Example: Binding alerts to non-host CIs

  • Release version: Australia
  • Updated March 12, 2026
  • Bind alerts to an application service (a non-host CI) using event rules and event field mapping. This example demonstrates how to achieve this by leveraging the IP address associated with the service.

    Before you begin

    Role required: evt_mgmt_admin

    About this task

    When an event is generated, it may not always include the exact name of the Application Service it affects. Instead, it might provide details such as an IP address. In this example, suppose application services are identified by IP addresses. Since the goal is to bind the alert to an Application Service, you need to determine which service name corresponds to the given IP address.

    To achieve this, follow these steps:
    1. Match the correct Application Service: Override the default binding and select Binding Type as CI field matching. The binding process needs to associate the alert with an Application Service, not a host. In the event rule, set the CI Type to Application Service so that the system searches for the service in the Application Service table (cmdb_ci_service_auto).
    2. Extract the IP address from the event description: The event might contain a message like Service is down. IP address is: 196.1.1.24. You need to extract the IP address from this description for further processing.

    3. Translate the IP address into a service name using Event Field Mapping: Use Event Field Mapping to look up the extracted IP address in the CMDB and find the associated application service. Once a matching service is found, its name is stored in the Name field of the event.
    4. Bind the alert to the correct Application Service: If the service name is identified, the alert's CI is populated with that service.

    Procedure

    1. Navigate to All > Event Management > All Events.
    2. Open the specific event for which you want to create an event rule.
    3. Select Create Event Rule.
      The new event rule page opens. Some fields in the event rule are populated based on the event record data, such as the Source field value.
    4. In the Event Rule Info tab, in the Name field, enter application service binding.
    5. Select the Binding tab.
      In this tab, you select the CI type as a service (non-host) instead of a host because the goal is to bind alerts to an Application Service, not to a physical or virtual machine.
    6. Perform the following steps:
      1. Select the Override default binding check box.
      2. In the Binding type field, select CI field matching.
      3. From the CI type list, select Application Service.
      In the Binding tab, the CI type is selected as Application Service.
    7. Select the Transform and Compose Alert Output tab.

      In this tab, you extract the IP address of the application service into a manually created field. Extracting the IP allows the system to look up the corresponding service in the Application Service table (cmdb_ci_service_auto). Without extracting the IP, the system wouldn’t be able to determine which Application Service the event belongs to, making it difficult to bind the alert correctly.

    8. Perform the following steps:
      1. Clear the Node field.

        When an event is processed, it often comes with multiple fields of information. The Node field typically contains the host or device name. However, since the goal is to bind the alert to an Application Service rather than a host, clearing the Node field ensures that the system focuses on identifying the correct service instead of mistakenly associating the alert with a host CI.

      2. Under Event Input > Event Raw Info, select Description.

        The Edit Regex Expressions window opens.

      3. In the Mark Expressions section, select the IP address, manually enter a field name (e.g., service_ip_address), and press Enter to save it.
        A field is created manually to store the IP address.
      4. Select Done.

        The IP address is extracted into the newly created service_ip_address field, which is added to the Additional info field of the alert. This allows it to be used later to identify the corresponding Application Service.

    9. Select Submit in the event rule to save your changes.
    10. Navigate to All > Event Management > Rules > Event Field Mapping.
      In Event Field Mapping, configure the extracted IP address to map it to the corresponding service name. The event provides only an IP address, but alerts need to be associated with a service name (not just an IP). The system needs to map this IP to its corresponding Application Service so that teams can easily identify the impacted service.
    11. Select New.
      The Event Field Mapping window opens.
    12. Perform the following:
      Configure the extracted IP address to map it to the corresponding service name.
      Field: Action
      • Name: Enter the name of the mapping. Example: mapping from ip_address to service name.
      • Source: Enter AWS. Note: The source is the same as the one in the Events record.
      • Mapping type: Select Map field and transform value (Single field).
      • Source field: Enter service_ip_address.
      • Target field: Enter name. The target field value is the column name in the Application Service table (cmdb_ci_service_auto) where the source field value is searched.
      • Transform value pairs: From value: 196.1.1.24. To value: Corp E-mail.
    13. Select Submit.

      The system extracts the IP address of the service from the event and stores it in the service_ip_address field. Because the Application Service table (cmdb_ci_service_auto) does not have a column for searching by IP address, the Transform value pairs feature maps the IP address to a name (in this case, Corp E-mail) and saves it in the name field within the Additional info field of the alert. The Target field specifies the column in which to search: the system looks for Corp E-mail in the name column of the Application Service table (cmdb_ci_service_auto). If a match is found, the alert is bound to the corresponding Application Service.
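
The extract, translate and bind flow above, modeled offline as an added example (not ServiceNow code and not part of the original page) so the regex and the transform pairs can be checked against sample descriptions before the rule is saved. The function names, the sample service rows, the scoping of the mapping to its Source, and every event except the first are assumptions.

```javascript
// Offline model of the event rule and Event Field Mapping described above.
// Plain JavaScript, not ServiceNow API calls; all function names are hypothetical.

// Transform value pairs from step 12, scoped to the mapping's Source (assumed behaviour).
const TRANSFORM_PAIRS = new Map([['AWS', new Map([['196.1.1.24', 'Corp E-mail']])]]);

// Constructed stand-in for the name column of cmdb_ci_service_auto.
const APPLICATION_SERVICES = [{ name: 'Corp E-mail' }, { name: 'Payroll' }];

// Step 8: find a dotted quad in the Description and range-check every octet.
// The lookarounds tolerate a sentence-ending period but reject longer dotted runs.
const IP_RE = /(?<!\d)(?<!\d\.)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?!\d|\.\d)/;
function extractServiceIp(description) {
  const m = IP_RE.exec(description || '');
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  return octets.every((o) => o <= 255) ? octets.join('.') : null;
}

// Steps 10-12: translate service_ip_address into a service name, or null.
function mapIpToName(source, ip) {
  const pairs = TRANSFORM_PAIRS.get(source);
  return pairs && pairs.has(ip) ? pairs.get(ip) : null;
}

// Binding: CI field matching against the name column of the service table.
function bindAlert(event) {
  const ip = extractServiceIp(event.description);
  const name = ip ? mapIpToName(event.source, ip) : null;
  const ci = name ? APPLICATION_SERVICES.find((s) => s.name === name) : undefined;
  let reason = 'bound';
  if (!ip) reason = 'no valid IP in description';
  else if (!name) reason = 'no mapping for source/IP';
  else if (!ci) reason = 'name not in service table';
  return { additionalInfo: { service_ip_address: ip, name }, boundCi: ci ? ci.name : null, reason };
}

// Constructed sample events; the first uses the message quoted on this page.
const SAMPLE_EVENTS = [
  { source: 'AWS', description: 'Service is down. IP address is: 196.1.1.24.' },
  { source: 'AWS', description: 'Service is down. IP address is: 196.1.1.25' },
  { source: 'AWS', description: 'Service is down. IP address is: 196.1.1.324' },
  { source: 'Azure', description: 'Service is down. IP address is: 196.1.1.24' },
];
for (const e of SAMPLE_EVENTS) console.log(e.description, '->', bindAlert(e).reason);
```

In this model an IP with no From value entry never receives a name, so the lookup against the name column is never attempted for it.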
