Event Rule Binding Sequence
2 hours ago
I am working on Event Rules for Splunk integration and need clarification on the exact binding sequence when "Override default binding" is enabled with CI field matching.
My Configuration:
- Event Rule with "Override default binding" checked
- Binding Type: "CI Field matching"
- CI Type: Database Instance
What I am observing:
For some events, the system successfully binds the alert to Database Instance CIs using the name field from Additional Information. For others, it falls back to binding to the node (Server CI) even when a Database Instance CI with the matching name exists.
My understanding of the sequence:
1. Attempt to match the node with a CI Name in the DB Instance table.
2. If no match is found, try matching the node against Computer, OS, or Switch/Router CI types.
3. If still no match, attempt to match the Additional Info payload with a CI Name in the DB Instance table.
4. If no match is found, try matching the payload against Computer, OS, or Switch/Router CI types.
5. If none of the above steps produce a match, no CI is added to the alert.
Specific Question:
Is my understanding of binding sequence correct?
What could be the cause for this inconsistency?
Below are the event rule screenshots:

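The following is an added example, not code from ServiceNow and not part of the original post: a small JavaScript simulation of the four-step order the post describes, run against a constructed CMDB snapshot so that a given event's node and Additional Information can be walked through that order offline. The table names (cmdb_ci_db_instance, cmdb_ci_computer, cmdb_ci_os, cmdb_ci_netgear), the field names (node, additional_info.name) and the sample events are assumptions made for illustration; this is a model of the sequence as the post states it, not ServiceNow's actual binding implementation. Note what that order implies for the first sample event: when the node resolves to a Computer CI at step 2, the Additional Information name is never consulted, so the alert lands on the server even though a DB Instance with the matching name exists.

```javascript
// Added example (not ServiceNow code): simulation of the binding order
// described in the post. Table and field names below are assumptions.

// Constructed CMDB snapshot for the example.
const CMDB = {
  cmdb_ci_db_instance: [
    { sys_id: 'db01', name: 'ORCL_PROD' },
    { sys_id: 'db02', name: 'PGSQL_ANALYTICS' },
  ],
  cmdb_ci_computer: [
    { sys_id: 'srv01', name: 'srv-db-01' },
    { sys_id: 'srv02', name: 'srv-db-02' },
  ],
  cmdb_ci_os: [],
  cmdb_ci_netgear: [{ sys_id: 'sw01', name: 'core-sw-01' }],
};

// Classes the post lists as the fallback for node matching (assumed table names).
const NODE_CLASSES = ['cmdb_ci_computer', 'cmdb_ci_os', 'cmdb_ci_netgear'];

// Case-insensitive, whitespace-trimmed name lookup in one table.
function findByName(table, value) {
  if (typeof value !== 'string' || value.trim() === '') return null;
  const wanted = value.trim().toLowerCase();
  const rows = CMDB[table] || [];
  const hit = rows.find((r) => r.name.toLowerCase() === wanted);
  return hit ? { table, sys_id: hit.sys_id, name: hit.name } : null;
}

// One value (node or Additional Info name) tried against the DB Instance
// table first (step firstStep), then the node classes (step firstStep + 1).
function matchValue(value, firstStep) {
  const db = findByName('cmdb_ci_db_instance', value);
  if (db) return { ...db, step: firstStep };
  for (const table of NODE_CLASSES) {
    const hit = findByName(table, value);
    if (hit) return { ...hit, step: firstStep + 1 };
  }
  return null;
}

// Pull the "name" field out of Additional Information. It is treated as a
// JSON string (or an already parsed object); malformed JSON yields no name.
function additionalInfoName(event) {
  let info = event.additional_info;
  if (typeof info === 'string') {
    try { info = JSON.parse(info); } catch (e) { return null; }
  }
  return info && typeof info.name === 'string' ? info.name : null;
}

// Steps 1-4 from the post: node vs DB Instance, node vs node classes,
// Additional Info name vs DB Instance, Additional Info name vs node classes.
// Returns null when nothing matches (step 5: no CI bound).
function bindCi(event) {
  const byNode = matchValue(event.node, 1);
  if (byNode) return { ...byNode, source: 'node' };
  const byInfo = matchValue(additionalInfoName(event), 3);
  if (byInfo) return { ...byInfo, source: 'additional_info' };
  return null;
}

// Constructed events covering each outcome.
const SAMPLE_EVENTS = [
  // node resolves to a Computer CI at step 2, so the DB Instance named in
  // Additional Information is never consulted under this order
  { node: 'srv-db-01', additional_info: '{"name":"ORCL_PROD"}' },
  // node unknown, so Additional Information reaches the DB Instance table (step 3)
  { node: 'unknown-host', additional_info: '{"name":"ORCL_PROD"}' },
  // node itself is the DB Instance name (step 1); case differs on purpose
  { node: 'orcl_prod', additional_info: '{}' },
  // node unknown, Additional Information already parsed, matches a switch (step 4)
  { node: 'nowhere', additional_info: { name: 'core-sw-01' } },
  // nothing matches and the payload is not valid JSON (step 5)
  { node: 'nowhere', additional_info: '{not json' },
];

function describeBindings(events) {
  return events.map(bindCi);
}

// Stand-alone run: print which CI each sample event would bind to.
describeBindings(SAMPLE_EVENTS).forEach((r, i) => {
  console.log(`event ${i}:`, r ? `step ${r.step} -> ${r.table}/${r.sys_id}` : 'no CI bound');
});
```

To check a real case, replace the CMDB snapshot with the names from your own DB Instance and Server records and the event with the node and Additional Information values from em_event; if the model binds to the server where the instance binds to the DB Instance, the difference lies outside the order described in the post.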