I have found that this occurs when an event matches the filter but does not match the intended result for the field parsing in the transform section.

If the field you are using to extract the value from does not meet the criteria of your regex for parsing then you will get <<UNKNOWN>> placed into the variable.

Can you provide your rule information and the event details that incorrectly produced the <<UNKNOWN>> result?

Hi SB,

As per best practice - please do NOT extend the em_event table. The new u_business_unit field should be added to Alert if its really needed there.  What is your exact use case?  What are you trying to solve?

Thanks,

-Ryan

Ryan you are correct. I would strongly discourage the creation of a new field in the Event Table and use the Additional Information in the Alert or extend the Alert table to include the new field.

As for the <<UNKNOWN>> result, my previous explanation is most likely the cause. If a calculated Expression in an Event rule is unable to correctly identify the value based on a regex that does not find the intended string within the field, it will populate that Expression with <<UNKNOWN>>.

Example:

Event rule used to create the regex contained in the description

"This hostname should be placed in the node field"

The regex is coded to pull the "hostname" from the description field as follows:

This (.*) should be placed in the node field

This would result in the value passed between This and should to be placed in an Expression that can be used in any field in the alert.

If the description changed and was passed to the Event as:

"A New host hostname should be placed in the node field"

The regex would fail to match the string and populate the Expression with <<UNKNOWN>>

This is a very basic example but the premise is the same. If an Event rule has a filter to execute on specific events and the regex is specific to a format of a Field and that format is different on an inbound event, then <<UNKNOWN>> will be the result.