Help with Event Field Mapping
05-09-2018 10:27 AM
I'm receiving events from the Dynatrace SaaS monitoring tool, and am having trouble mapping the severity from an Additional Info field to the Alert severity field.
Event Received
Here is the JSON I am receiving:
{
"source":"DynatraceSaaS",
"event_class":"PreProd",
"message_key":"-8448799258834331507",
"type":"increase",
"resource":"INFRASTRUCTURE",
"severity":2,
"description":"Slow disk",
"additional_info":"{'ProblemTitle':'Slow disk','ProblemID':'507','ProblemSeverity':'ERROR','ImpactedEntity':'low disk on Host uslxp6709a.intranet.local','ProblemURL':'https://abc151456.live.dynatrace.com/#problems/problemdetails;pid=-8448799258834331507','dt_severity':'OPEN','dt_Tags':'CI_ID:9f401c34db915fc4571a3a92ba961908, Role:Application Server, Country:Corp, Application:MAGIC Bonus, AppEnvironment:Theta, Region:Global'}"
}
The "additional_info" is being parsed out to the following (as shown in the related Alert):
{
"ProblemTitle":"Slow disk",
"ProblemID":"507",
"ProblemSeverity":"ERROR",
"ImpactedEntity":"low disk on Host uslxp6709a.intranet.local",
"ProblemURL":"https://abc151456.live.dynatrace.com/#problems/problemdetails;pid=-8448799258834331507",
"dt_severity":"OPEN",
"dt_Tags":"CI_ID:9f401c34db915fc4571a3a92ba961908, Role:Application Server, Country:Corp, Application:MAGIC Bonus, AppEnvironment:Theta, Region:Global"
}
I also have the following for an Event Field Mapping entry:
Event Field Mapping
Name: Corp.DynatraceSaaS.Severity
Source: DynatraceSaaS
Order: 100
Mapping type: Single Field
From field: dt_severity
To field: Severity
Event Mapping Pairs
Key --> Value
OPEN --> 3
MERGED --> 3
RESOLVED --> 0
Event Rule
Name: Corp.DynatraceSaaS
Source: DynatraceSaaS
Order: 99
Event Filter:
dt_Tags : contains : CI_ID:
ProblemSeverity: is not : CUSTOM_ALERT
Result
With the setup above, I would expect that the Alert would be created with a Severity of 'Minor' (3). What I get is an Alert with a Severity of 'Major' (2).
If I try the same thing, without the 'severity' field (in the main body of the JSON), the State of the Event goes to "Error". There is an entry in the System Log of Level Error:
(69)com.glideapp.itom.snac.processor.EvtMgmtEventProcessor - Event [] severity: Invalid value
: no thrown error
This confuses me, because I know we have other Events coming in (albeit via SNMP) that do not throw this error.
So, any help anyone can give me, I would really appreciate!
Thanks,
Steve
07-23-2019 03:53 PM
I have been seeing the same behavior using the REST API to insert the row. If I have anything other than 0-5 in this, I get an error, but it saves the record with an empty (-None-) value.
07-26-2019 10:36 AM
Hi Mike,
I managed to find this article which was really useful and helped me get over this issue as well as helping resolve other things:
Become Awesome with Event Rules https://community.servicenow.com/community?id=community_blog&sys_id=6f8caae1dbd0dbc01dcaf3231f961914
There were a few other nuances that I worked through and if the article doesn't completely help, I might be able to recall when back in the office.
The one thing I seemed to have to accept was that the mapping only changed what went into the alert, not the event. So it was best to leave the 'severity' field out of the webhook payload coming into the API, so that the event severity was just set to 'none', rather than misaligning the alert and event severity values. Instead, I included a 'source_severity' value in the 'additional_info' containing the severity of the monitoring tool and mapped this to the alert 'severity' field in event mapping.
Hopefully this helps?
Let me know if you need more help.
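To make the mapping in Steve's original setup and the workaround in the reply above concrete, here is an added Python simulation (not ServiceNow code, and not from either poster): it parses the single-quoted additional_info string without eval, applies the Event Filter and the Event Mapping Pairs from the first post, and rejects any resulting severity outside 0-5 the way Mike reports the platform doing. The sample payload is constructed from the original post with the body 'severity' left out and a 'source_severity' key added, as the reply recommends; the function and field names are assumptions.

```python
import ast
import json

# Constructed sample: the webhook body from the original post, with the body
# 'severity' key left out and a 'source_severity' value carried inside
# additional_info instead, as the reply recommends.
SAMPLE_EVENT = {
    "source": "DynatraceSaaS",
    "event_class": "PreProd",
    "message_key": "-8448799258834331507",
    "type": "increase",
    "resource": "INFRASTRUCTURE",
    "description": "Slow disk",
    "additional_info": "{'ProblemTitle':'Slow disk','ProblemSeverity':'ERROR',"
                       "'dt_severity':'OPEN','source_severity':'ERROR',"
                       "'dt_Tags':'CI_ID:9f401c34db915fc4571a3a92ba961908, Role:Application Server'}",
}

# Event Mapping Pairs from the post: dt_severity value -> alert Severity.
MAPPING_PAIRS = {"OPEN": 3, "MERGED": 3, "RESOLVED": 0}


def parse_additional_info(raw):
    """additional_info arrives as a single-quoted, dict-like string, which json.loads
    rejects. ast.literal_eval parses that shape while only accepting literals, so an
    untrusted webhook payload is never handed to eval()."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        data = ast.literal_eval(raw)
        if not isinstance(data, dict):
            raise ValueError("additional_info is not an object")
        return data


def rule_matches(info):
    """Event Filter from the post: dt_Tags contains 'CI_ID:' and ProblemSeverity is not CUSTOM_ALERT."""
    return "CI_ID:" in info.get("dt_Tags", "") and info.get("ProblemSeverity") != "CUSTOM_ALERT"


def map_alert_severity(event, from_field="dt_severity", pairs=MAPPING_PAIRS):
    """Return (alert_severity, error). A value outside 0-5 is reported with the same
    'severity: Invalid value' text that the post quotes from the System Log."""
    info = parse_additional_info(event["additional_info"])
    if not rule_matches(info):
        return None, "event rule did not match"
    value = pairs.get(info.get(from_field))
    if value is None or not 0 <= value <= 5:
        return None, "severity: Invalid value"
    return value, None
```

Swap from_field="source_severity" and a pairs table keyed on the monitoring tool's own levels to model the reply's workaround; the filter and range check stay the same.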