Help with Event Listener Transform Script

John Shores1 · ‎01-28-2019

/* Disclaimer -- I'm a scripting noob, so be gentle. 😉 */

I have events coming into em_event from Logicmonitor via an Event Listner (https:// <instance>.service-now.com/api/global/em/jsonv2). The events are coming over, but not being mapped to the table very well. I started working on a transform script, but the mappings don’t really seem to be working at all. The JSON payload looks like this (it is well formed and ingests properly into em_event without the script):

{ "records":
  [
    {
    "source": "Logicmonitor",
    "event_class": "##AGENT_DESCRIPTION##",
    "node": "##HOST##",
    "resource": "##DataSource##",
    "metric_name": "##DPDESCRIPTION##",
    "type": "##ALERTTYPE##",
    "severity": "##LEVEL##",
    "time_of_event": "##DATE##",
    "description": "##MESSAGE##",
    "additional_info":"{
      'alertID': '##ALERTID##', 
      'alertStatus': '##ALERTSTATUS##',                                            
      'dataPoint': '##DATAPOINT##', 
      'dataSource': '##DataSource##', 
      'date': '##DATE##', 
      'dataSourceDescription': '##DSDESCRIPTION##', 
      'dataSourceInstanceDescription': '##DSIDESCRIPTION##', 
      'dataPointDescription': '##DPDESCRIPTION##', 
      'eventSource': '##EVENTSOURCE##', 
      'group': '##GROUP##',
      'host': '##HOST##', 
      'hostname': '##HOSTNAME##', 
      'hostDescription': '##HOSTDESCRIPTION##', 
      'deviceURL': '##DEVICEURL##', 
      'instance': '##INSTANCE##', 
      'instanceGroup': '##INSTANCEGROUP##', 
      'level': '##LEVEL##', 
      'start': '##START##', 
      'startEpoch': '##STARTEPOCH##',
      'duration': '##DURATION##', 
      'threshold': '##THRESHOLD##', 
      'value': '##VALUE##', 
      'agentID': '##AGENTID##', 
      'agentDescription': '##AGENT_DESCRIPTION##', 
      'backupAgentID': '##BACKUPAGENTID##',
      'backupAgentDescription': '##BACKUPAGENT_DESCRIPTION##',
      'externalTicketID': '##EXTERNALTICKETID##',
      'end': '##END##', 
      'website': '##WEBSITE##',
      'checkPoint': '##CHECKPOINT##',
      'detail': '##DETAIL##',
      'websiteDescription': '##WEBSITEDESCRIPTION##',
      'websiteGroup': '##WEBSITEGROUP##',
      'url': '##URL##',
      'websiteRequest': '##WEBSITEREQUEST##',
      'websiteResponse': '##WEBSITERESPONSE##',
      'eventCode': '##EVENTCODE##',
      'logFile': '##LOGFILE##',
      'sourceName': '##SOURCENAME##',
      'message': '##MESSAGE##',
      'alertType': '##ALERTTYPE##'
      }"
    }
  ]
}

The items enclosed by double hashtags are tokens within Logicmonitor.

I've created a listener transform script based off the Azure event script and changed the event listener to https://<instance>.service-now.com/api/global/em/inbound_event?source=logicmonitor. The script is:

(function process(/*RESTAPIRequest*/ request, body) {
  gs.info('inside em logicmonitor event processor, body: ' + body + ', headers: ' + 
  JSON.stringify(request.headers));
  var requestBody = JSON.parse(body);
  var extra_info = requestBody.additional_info;
  var resolutionState = 'New';                        
  var severity = "0";                             
  try
    {
    severity = requestBody.severity;
    if (severity == 'critical') {
      severity = '1';
      } else if(severity == "major") {
      severity = "2";
      } else if(severity == "minor") {
      severity = "3";
      } else if(severity == "warn") {
      severity = "4";
      } else if(severity == "info") {
      severity = "5";
      } else if(severity == "ok") {
      severity = "0";
      resolutionState = 'Closing';
    }
             
    //Create the new event record
    var gr = new GlideRecord('em_event');
    gr.initialize();
                                
