valid values for this field depend on the selection in the CI identifier attribute field. You can also specify field names that were defined in the Transform section.
    CI identifier attribute: Select the identifier attribute from the list. Appears according to the selection in the CI type field. The values in this field are derived from the attributes specified in the CI Identifiers form. To see this form, navigate to Configuration > Identification/Reconciliation > CI Identifiers. In the Identifiers list, search for the required CI name.
    Container Level 1: Select the container type from the list. Appears according to the selection in the CI type field.
    Note: The number of container levels that appear depends on how many parameters must be specified to identify the CI. For example, if Oracle iAS web module is selected as the CI type, then a server must be specified for Container Level 1 and hardware must be specified for Container Level 2. To see the definition, navigate to Configuration > Identification/Reconciliation > Metadata Rules Editor.
    Note: In the case of hardware (for example, cmdb_ci_hardware), if no value is specified in the Event field and CI identifier attribute fields, the node value from the event is used as the basis to search for CI hardware values to populate these fields.
    Figure 1. Example - event rule binding (Event rule binding properties)
  6. Click Submit.
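The Transform section above is easiest to understand by running the match, mapping, and compose steps on a sample event. The following is an added example written for this page; it is not ServiceNow code and does not show how the product implements the form. It applies the page's two correct patterns and the incorrect one to a constructed event whose description omits the comma before "which", so that the page's second pattern matches the text verbatim. The rule layout (a dict with match and compose rows), the field names hostNameFromEvent, newAvgresponseTime, short_description and message_key, and the use of re.fullmatch to model the requirement that the pattern cover the whole field value are all assumptions of the example.

```python
import re

# Constructed sample event (not from the page): fields of an Event [em_event] record.
# The description is worded so that the page's second regex matches it exactly.
SAMPLE_EVENT = {
    "source": "ResponseMonitor",
    "node": "localhost",
    "description": "Node localhost has dropped its average response time to 55 ms "
                   "which falls below the threshold",
}

# Hypothetical rule in the shape of the advanced form: one Event Match Fields row
# (Field, Regular expression, Mapping) and two Event Compose Fields rows
# (Field, Composition).  Field names are illustrative, not product defaults.
RULE = {
    "match": [
        {
            "field": "description",
            "regex": r"Node (.+) has dropped its average response time to (.+) ms .*",
            "mapping": "hostNameFromEvent, newAvgresponseTime",
        }
    ],
    "compose": [
        {"field": "short_description",
         "composition": "${hostNameFromEvent} response time ${newAvgresponseTime} ms"},
        {"field": "message_key",
         "composition": "${source}:${node}:response_time"},
    ],
}

# The page's incorrect pattern: it stops at "ms" and leaves the rest of the sentence uncovered.
INCORRECT_REGEX = r"Node (.+) has dropped its average response time to (.+) ms"


def match_field(value, regex, mapping):
    """Apply one Event Match Fields row to one event field value.

    Each capture group in `regex` maps, in order, to one comma-separated name in
    `mapping`; a group named `unmapped` is captured but discarded.  The pattern is
    required to cover the entire field value (modelled with re.fullmatch, an
    assumption of this example).  Returns the mapped values, or None on no match.
    """
    names = [n.strip() for n in mapping.split(",") if n.strip()]
    compiled = re.compile(regex)
    if compiled.groups != len(names):
        raise ValueError(f"regex has {compiled.groups} group(s) but mapping lists {len(names)} name(s)")
    m = compiled.fullmatch(value)
    if m is None:
        return None
    return {name: val for name, val in zip(names, m.groups()) if name != "unmapped"}


_PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")


def compose(composition, event, mapped):
    """Expand ${field} placeholders: transformed (mapped) names win over raw event fields.

    An unknown placeholder is left verbatim so a typo in the rule shows up on the
    alert instead of silently producing an empty string.
    """
    def resolve(m):
        key = m.group(1)
        if key in mapped:
            return mapped[key]
        if key in event:
            return str(event[key])
        return m.group(0)
    return _PLACEHOLDER.sub(resolve, composition)


def apply_rule(rule, event):
    """Run every match row, then every compose row.

    Returns the alert field values to set, or None if any match row fails,
    in which case the rule does not apply to the event.
    """
    mapped = {}
    for row in rule["match"]:
        result = match_field(str(event.get(row["field"], "")), row["regex"], row["mapping"])
        if result is None:
            return None
        mapped.update(result)
    return {row["field"]: compose(row["composition"], event, mapped) for row in rule["compose"]}


if __name__ == "__main__":
    print(apply_rule(RULE, SAMPLE_EVENT))
    print(match_field(SAMPLE_EVENT["description"], INCORRECT_REGEX, RULE["match"][0]["mapping"]))
```

Two things worth noticing when you write real rules: a greedy (.+) against text that an event source controls will capture whatever that source puts there, so composed alert fields are untrusted input downstream (in notifications, scripts, or lookups), and a pattern that does not cover the whole field value silently fails to apply rather than partially applying, which is exactly the behaviour the page's incorrect example describes.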
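The Threshold section is a rate-based detection: the Create Alert Operator with Count, together with Occurs and Over (seconds), decides when a run of matching events becomes one alert. The following is an added example, not product code from the page or from ServiceNow, that models that combination as a sliding-window counter so you can see how Over (seconds) changes the outcome, including the page's statement that 0 means an infinite time frame. The event shape (a dict with an assumed metric_name key), the timestamps, the two event streams, and the decision to fold later events into an already-open alert are all constructed for the example; how the product actually keeps its counts is not described on the page.

```python
from collections import deque


class ThresholdCounter:
    """Sliding-window model of a Threshold rule with Create Alert Operator = Count.

    Added illustration, not product code.  `occurs` is the Occurs value and
    `over_seconds` the Over (seconds) value; 0 means an unbounded window, as the
    page states.  The metric name is read from the event's `metric_name` key,
    which is an assumed field name for this example.
    """

    def __init__(self, metric, occurs, over_seconds):
        if occurs < 1 or over_seconds < 0:
            raise ValueError("Occurs must be >= 1 and Over (seconds) must be >= 0")
        self.metric = metric
        self.occurs = occurs
        self.over_seconds = over_seconds
        self._arrivals = deque()   # arrival times of counted events, oldest first
        self.alert_open = False

    def observe(self, event, now):
        """Feed one event that already passed the rule's filter, with its arrival
        time in epoch seconds.  Returns True exactly when this event crosses the
        threshold and a threshold alert is created; further events while the
        alert is open are folded into it and return False."""
        if event.get("metric_name") != self.metric:
            return False
        self._arrivals.append(now)
        if self.over_seconds:                        # 0 = never expire anything
            cutoff = now - self.over_seconds
            while self._arrivals and self._arrivals[0] < cutoff:
                self._arrivals.popleft()
        if len(self._arrivals) >= self.occurs and not self.alert_open:
            self.alert_open = True
            return True
        return False

    def close(self):
        """Simulate the alert being closed so that a later burst can alert again."""
        self.alert_open = False
        self._arrivals.clear()


def alert_positions(rule, stream):
    """Return the indices in `stream` (a list of (timestamp, event) pairs) at
    which `rule` creates a threshold alert."""
    return [i for i, (ts, ev) in enumerate(stream) if rule.observe(ev, ts)]


# Constructed sample streams (not from the page).
# A burst: five cpu events within 25 seconds, one unrelated memory event, then a straggler.
BURST_STREAM = [
    (0,   {"node": "web01", "metric_name": "cpu"}),
    (5,   {"node": "web01", "metric_name": "cpu"}),
    (10,  {"node": "web01", "metric_name": "cpu"}),
    (15,  {"node": "web01", "metric_name": "memory"}),
    (20,  {"node": "web01", "metric_name": "cpu"}),
    (25,  {"node": "web01", "metric_name": "cpu"}),
    (600, {"node": "web01", "metric_name": "cpu"}),
]
# A slow drip: five cpu events 100 seconds apart.
SLOW_STREAM = [(t, {"node": "web01", "metric_name": "cpu"}) for t in (0, 100, 200, 300, 400)]


if __name__ == "__main__":
    print(alert_positions(ThresholdCounter("cpu", 5, 60), BURST_STREAM))  # burst trips the rule
    print(alert_positions(ThresholdCounter("cpu", 5, 60), SLOW_STREAM))   # drip never does
    print(alert_positions(ThresholdCounter("cpu", 5, 0), SLOW_STREAM))    # Over = 0: drip trips it
```

Note that this counter is per rule, not per node: any source that can emit events matching the rule's filter contributes to the same count, so a noisy or spoofed source can both trip the threshold and, by keeping an alert open, hide a later burst from a different host. If that matters for your rule, narrow the Filter or include the node in the Event Match Fields rather than relying on the threshold alone.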

Result

The settings and values are validated. If the validation is successful, the Event Rule list displays. Otherwise, an error message displays, indicating where to find the information needed to complete the configuration. For example, if PostgreSQL DB [cmdb_ci_endpoint_postgresql] is specified for the CI type and insufficient attributes were specified, a message similar to the following displays:

  Missing information for the CI type: cmdb_ci_endpoint_postgresql. For more details, use the CI rule: PostgreSQL DB

In this case, click the PostgreSQL DB link in the message. The Identifier displays, showing that the criterion attributes are port,ip_address,host,instance,host_name.