Event management Event rule

priceless · ‎04-25-2022

Hi Team

Need your inputs/help on event rule writing for a multiple line text from description field. Actually from MS Az we are only receiving description in event table. How can we parse and get values to event's multiple attributes like node etc ..

Vendor says from multiple line text field (description) regex wont work in event rule to pick Node etc values but it will work if its single line. But we need other values also in description field.

Please suggest possible solution to overcome this issue.

Description looks like below:

Alert : Fired:Sev2 Azure Monitor Alert VM CPU Utilization Exceeded 75 on SERVERXX
version : 2.0
properties :
status : Activated
context : {
"timestamp": "2022-04-25T13:26:24.4145113Z",
"id": "/subscriptions/xxxxxxxxxxxx06-abcd/resourceGroups/abcdfgp01/providers/microsoft.insights/metricalerts/VM CPU Utilization Exceeded 75",
"name": "VM CPU Utilization Exceeded 75",
"description": "VM CPU Utilization Exceeded 75",
"conditionType": "MultipleResourceMultipleMetricCriteria",
"severity": "2",
"condition": {
"windowSize": "P",
"allOf": [
{
"metricName": "Percentage CPU",
"metricNamespace": "Microsoft.Compute/virtualMachines",
"operator": "GreaterThan",
"threshold": "75",

Regards

Rash

Rahul Priyadars · ‎04-25-2022

How AZURE is posting this data into EM_EVENT Table?

Parsing inside event rule is going to be more complex that parsing it before hand. I can think of Using a Before Inert Business rule on em_event table to Parse and Push into Corresponding Columns.

Just a wild idea but you may give a try.

Regards

RP

Ryan Zulli · ‎04-29-2022

Hi Rash,

I would like to politely disagree with Rahul (as we know he is very knowledgable) on this case - as we do NOT suggest executing any business rules against the em_event table.

Further the advice your vendor gave you is also incorrect as we are able to parse out multiline descriptions using regex - its just not pretty. In your example above I created an event using that description and was able to write a rule to parse out Version and Status, placing their values in the Type and Resource fields ::

with multiline you'll need to take into account each line (from my experience), if you can request a consistent payload then this should work using very few rules ::

and the Alert ::

Hope this helps.

Thanks,

-Ryan

Rahul Priyadars · ‎04-29-2022

+1 awesome.

priceless · ‎07-10-2023

Forgot to mention that this issue was resolved by doing Webhook integration with Azure and then Push connector script and Event rules. After that we were able to receive Azure resource group configuration details etc in Event table properly. But we need to also coordinate with Azure team so that can understand to configure resource group and send events to ServiceNow. Our case resoved end-2-end.