    // Prepare additional_info JSON                
    var additional_info = JSON.parse(JSON.stringify(requestBody.additional_info));                   
    additional_info['alertID'] = extra_info.alertID;
    additional_info['alertStatus'] = extra_info.alertStatus;
    additional_info['dataPoint'] = extra_info.dataPoint;
    additional_info['dataSource'] = extra_info.dataSource;
    additional_info['date'] = extra_info.date;
    additional_info['dataSourceDescription'] = extra_info.dataSourceDescription;
    additional_info['dataSourceInstanceDescription'] = extra_info.dataSourceInstanceDescription;
    additional_info['dataPointDescription'] = extra_info.dataPointDescription;
    additional_info['group'] = extra_info.group;
    additional_info['host'] = extra_info.host;
    additional_info['hostName'] = extra_info.hostName;
    additional_info['hostDescription'] = extra_info.hostDescription;
    additional_info['deviceURL'] = extra_info.deviceURL;
    additional_info['instance'] = extra_info.instance;
    additional_info['instanceGroup'] = extra_info.instanceGroup;
    additional_info['level'] = extra_info.level;
    additional_info['start'] = extra_info.start;
    additional_info['startEpoch'] = extra_info.startEpoch;
    additional_info['duration'] = extra_info.duration;
    additional_info['threshold'] = extra_info.threshold;
    additional_info['value'] = extra_info.value;
    additional_info['agentID'] = extra_info.agentID;
    additional_info['agentDescription'] = extra_info.agentDescription;
    additional_info['backupAgentID'] = extra_info.backupAgentID;
    additional_info['backupAgentDescription'] = extra_info.backupAgentDescription;
    additional_info['externalTicketID'] = extra_info.externalTicketID;
    additional_info['end'] = extra_info.end;
    additional_info['website'] = extra_info.website;
    additional_info['checkPoint'] = extra_info.checkPoint;
    additional_info['detail'] = extra_info.detail;
    additional_info['websiteDescription'] = extra_info.websiteDescription;
    additional_info['websiteGroup'] = extra_info.websiteGroup;
    additional_info['url'] = extra_info.url;
    additional_info['websiteRequest'] = extra_info.websiteRequest;
    additional_info['websiteResponse'] = extra_info.websiteResponse;
    additional_info['eventCode'] = extra_info.eventCode;
    additional_info['logFile'] = extra_info.logFile;
    additional_info['sourceName'] = extra_info.sourceName;
    additional_info['alertType'] = extra_info.alertType;                          

    gr.additional_info = JSON.stringify(extra_info);
    gr.event_class = requestBody.agentDescription;
    gr.source = requestBody.source;
    gr.node = requestBody.host;
    gr.type = requestBody.type;
    gr.metric_name = requestBody.metric_name;
    gr.description = extra_info.message;
    gr.time_of_event = requestBody.time_of_event;
    gr.severity = severity;                     
    gr.resource = requestBody.resource;
    gr.resolution_state = resolutionState;
    gr.insert();                          
    }
    catch(er){
      gs.error(er);
      status=500;
      return er;
      }
    return "success";
})(request, body);

System Logs | All shows the JSON payload is making it completely, but there’s a syntax error related to JSON.parse that I haven’t been able to work through.

Am I doing something fundamentally wrong here? Anyone doing something similar successfully?

Thank in advance for any help or thoughts!

John

vNick · ‎01-28-2019

Hi John - you might try removing the spaces from the addition_info construct

{ "records":
  [
    {
    "source": "Logicmonitor",
    "event_class": "##AGENT_DESCRIPTION##",
    "node": "##HOST##",
    "resource": "##DataSource##",
    "metric_name": "##DPDESCRIPTION##",
    "type": "##ALERTTYPE##",
    "severity": "##LEVEL##",
    "time_of_event": "##DATE##",
    "description": "##MESSAGE##",
    "additional_info":"{'alertID': '##ALERTID##', 'alertStatus': '##ALERTSTATUS##',                                            'dataPoint': '##DATAPOINT##', 'dataSource': '##DataSource##', 'date': '##DATE##', 'dataSourceDescription': '##DSDESCRIPTION##', 'dataSourceInstanceDescription': '##DSIDESCRIPTION##', 'dataPointDescription': '##DPDESCRIPTION##', 'eventSource': '##EVENTSOURCE##', 'group': '##GROUP##','host': '##HOST##', 'hostname': '##HOSTNAME##', 'hostDescription': '##HOSTDESCRIPTION##', 'deviceURL': '##DEVICEURL##', 'instance': '##INSTANCE##', 'instanceGroup': '##INSTANCEGROUP##', 'level': '##LEVEL##', 'start': '##START##', 'startEpoch': '##STARTEPOCH##','duration': '##DURATION##', 'threshold': '##THRESHOLD##', 'value': '##VALUE##', 'agentID': '##AGENTID##', 'agentDescription': '##AGENT_DESCRIPTION##', 'backupAgentID': '##BACKUPAGENTID##','backupAgentDescription': '##BACKUPAGENT_DESCRIPTION##','externalTicketID': '##EXTERNALTICKETID##','end': '##END##', 'website': '##WEBSITE##','checkPoint': '##CHECKPOINT##','detail': '##DETAIL##','websiteDescription': '##WEBSITEDESCRIPTION##','websiteGroup': '##WEBSITEGROUP##','url': '##URL##','websiteRequest': '##WEBSITEREQUEST##','websiteResponse': '##WEBSITERESPONSE##','eventCode': '##EVENTCODE##','logFile': '##LOGFILE##','sourceName': '##SOURCENAME##','message': '##MESSAGE##','alertType': '##ALERTTYPE##'}"
    }
  ]
}

