How to override the Source and Description values for events coming from SNMP?

navd
Kilo Contributor

I have events coming into ServiceNow through SNMP. However, the source of events seems to have a very generic name and we want to change it to a more meaningful name so it becomes easier for users to identify the source of events that get converted into alerts.

Here is the sample SNMP event:

agent_address = 10.xxx.xx.xxx , enterprise = netappOnCommandUnifiedManager , generic_trap = 6 , int_ev_type = SNMP , ocumEventImpactLevel = 3 , ocumEventMessage = critical event on ep3dncf13-04 (Port Status Down) , ocumEventMessageDetails = Ports (e0i) are down , ocumEventName = Port Status Down , ocumEventSeverity = 5 , ocumEventSourceClusterFullName = ex3dncf1901 , ocumEventSourceClusterResourceKey = ca2e93f4-d94f-11e6-b9d1-00a0989b25fc:type=cluster,uuid=ca2e93f4-d94f-11e6-b9d1-00a0989b25fc , ocumEventSourceFullName = ex3dncf1901-0567 , ocumEventSourceHealthStatus = 4 , ocumEventSourceResourceKey = ca2e93f4-d94f-11e6-b9d1-00a0989b25fc:type=cluster_node,uuid=42855662-d90b-11e6-b93f-af2ae9456fed , ocumEventSourceScopedFullName = ex3dncf1901-0567 , ocumEventSourceScopedResourceKey = ca2e93f4-d94f-11e6-b9d1-00a0989b25fc:type=cluster_node,uuid=42855662-d90b-11e6-b93f-af2ae9456fed , ocumEventSourceType = 4 , ocumEventState = 1 , ocumEventTimestamp = 1492590728 , ocumSystemId = edf79322-e81e-4ef3-8c2c-7ee4fca5eb10 , peer_address = 10.xxx.xx.xxx   , specific_trap = 13511 , timestamp = 219290764

I have created an event rule to update the node value, but I am unable to override the source. The events come into ServiceNow like this:

[screenshot: incoming events]

Alert created:

[screenshot: alert]

Event rule:

[screenshot: event rule]

So, we want to update the source value from "Trap From Enterprise 789" to "netappOnCommandUnifiedManager", which is a key value for enterprise in the additional information/description fields of the events. I tried to use the field compose option, but it did not help. Additionally, I would also like to keep the description short and override it with the key value "ocumEventMessageDetails". Can someone advise how to do this, or any other alternative to make the information in alerts simple and meaningful?

Thanks

Naveed


Stephen Farrar
ServiceNow Employee

Hi Naveed,

I think source is set automatically based on the enterprise for SNMP traps.

One thing you could consider doing is using an event field mapping to set a new field based on that source value to the value you want.

Check out the docs here: Event field mapping configuration

Cheers,

Stephen


Tony Branton
ServiceNow Employee

Hi Naveed,

The Source Instance field would be the better field to overwrite rather than the Source field. Why? Because Event Management will auto-generate a message_key (for SNMP trap-derived Alerts) based on the Source, Node, Type and Resource fields to match incoming Events to existing Alerts for de-duplication, flapping detection and updating severity (e.g. to clear paired events). If you change the Source field in an Alert and don't compose the message_key field (with an Event Rule Transform function), incoming events will fail to be matched to Alerts and you'll end up with lots of duplicate and/or un-matched Alerts, not to mention potentially many duplicated Incidents.

If you're comfortable with explicitly setting the message_key field with an Event Rule, then consider using an Alert Rule to apply an Alert Template that will overwrite the Source field with a "friendly" value. You can configure the Alert Rule to be triggered by any alert where "Source is Trap From Enterprise 789", and create an Alert Template that sets the Source field to your desired value.

In general, customers stick with the OOTB use of the Source field and are achieving significantly better than 100:1 Event:Incident consolidation ratios, so consider whether you really need to set the Source field, or whether an alternative like using the Source Instance field might achieve the same outcome.

As for setting the description field, all you need to do is reference the SNMP trap varbind from the additional_info field in the Event Compose Fields section in an Event Rule Transform function. You do this by referencing the varbind using JSON format, e.g. ${ocumEventMessageDetails}, as per the screenshot below:

[screenshot: event rule compose fields]

Hope this helps.