Create or edit an event rule

You can create event rules to generate alerts for tracking and remediation.

Before you begin

Role required: evt_mgmt_admin or evt_mgmt_operator

About this task

You can view the list of available event rules on the event rule page.
You can create rules that:
  • Transform information in events to populate specified alert field values and compose alert fields from various values.
  • Configure threshold rules that create or close alerts only when the incoming matching events exceed the specified threshold.
  • Bind alerts to CIs using CI identifiers.
Options to create the rule are:
  • Create an event rule and assign event fields for alert generation.
  • Create a rule from an existing event or groups of events that do not have a rule. In this case, the event fields are copied to the Event Match Fields section of the rule.
  • Edit an existing event rule.
Note: Event rules that are not configured to perform any action are skipped. Therefore, if the rule is not configured as ignore, threshold, or binding, it is important to specify either the match or the compose fields.

Procedure

  1. Navigate to Event Management > Rules > Event Rules and take one of the following actions:
    Option: Description
    Create an event rule from an existing event:
      1. Click the link for unassociated events or grouped events that are not mapped to rules.
         Example wording of the link: "There are 2 recommended rules, created out of 7 unassociated events of the most recent 50000 events."
      2. Select the event that you want to use for creating the rule.

         The event fields are copied to the Event Field Rules section of the rule.

    Edit an existing event rule: In the event rule list, click the required event rule to be modified.

      The event rule opens in the event rule designer where you can modify the values of the fields. If you cannot view the existing event rule in the event rule designer, click Save and Upgrade to modify the rule.

    Create an event rule: Click New.
  2. Ensure that Active is selected. When the rule is deactivated, Event Management finds and applies another event rule. An alert is still created for the event unless Ignore is selected in another applicable rule or when configuring the filter for this event rule.
  3. Enter a unique and meaningful name and fill in the form.
    Table 1. Event Rule Info form
    Field: Description
    Source: Category to which this matching rule applies. The mapping rule only applies to events with the same event class value. If this value is empty, the rule applies to all events.
    Order: Order in which an event rule is evaluated when multiple rules are defined for the same type of event. Event rules are evaluated in ascending order.
    Description: Type additional information that describes the event rule.
  4. (Optional) Define the event rule using these Event Rule designer features:
    Option: Description
    Event Filter: Define a filter that restricts which events the event rule applies to. See Filter event rules.
    Transform and compose alert output: Configure the customization of alert content. See Configure an event rule to customize alert content.
    Threshold: Create or close alerts according to the specified threshold. See Set a threshold to suppress alert generation.
    Binding: Configure event rules to automatically bind alerts to CI information from the CMDB. See Alert binding to CIs with event rules.
  5. Click Save, Submit, or Update.