John Shores1 · ‎01-28-2019

I'm willing to give that a try, but that format is in compliance with the examples in the SN documentation and it's being ingested into the em_event table without errors.

stevemacamway · ‎01-28-2019

John,

Have you checked to make sure there are no single or double quotes inside the strings that replace the ##data## elements?

Any chance you can post one of the events that are created in the em_event table without the script?

One other thing to look at is using Postman to push in a super-simplified event (single words for each field) that meets the minimum requirements for your code to run through. This will help you to see if the code is hiccupping on the data, or just errors in your code (doubtful). Then you can start replacing the simple data with the real data, field by field, to find what breaks it.

Steve

John Shores1 · ‎01-28-2019

Here's a SN log entry from the script:

inside em logicmonitor event processor, body: { "records":  [   {   "source": "Logicmonitor",   "event_class": "REDACTED",   "node": "REDACTED",   "resource": "SSL encrypted http page load time",   "metric_name": "",   "type": "alert",   "severity": "warn",   "time_of_event": "2019-01-27 21:28:05 CST",   "additional_info":"{    'alertID': 'LMD1121312',     'alertStatus': 'active',        'dataPoint': 'ResponseTime',     'dataSource': 'HTTPS-443',     'date': '2019-01-27 21:28:05 CST',     'dataSourceDescription': 'SSL encrypted http page load time',     'dataSourceInstanceDescription': '',     'dataPointDescription': '',     'eventSource': '',     'group': 'Devices by Type\/Infosec Devices, Sourcefire\/CSC, Devices by Type\/Linux Servers',    'host': 'REDACTED',     'hostname': 'REDACTED',     'hostDescription': '',     'deviceURL': 'https:\/\/REDACTED.com\/santaba\/uiv3\/device\/index.jsp#tree\/-d-3882',     'instance': '443',     'instanceGroup': '',     'level': 'warn',     'start': '2019-01-27 21:27:16 CST',     'startEpoch': '1548646036000',    'duration': '0h 0m',     'threshold': '> 550',     'value': '555.0',     'agentID': '4',     'agentDescription': 'REDACTED',     'backupAgentID': '0',    'backupAgentDescription': 'none',    'externalTicketID': '0',    'end': '',     'website': '',    'checkPoint': '',    'detail': '',    'websiteDescription': '',    'websiteGroup': '',    'url': '',    'websiteRequest': '',    'websiteResponse': '',    'eventCode': '',    'logFile': '',    'sourceName': '',    'message': 'LMD1121312 warn - REDACTED HTTPS-443 ResponseTime\nThe SSL  page on REDACTED is taking 555.0 ms to respond. This puts the host in warn state, as it is longer than the threshold of > 550\nThis has been going on since 2019-01-27 21:27:16 CST - or 0h 0m ago.\r\n\r\nThis alert matches the rule Warning\nAlert now is going to stage 1 recipients:  REDACTED(HTTP POST to ServiceNow)',    'alertType': 'alert'    }"   }  ] }, headers: {"authorization":"Basic REDACTED","content-length":"1957","post":"POST","x-forwarded-proto":"https","x-forwarded-host":"REDACTED.com","host":".com","content-type":"application/json; charset=UTF-8","connection":"Keep-Alive","x-forwarded-for":"hrb.service-now","accept-encoding":"gzip","accept":"application/json","user-agent":"okhttp/3.9.1"}