Create event field mappings

Use event field mappings to provide more comprehensive information in an event alert by substituting values from the event field mapping rule into the event.

Before you begin

Role required: evt_mgmt_admin

About this task

Create the rule to match the event by its class and original values. Also specify the new values to replace the original values in the event.

Procedure

  1. Navigate to Event Management > Event Field Mapping.
  2. Click New or open an existing rule to edit.
  3. Fill in the fields, as appropriate.
    Table 1. Event Field Mapping form
    Field | Description
    Name | Event field mapping name.
    Source | Event monitoring software that generated the event, such as SolarWinds or SCOM. This field has a maximum length of 100. It was formerly known as event_class.
    Mapping type | Mapping mechanism that is used to change an event field value.
      • Constant: Mapping rule that transforms any value in the specified field to the new value provided. For example, a mapping rule could transform any value in the Node field to a hard-coded value such as Linux1.
      • Single field: Mapping rule that transforms specific values from one event field to another event field. For example, whenever the ciscoFlashCopyStatus mapping rule finds the specific value 8 in the ciscoFlashCopyStatus name-value pair, the mapping rule updates the field value to copyDeviceBusy.
    Active | Check box that activates or deactivates the event field mapping. If possible, find and apply another event field mapping rule.
    From field | Event field to replace.
    To field | Event field where the mapping rule inserts or updates the value. When this field is identical to the From field, the mapping rule updates the value of the event field in memory.
    Value | Value you want to use for the To field. This field appears when the Mapping Type is Constant.
    Key (Event Mapping Pairs section) | Value that the mapping rule searches for. Whenever the event field has this value, the mapping rule adds the value listed in the Value field to the field listed in the To field. This field appears when the Mapping Type is Single field.
    Value (Event Mapping Pairs section) | Value you want to insert or update into the To field. The mapping rule overwrites any existing value in the To field. This field appears when the Mapping Type is Single field.
  4. Click Submit.

Example

For example, see these values for a predefined rule that is applied to events in the Trap From Enterprise 9 class. If the events contain the snmpTrapOID element with a value of iso.org.dod.internet.private.enterprises.cisco.0.0, the mapping rule changes the value to reload in alerts. If the events contain the snmpTrapOID element with a value of iso.org.dod.internet.private.enterprises.cisco.0.1, the mapping rule changes the value to tcpConnectionClose in alerts.
Field | Values
Name | cisco.snmpTrapOID
Source | Trap From Enterprise 9
Mapping type | Single field
From field | snmpTrapOID
To field | snmpTrapOID
Event Mapping Pairs |
  • Pair 1
    • Key: iso.org.dod.internet.private.enterprises.cisco.0.0
    • Value: reload
  • Pair 2
    • Key: iso.org.dod.internet.private.enterprises.cisco.0.1
    • Value: tcpConnectionClose

What to do next

Test an event field mapping by sending an event that contains a field that is present in the event field mapping.
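
To know what a test event should look like after mapping, the behavior described on this page can be modeled offline. The Python model below is an added example, not ServiceNow code: the MappingRule class, the apply_rule function and the flat-dictionary events are hypothetical, and it assumes that inactive rules, events from another source, and values with no matching pair leave the event unchanged.

```python
from dataclasses import dataclass, field

@dataclass
class MappingRule:
    """Hypothetical stand-in for one Event Field Mapping rule (not a platform class)."""
    name: str
    source: str
    mapping_type: str                 # "Constant" or "Single field"
    from_field: str
    to_field: str
    value: str = ""                   # used by Constant rules
    pairs: dict = field(default_factory=dict)  # Key -> Value, used by Single field rules
    active: bool = True

def apply_rule(rule: MappingRule, event: dict) -> dict:
    """Return a copy of the event after the rule; untouched when the rule does not apply."""
    out = dict(event)
    # Assumption: inactive rules, other sources and events lacking From field are skipped.
    if not rule.active or event.get("source") != rule.source or rule.from_field not in event:
        return out
    if rule.mapping_type == "Constant":
        out[rule.to_field] = rule.value            # any original value is replaced
    elif rule.mapping_type == "Single field":
        key = event[rule.from_field]
        if key in rule.pairs:                      # assumption: unlisted values pass through
            out[rule.to_field] = rule.pairs[key]   # overwrites any existing To field value
    else:
        raise ValueError(f"unknown mapping type: {rule.mapping_type}")
    return out

OID = "iso.org.dod.internet.private.enterprises.cisco.0."
CISCO_RULE = MappingRule(
    name="cisco.snmpTrapOID", source="Trap From Enterprise 9",
    mapping_type="Single field", from_field="snmpTrapOID", to_field="snmpTrapOID",
    pairs={OID + "0": "reload", OID + "1": "tcpConnectionClose"},
)

# Constructed test events (flat dicts; real events carry more fields).
SAMPLE_EVENTS = [
    {"source": "Trap From Enterprise 9", "snmpTrapOID": OID + "0"},
    {"source": "Trap From Enterprise 9", "snmpTrapOID": OID + "1"},
    {"source": "Trap From Enterprise 9", "snmpTrapOID": OID + "2"},  # no pair defined
    {"source": "SCOM", "snmpTrapOID": OID + "0"},                    # different source
]

def mapped_values(rule=CISCO_RULE, events=SAMPLE_EVENTS):
    """The To field value of each sample event after mapping."""
    return [apply_rule(rule, e).get(rule.to_field) for e in events]

if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, mapped_values()):
        print(before["source"], before["snmpTrapOID"], "->", after)
```

The third and fourth sample events are the ones worth sending as negative tests: if a raw OID still reaches the alert, check whether the pair is missing or the Source value on the rule does not match the event.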