How to use dynamic fields in Event Transform Rules / Incident Templates?

steve_bothin
Kilo Explorer

Hello Community,

I'd like to use Event Transform Rules to get several separate values out of the Additional Information field "additional_info" of an event (received via MID Server - SNMP Trap Collector) using regular expressions.

Based on wiki http://wiki.servicenow.com/index.php?title=Configuring_Event_Management#Processing_Events_with_Event...

I know that I can use such dyn. attributes by ${myfield}.

field              regexpr        mapping
-----------------  -------------  ---------
additional_info    abc(.*)def     myfield

I also know that those attributes are not stored in event table, but how I can use them in my Incident Template for e.g. creating a custom incident description?

Addressing them by ${myfield} will not work. Also, I'm missing any error output.
Is there a way to enable somehow debug mode and access any logging?

Thanks for any hints.

Regards,

Steve

6 REPLIES

Tony Branton
ServiceNow Employee

Hi Steve,

You use the Event Compose section of the event transform rule to set field values for an event that would then end up in an Alert. An important point to note is that the Event Match section is intended to match events received by ServiceNow. You define the matching criteria to identify the events to be processed by the transform rule. For some match criteria, you can map the value to a field variable that can then be referenced in the Event Compose section of the transform rule.

Assuming your Event Match section correctly matched an event, in the Event Compose section, you'd enter a description field with the Composition set to ${myfield}. When the transform rule processes an event, the description field will be set to the contents of ${myfield}. Be sure to set the severity field to an appropriate value, particularly if you want the resulting alert to trigger the creation of an Incident.

The next step requires an Alert Rule to be configured, triggered by an Alert meeting specific criteria (e.g. source=<Your_SNMP_event_source> & severity=Critical & maintenance=false). You then select an Incident Template for the Alert Rule to use (you may want to create your own, setting Incident fields to specific values) and save the Alert Rule.

At this point, provided your transform rule is processing events correctly and an event is received leading to an Alert meeting the trigger condition in the Alert Rule, an Incident will be automatically created.

Hope this helps.


cbester
Tera Contributor

Were you able to find a way to extract the information from the additional information field?


Tony Branton
ServiceNow Employee

Hi Colleen,

You use the Event Compose section in the Event Transform rules to extract values from the Additional Information field. The prerequisite is that data in the Additional Information field is paired and in JSON format, e.g.:

    {
        "attribute1": 10,
        "attribute2": 20,
        "attribute3": 30
    }

In the Event Compose section you'd set a field, e.g. "resource", to ${attribute1} and that would populate the resource field with "10" when the Event Transform rule executed.

Hope this makes sense.


Hi, I've run into the same thing, but need to go one step further.

I'm parsing a log file and sending the log entries in via an SNMP trap. Inside the Additional Information field there is a ton of data, but it's all stored in one "key / value" pair. How do I break it up further to extract the node, resource, severity, etc.?

Here's an example (a snippet from my Additional Information field):



"int_ev_type" : "SNMP",


  "iso.org.dod.internet.private.enterprises.27002.1.1" : "MQMHLP001,VCC_POST LogWatcher.( Please check IR360alertAA.log ) is in Critical status. Message=( 2015-04-21T20:22:01 - Queue Alert 'AMR_SHAREDMQ_PHS_STAGE_QUE_MQL_1000_WARN' Fired for Queue Manager 'ESMQSS08_09_07 - EAMQSC1' Object 'CTS.DPR.S.ELF.ELFRAME.01' Condit,LogWatcher.( Please check IR360alertAA.log ) is in Critical status. Message=( 2015-04-21T20:22:01 - Queue Alert 'AMR_SHAREDMQ_PHS_STAGE_QUE_MQL_1000_WARN' Fired for Queue Manager 'ESMQSS08_09_07 - EAMQSC1' Object 'CTS.DPR.S.ELF.ELFRAME.01' Condit,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n",


  "peer_address" : "10.16.191.250",



I want to strip out things from the iso.org.dod.internet.private.enterprises line like MQMHLP001 (Node), Critical (Severity), LogWatcher (Resource), etc.

Can I do this with Transform or Mapping rules?

Thanks


Brad
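The following is an added illustration, not ServiceNow code or anything posted in this thread. It models in plain JavaScript what the replies above describe: the JSON keys in additional_info become ${attribute} variables (Tony's second reply), regex capture groups from a transform rule row add further variables (Steve's table), and a ${...} template is composed into incident fields (Tony's first reply). The sample event is constructed from Brad's snippet, with the long OID value shortened; the rule rows, the regexes, and the function names (parseAdditionalInfo, applyTransformRules, compose, buildIncidentFields) are my own assumptions and do not correspond to a ServiceNow API. Malformed JSON and unresolved placeholders are handled explicitly, since those are the failure modes Steve was unable to see in the logs.

```javascript
// Constructed sample event (shortened from Brad's post). additional_info is a
// JSON string, which is the format Tony's reply says the compose step expects.
const OID_KEY = "iso.org.dod.internet.private.enterprises.27002.1.1";
const SAMPLE_EVENT = {
  source: "SNMP",
  additional_info: JSON.stringify({
    int_ev_type: "SNMP",
    [OID_KEY]:
      "MQMHLP001,VCC_POST LogWatcher.( Please check IR360alertAA.log ) is in " +
      "Critical status. Message=( 2015-04-21T20:22:01 - Queue Alert " +
      "'AMR_SHAREDMQ_PHS_STAGE_QUE_MQL_1000_WARN' Fired for Queue Manager " +
      "'ESMQSS08_09_07 - EAMQSC1' Object 'CTS.DPR.S.ELF.ELFRAME.01' Condit,,,,\n",
    peer_address: "10.16.191.250",
  }),
};

// Hypothetical transform rule rows, like the field / regexpr / mapping table in
// Steve's question. `key` selects an entry inside the parsed additional_info;
// rows without `key` read a top-level event field. Each regex has one capture
// group whose value is stored under `mapping`.
const TRANSFORM_RULES = [
  { field: "additional_info", key: OID_KEY, regex: /^(\w+),/, mapping: "node" },
  { field: "additional_info", key: OID_KEY, regex: /^\w+,\S+ (\w+)\./, mapping: "resource" },
  { field: "additional_info", key: OID_KEY, regex: / is in (\w+) status/, mapping: "severity" },
];

// Hypothetical incident description template using the ${variable} syntax.
const INCIDENT_TEMPLATE = "${node}: ${resource} reported ${severity} (trap from ${peer_address})";

// Parse additional_info defensively: a malformed payload yields an empty map
// instead of aborting event processing, so the event is still transformed.
function parseAdditionalInfo(raw) {
  if (typeof raw !== "string") return {};
  try {
    const parsed = JSON.parse(raw);
    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
  } catch (e) {
    return {};
  }
}

// Build the variable map: every JSON key first (so ${attribute1} works as in
// Tony's reply), then each regex rule's capture group on top.
function applyTransformRules(event, rules) {
  const info = parseAdditionalInfo(event.additional_info);
  const vars = {};
  for (const k of Object.keys(info)) vars[k] = String(info[k]);
  for (const rule of rules) {
    const haystack = rule.key !== undefined ? info[rule.key] : event[rule.field];
    if (typeof haystack !== "string") continue; // missing field: rule is skipped
    const m = rule.regex.exec(haystack);
    if (m && m[1] !== undefined) vars[rule.mapping] = m[1];
  }
  return vars;
}

// Resolve ${name} placeholders. Unknown names are left visible rather than
// silently blanked, so a wrong mapping is noticeable in the resulting alert.
// The result is capped because trap payloads are attacker-influenced and
// unbounded text should not flow into incident fields unchecked.
function compose(template, vars, maxLen = 4000) {
  const out = template.replace(/\$\{([^}]+)\}/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : whole);
  return out.length > maxLen ? out.slice(0, maxLen) : out;
}

// Simulate the compose step producing the fields an alert / incident would get.
function buildIncidentFields(event, rules, template) {
  const vars = applyTransformRules(event, rules);
  return {
    node: vars.node || "",
    resource: vars.resource || "",
    severity: vars.severity || "",
    description: compose(template, vars),
  };
}

console.log(buildIncidentFields(SAMPLE_EVENT, TRANSFORM_RULES, INCIDENT_TEMPLATE));
```

On the sample event this yields node MQMHLP001, resource LogWatcher, severity Critical, and a description that also pulls peer_address straight from the JSON without any regex rule. Adjust the three regexes to your own trap format; anchoring them (^) keeps a later field in the value from being mistaken for the node.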