Incomming events are missing value in Severity field - how do I set the value - via Event Rules??

Go to solution
JanneHjorth
Tera Contributor

‎10-26-2020 12:59 AM

Hi all.

I'm new to Event Management and at the moment we experience incomming events, where Severity field is empty. So no alerts are created. I have this record:
find_real_file.png

How can I set a value in Severity field and secure the creation of alerts??

I really need a helping hand here - thanks in advance.

Regards, 

Janne

Labels:
Preview file
84 KB
0 Helpfuls
  • 3,286 Views
1 ACCEPTED SOLUTION

Go to solution
patrickkenney
Kilo Expert

‎10-26-2020 07:26 AM

The Manual attributes will create a new Additional Details JSON pair. You will want to place a number, 0-5, into the Severity field. When the Transform contains a variable representation like ${severity}, it will use the value sent from the default event. In your case that is currently empty.

 

 

View solution in original post

12 REPLIES 12

Go to solution
Rahul Priyadars
Giga Sage
Giga Sage

‎10-26-2020 01:12 AM

Hi,

Severity is important Data Point of Event coming from Any Source. Its value like Info, Warning, major, minor Critical etc drives the Priority of Alert/Incident.

Given Screen shot is not of Alert Its on evemt .It is event data em_event table. When any event rule matches then it spawns the ALERT (em_alert).

Please check your Source UMON System as per Screenshot why its not sending the values.

Regards

RP

 

 

Go to solution
JanneHjorth
Tera Contributor
In response to Rahul Priyadars

‎10-26-2020 04:46 AM

Hi Rahul.

 

There was an error in source event handling. But if I happens again - is it then possible to make sure the Severity field is filled out, så that Alerts can be created??

 

Regards Janne

0 Helpfuls

Go to solution
Rahul Priyadars
Giga Sage
Giga Sage
In response to JanneHjorth

‎10-26-2020 04:50 AM

Hi

is it then possible to make sure the Severity field is filled out--> Technically it can be but with What Values-Info,Warning,Minor,Major,Critical. Its more of a Functional Call aspect as you can not just fill any Value in Severity in Case its NULL values.

Scenario can be dangerous- Let say event received and it actuality it was Minor but in event table it reached as NULL So what value you will fill. Setting just a Default can be disastrous.

Regards

RP

0 Helpfuls

Go to solution
dbehnood
Tera Expert

‎10-26-2020 06:34 AM

Hi Janne,

 

Severity needs to be passed as an integer value, and if I recall, they are:

Clear - 0 (this will close the Alert)

Critical - 1

Major - 2

Minor - 3

Warning - 4

Info/OK - 5 (don't ask me why they changed info to OK - it is misleading)

 

-Dom