Help with Event Field Mapping

stevemacamway
Giga Expert

I'm receiving events from the Dynatrace SaaS monitoring tool, and am having trouble mapping the severity from an Additional Info field to the Alert severity field. 

Event Received

Here is the JSON I am receiving:

{ 
"source":"DynatraceSaaS",
"event_class":"PreProd",
"message_key":"-8448799258834331507",
"type":"increase",
"resource":"INFRASTRUCTURE",
"severity":2,
"description":"Slow disk",
"additional_info":"{'ProblemTitle':'Slow disk','ProblemID':'507','ProblemSeverity':'ERROR','ImpactedEntity':'low disk on Host uslxp6709a.intranet.local','ProblemURL':'https://abc151456.live.dynatrace.com/#problems/problemdetails;pid=-8448799258834331507','dt_severity':'OPEN','dt_Tags':'CI_ID:9f401c34db915fc4571a3a92ba961908, Role:Application Server, Country:Corp, Application:MAGIC Bonus, AppEnvironment:Theta, Region:Global'}"
}

The "additional_info" is being parsed out to the following (as shown in the related Alert):

{
"ProblemTitle":"Slow disk",
"ProblemID":"507",
"ProblemSeverity":"ERROR",
"ImpactedEntity":"low disk on Host uslxp6709a.intranet.local",
"ProblemURL":"https://abc151456.live.dynatrace.com/#problems/problemdetails;pid=-8448799258834331507",
"dt_severity":"OPEN",
"dt_Tags":"CI_ID:9f401c34db915fc4571a3a92ba961908, Role:Application Server, Country:Corp, Application:MAGIC Bonus, AppEnvironment:Theta, Region:Global"
}

I also have the following for an Event Field Mapping entry:

Event Field Mapping

Name: Corp.DynatraceSaaS.Severity
Source: DynatraceSaaS
Order: 100
Mapping type: Single Field
From field: dt_severity
To field: Severity

Event Mapping Pairs

Key --> Value
OPEN --> 3
MERGED --> 3
RESOLVED --> 0

Event Rule

Name: Corp.DynatraceSaaS
Source: DynatraceSaaS
Order: 99
Event Filter:
dt_Tags : contains : CI_ID:
ProblemSeverity: is not : CUSTOM_ALERT

Result

With the setup above, I would expect that the Alert would be created with a Severity of 'Minor' (3). What I get is an Alert with a Severity of 'Major' (2). 

If I try the same thing, without the 'severity' field (in the main body of the JSON), the State of the Event goes to "Error". There is an entry in the System Log of Level Error: 

(69)com.glideapp.itom.snac.processor.EvtMgmtEventProcessor - Event [] severity: Invalid value
: no thrown error

This confuses me, because I know we have other Events coming in (albeit via SNMP) that do not throw this error.

So, any help anyone can give me, I would really appreciate!

Thanks,

Steve

arielgritti
Mega Sage

Hello

"With the setup above, I would expect that the Alert would be created with a Severity of 'Minor' (3). What I get is an Alert with a Severity of 'Major' (2)" -> If the incoming event has a value in the severity field, then the alert is created with that value; in your case severity = 2, so a Major alert was created. That is correct and OOTB behavior.

"If I try the same thing, without the 'severity' field (in the main body of the JSON), the State of the Event goes to "Error". There is an entry in the System Log of Level Error: " -> If an event doesn't have a "severity" value, it's not processed and goes to the error state. OOTB behavior.

The event field mapping looks OK; maybe you can try with the order. Try with 10.

I hope my answer has been useful.

Ariel

PS: Please mark my answer correct or helpful if I have helped you. Thanks

Liju John1
Mega Guru

I'm getting the same error even if I added the numbers 1/2/3/4.

(70)com.glideapp.itom.snac.processor.EvtMgmtEventProcessor - Event [] severity: Invalid value
: no thrown error

It was not setting the severity to 1 - Critical / 2 - Major ...

I'm not sure why, but it appears that you are not getting the value into the severity field of the event for some reason. I can see it in the Description field of the event, but not the Severity. Is there any way you can capture the actual json that is sent to ServiceNow? 

RichG
Kilo Expert

Hi Steve

I seem to be trailing behind you by about a year and keep facing similar problems!

Did you manage to resolve this? 

Many thanks

Richard