Event management - Multiple Event Transform Rules

chrisoakey
Kilo Contributor

‎10-19-2015 06:11 AM

I can't find it documented anywhere, but it seems as though once you find a match for an event transform rule, it gets executed and then no more transform rules (even if they do match) are executed.   Is this the case?   If so, is there a way round it?

I'm integrating with SCOM and have a number of transform rules (all with order = 100) that set the alert severity depending on the event's SCOM Severity and Priority.   This works well, but if I define an extra transform rule (with a higher Order number of 110) that matches on the node, it doesn't seem to execute.   If I change the order from 110 to a lower number (say 90), it executes, but the others (with Order = 100) do not.

Labels:
0 Helpfuls
  • 1,880 Views
6 REPLIES 6

Brad Tilton
ServiceNow Employee
ServiceNow Employee

‎10-19-2015 06:43 AM

Are you using events or is this a scheduled transform? If you have multiple transform maps associated with a data source you should be able to have them all run in order.


0 Helpfuls

chrisoakey
Kilo Contributor
In response to Brad Tilton

‎10-20-2015 05:53 AM

Thanks for your answer Brad.   I'm using the Event Management plugin. Events are coming in from SCOM.   Event Management has a list of "Event Transform Rules" that can transform the values in an Event during the process of creating an Alert. You can define any number of these Event Transform Rules, but what I'm seeing makes me think that as soon as a match is found and an Event Transform Rule is applied, then no further matching is done to see if any of the other Event Transform Rules also match.   I need to do several transforms and so this is causing me a problem.


0 Helpfuls

briancrosby
ServiceNow Employee
ServiceNow Employee
In response to chrisoakey

‎10-28-2015 10:10 AM

Chris



I am sure there is a reason, but there is a OOTB Event Management Integration with SCOM. Is there a reason you aren't attempting to use that?


Microsoft System Center Operations Manager SCOM Integration - ServiceNow Wiki


0 Helpfuls

Tony Branton
ServiceNow Employee
ServiceNow Employee

‎06-02-2016 07:16 PM

That's the correct behaviour - only one matching Event Rule is applied.  



If I understand your use case correctly, you're wanting to set the alert severity based on information in the SCOM event.   You may be able to get part-way there with regex depending on whether you can match specific text.   You may then be able to use regex to replace the matching text and map that to an event field i.e. severity.



If you still have this problem forward me some examples of the SCOM data for me to look at.


0 Helpfuls