Would like to set severity on event/ alert based on an attribute of affected CI

Nick9
Kilo Contributor

‎10-28-2020 12:46 AM

I have SNMP traps coming in, and while a MID Listener transform script would take care of setting some fields (resource, message key), I cannot set the severity until I check CMDB. 

I have tried setting a before insert rule on em_event in order to update it then, but the rule seems to be ignored. Oddly enough, if creating the event by hand in the platform, the rule works as expected. 

Any ideas how this could be achieved? Also, is there a way to capture the headers of an SNMP trap?

PS. I have also tried to place a rule before insert on the Alert. The rule works once - but after that, on subsequent events that should be matched to the same alert, severity is overwritten.

Kind regards,

Nick

Labels:
0 Helpfuls
  • 1,607 Views
11 REPLIES 11

Ashutosh Munot1
Kilo Patron
Kilo Patron

‎10-28-2020 04:47 AM

HI,

Let  me try to understand this: Do you mean that you dont have severity value on event?


Thanks,
Ashutosh

0 Helpfuls

Nick9
Kilo Contributor

‎10-28-2020 04:57 AM

I do not. I can determine it via a small script - but I do not have one coming in, therefore I need a way to either set it on the event itself, or on the alert only - but still, need to run a small script to figure what severity should be.

0 Helpfuls

Ashutosh Munot1
Kilo Patron
Kilo Patron
In response to Nick9

‎10-28-2020 06:38 AM

Hi,

Severity on event is very important field. It should be populated in advance if you want it to process and create event. 

BR on event table can cause issue with your event processing and have performance issue. When you create event manually BR will work but when the schedule JOB processes the event and updates it the BR wont trigger.

So you can determine the severity of the alert by using field mapping by passing some value in additional information field or description field.


Thanks,
Ashutosh

0 Helpfuls

Nick9
Kilo Contributor
In response to Ashutosh Munot1

‎10-28-2020 06:44 AM

I have used field mapping to set a default Severity - since I cannot determine it until I look into CMDB. But once I try to change the severity on the alert - I run into the issue described in the answer to DOM - it works only for the first event. Next event will overwrite the severity of the alert with the default one. 

As for BRs on the event, I have figured it out that they do not work when they come from a source (in this case traps)

Thanks,

Nick

0 Helpfuls

dbehnood
Tera Expert

‎10-28-2020 06:32 AM

Nick,

 

Is there any indicator on the Event that you can look for that indicates the environment (as that appears to be what you want to key off of)? If so, could you not create an Event Rule for each environment and use a transform rule to clear and set the desired Severity for that environment?

Alternatively, you could write a custom script that updates the Alert Severity after the event is processed.

 

-Dom

0 Helpfuls