Populate custom alert fields

You can populate custom alert fields with data contained in the Additional information field of the event.

Data contained in the Additional information field of an event can be useful, for example, for reporting. Alert fields are automatically populated from fields that have the same name in the event. This behavior applies both to Additional information fields that arrive with the event and to Additional information fields that an Event Rule adds. Therefore, to populate a custom alert field with a value from Additional information, use the custom field name as the name of the Additional information field. You can also use Event Rules for this purpose. Values in the Additional information field of an event that are not in JSON key/value format are normalized to JSON format when the event is processed.

The short description field of an alert is automatically written using the type, node, and description of the alert. To prevent the short description field from being overwritten, open the sys_properties table, locate the evt_mgmt.override_alert_short_description property, change the value to false, and then click Update.

Depending on permissions, you may only be able to create fields with the user_ prefix. If so, use Event Rules to create an Additional information field with the same name.

To prevent some fields from being copied to the alert, use the evt_mgmt.alert_black_list_fields property and add the names of the fields that must be excluded. By default, the fields that are not copied are:
  • message_key
  • category
  • additional_info
  • sys_updated_on
  • sys_updated_by
  • sys_created_by
  • sys_created_on
  • sys_mod_count
  • sys_id
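
The copy rule described above can be checked before an event source goes live. The following is an added example, not ServiceNow code: a small model that predicts which Additional information keys would populate alert fields, which are stopped by the exclusion list, and which match no alert field. The function name, the sample payload, the sample column list, and the custom field user_business_unit are assumptions made for illustration.

```javascript
// Added illustration: models the copy rule described on this page; not platform code.
// Default exclusion list exactly as listed on this page (evt_mgmt.alert_black_list_fields).
const DEFAULT_EXCLUDED = [
  "message_key", "category", "additional_info", "sys_updated_on",
  "sys_updated_by", "sys_created_by", "sys_created_on", "sys_mod_count", "sys_id",
];

const emptyPlan = (error) => ({ copied: {}, excluded: [], unmatched: [], error });

// Predict what happens to each key in an event's Additional information.
//   additionalInfo: JSON string or object taken from the event
//   alertColumns:   field names that exist on the alert (assumed input, supply your own)
//   excluded:       contents of the exclusion property as a list of names
function planAlertFields(additionalInfo, alertColumns, excluded = DEFAULT_EXCLUDED) {
  let info = additionalInfo;
  if (typeof info === "string") {
    try {
      info = JSON.parse(info);
    } catch (e) {
      // The platform normalizes non-JSON values itself; this model does not guess how.
      return emptyPlan("not JSON");
    }
  }
  if (info === null || typeof info !== "object" || Array.isArray(info)) {
    return emptyPlan("not a JSON object");
  }
  const columns = new Set(alertColumns);
  const blocked = new Set(excluded);
  const plan = emptyPlan(null);
  for (const [key, value] of Object.entries(info)) {
    if (blocked.has(key)) plan.excluded.push(key);        // never copied to the alert
    else if (columns.has(key)) plan.copied[key] = value;  // same name: populates the alert field
    else plan.unmatched.push(key);                        // no alert field with this name
  }
  return plan;
}

// Constructed sample data. user_business_unit is a hypothetical custom alert field.
const SAMPLE_INFO = '{"user_business_unit":"payments","sys_id":"abc123","rack":"r12"}';
const SAMPLE_COLUMNS = ["user_business_unit", "sys_id", "node", "type"];

console.log(planAlertFields(SAMPLE_INFO, SAMPLE_COLUMNS));
```

A key reported under excluded shows that a sender-supplied value such as sys_id is not copied to the alert while the default exclusion list is in place.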