Event Field Mapping Not executed
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-25-2017 03:41 AM
Hi Experts,
We need your help in fix the issue which am facing in event field mapping.
We wrote event rule and event filed mapping to process SNMP trap but the event field mapping is not executed after the event rules.
**********************************************************************************************
Sample SNMP trap:
Trap Source is 'Interface1'
{"sysUpTime":"0:00:06.00",
"int_ev_type":"SNMP",
"snmpTrapOID":"iso.org.dod.internet.private.enterprises.cisco.0.0",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.19":"1",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.17":"Node1",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.18":"Inteface1",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.15":"5",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.16":"Indicates a fault within the Wide Area Network."
}
**********************************************************************************************
Event Rule:
Trap Source :Interface1
Additional Filter: iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.19=1
Setting the alert fields using varbinds 16, 17, 18, 19
**********************************************************************************************
Event Field Mapping:
Trap Source :Interface1
Mapping Type: Single Field
From Field: iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.15
To Field: Severity
Key <------------> Value
5 <------------> 1
4 <------------> 2
2 <------------> 4
1 <------------> 5
******************************************************************************************
Sample trap and work notes with no event rule matched but the event field mapping applied
Trap:
Trap Source is 'Interface1'
{"sysUpTime":"0:00:06.00",
"int_ev_type":"SNMP",
"snmpTrapOID":"iso.org.dod.internet.private.enterprises.cisco.0.0",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.19":"2",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.17":"Node1",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.18":"Inteface1",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.15":"5",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.16":"Indicates a fault within the Wide Area Network."
}
Work Notes:
2017-05-24 10:57:54 - SystemWork notes
Created new alert with state Open due to event
Mapping rule(s) applied: Netcool.snmpTrapOID, Netcool severity
***********************************************************************************
Sample trap and work notes with no event rule matched but the event field mapping applied
Trap:
Trap Source is 'Interface1'
{"sysUpTime":"0:00:06.00",
"int_ev_type":"SNMP",
"snmpTrapOID":"iso.org.dod.internet.private.enterprises.cisco.0.0",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.19":"1",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.17":"Node1",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.18":"Inteface1",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.15":"5",
"iso.org.dod.internet.private.enterprises.42767.64.1.1.3.1.16":"Indicates a fault within the Wide Area Network."
}
Work Notes:
2017-05-24 10:57:09 - SystemWork notes
Created new alert with state Open due to event: Indicates a fault within the Wide Area Network.
Event rule applied: Netcool lab alerts
***********************************************************************************
What we have observed is event field mapping isnot executed if the event rule match's the event.
but the event field mapping is applied is no event rule is matched for the event.
From your post we believe the event field mapping should execute after the event rules.
- Labels:
-
Event Management
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-12-2017 05:58 AM
Hello Chandran!
I hope you are doing fine
Can you give more information on how this data comes into ServiceNow?
Is it through and inbound service?
Is there a transform map?
Are you trying to import data into a custom table or an existing one(does it extend a ServiceNow table)?
We had a similar task here in the office. The first thing that I notice is that our Event Field Mapping "To field" value is "severity" with lower "s". This is a long shot from my side, but it is worth the try
Hope I helped!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-12-2017 02:04 AM
Alek,
We are getting alerts through the SNMP trap.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-25-2021 12:43 PM
Field Mapping Rules fire *after* the Event Rule, fwiw.
This means that if I have a field mapping to translate a value of '13' in a particular OID to the real world 'Printer' string, I won't be able to take advantage of that enhanced readability and will need to filter based on '13' in the Event Rule.
To me this is unfortunate, and I am wondering why they designed it this way.
In my case, I was changing the 'Source' column in the Event Rule from 'Enterprise Trap from 1167' or somesuch to 'AppName', and my field mapping rules were still looking for 'Enterprise Trap from 1167', and so did not fire after the Event Rule.
