Create event field mappings

릴리스 버전: Australia

업데이트 날짜 2026년 03월 12일

소요 시간: 29분

Use event field mappings to map values from specific event fields to values in other fields to provide more comprehensive information in an alert. Use team-based integrations in event rules to make sure that connector ownership and execution of rules give precedence to global rules. Teams can maintain consistency and hierarchy while offering flexibility and customization options.

시작하기 전에

Role required: evt_mgmt_admin

이 태스크 정보

Create the rule to match the event by its class and original values. Also, specify the new values to replace the original values in the event.

프로시저

Navigate to All > Event Management > Rules > Event Field Mapping.

Select New or open an existing rule to edit and fill in the fields.

표 1. Event Field Mapping form
Field	Description
Name	Event field mapping name.
Source	Event monitoring software that generated the event, such as SolarWinds or SCOM. Maximum length: 100 characters.
Order	Number to define the order in which this action should be processed. Actions with lower numbers are processed first.
Assignment group	For Team-based integrations, select an assignment group. If no assignment group is defined in the event field-mapping rule, then this rule is considered global. When the rules are running – first the global rules run and then the rules that belong to the assignment group that the event’s source instance belongs to.
Mapping type	Mapping mechanism that is used to change an event field value. Map field and transform value (Single field): Maps the Source field value to the matching value in the Transform value pairs [em_mapping_pair] table and populates the Target field. Source and Target fields may be event fields, additional info fields, or alert tags. Create or update field and set constant value (Constant): Sets a constant value to a Target field. The Target field may be an event field, additional info field, or alert tag. Map field (Copy field): Copies the exact value of a Source field to the specified Target field. The Source and Target fields may be Event field, Additional info field, or alert tags. Map field and transform value using regex: Generically maps the value from the Source field to the matching value in the Transform value pairs table and populate the Target field. Source and Target fields may be event, additional info, or alert tags fields. Map field using regex: Copies the value from a generically defined Source field to the Target field. The Source field must be a field from the event additional info field. The Target field may be the field of event, additional info, or alert tag. With this type, you can generically find the name of the Source field by using a regular expression (regex). Map field and copy value from regex group: Copies part of the Source field value to the Target field. Source and Target fields may be event fields, additional info fields, or alert tags. Define a regex to specify what part of the Source field should be copied. Advanced mapping using script: Implements your own logic for event values transformation by using a script. When the 'Run after binding' check box is selected, the rule is executed after the CI binding phase and uses the dedicated script that also has the sys_id of the CI in the input parameters. Warning: Complex scripts may affect event processing performance. Map field from reference table Use this rule type to extract a Source field value from the selected Reference table by matching the Field to matchvalue to the Matching alert field value and then mapping the Source field value to the Target field. The Matching alert field and the Target field may be event fields, additional info fields, or alert tags.
Filter	A condition for event field mapping. Select Add Filter Condition or Add "OR" Clause to configure multiple conditions. 주: The filter is case-sensitive.
Active	Activates or deactivates the event field mapping. If possible, find and apply another event field mapping rule.
Run after binding	When selected, the rule is executed after the CI binding phase. Use the relevant prefix to retrieve values from the CI record: alert_cmdb_ci. to retrieve a field from the CI record. For example: Use 'alert_cmdb_ci.assignment_group’ to populate (and transform) an alert 'assignment_group' field with the value of the CI’s assignment group. Dot-walk to a related record is also possible. For example, use alert_cmdb_ci.asset.model alert_cmdb_ci_key. to retrieve a value from the CMDB Tags table. For example, alert_cmdb_ci_key.subscription notes. Warning: Using the 'Run after binding' feature may affect event processing performance. 주: This check box is displayed only for the following Mapping types: Map field and transform value (Single field), Map field (Copy field), Map field and transform value using regex, Map field and copy value from regex group, and Map field from reference table.

If you selected Map field and transform value (Single field), fill in the fields as appropriate.

표 2. Map field and transform value (Single field) fields
Field	Description
Source field	Event field to map - includes all event and additional info fields. Note: For Additional info fields use: "additional_info.<field name>". When the 'Run after binding' check box is selected, you can use the alert_cmdb_ci and the alert_cmdb_ci_key prefixes to receive CI related data.
Target field	Event field where the mapping rule inserts or updates the value. When this field is identical to the Source field, the mapping rule updates the value in memory of the event field. Alert tags can also be defined by using the <t_> prefix.
Run after binding	When checked, activates Event field mapping after CI binding. Use the following prefix to retrieve values from the CI record: alert_cmdb_ci. to retrieve a field from the CI record. For example, use 'alert_cmdb_ci.assignment_group’ to populate (and transform) an alert 'assignment_group' field with the value of the CI’s assignment group. Dot-walk to a related record is also possible. For example, use alert_cmdb_ci.asset.model alert_cmdb_ci_key. to retrieve a value from the CMDB Tags table. For example, alert_cmdb_ci_key.subscription notes. Warning: Using the 'Run after binding' feature may affect event processing performance.

표 3. Key fields (Transform Value Pairs section)
Field	Description
Key	Value that the mapping rule searches for. Whenever the event field has this value, the mapping rule adds the value listed in the Source field field to the field listed in the Target field. This field is displayed when the Mapping type is Map field and transform value (Single field). Select + to add more Key fields, as required.

Typical use case: To map the 'event_severity' field in the additional info field with possible values [such as WARNING, MINOR, CRITICAL, CLEAR, MAJOR] to the severity field, configure the following:

Source field: 'event_severity'
Target field: 'severity'
Transform value pairs:
- From value: 'WARNING', to value: '4'
- From value: 'MINOR', to value: '3'
- and so forth...

If you selected Create or update field and set constant value (Constant), fill in the fields as appropriate.

표 4. Create or update field and set constant value (Constant) fields
Field	Description
Target field	The Target field may be an an event field, additional info field, or alert tag. Typical use case: Set alert severity to 1 for all events that match the filter.
Value	Value you want to use for the To field. This field is displayed when the Mapping type is Constant.

Typical use case: Set alert severity to 1 for all events that match the filter.

If you selected Map field (Copy field), fill in the fields as appropriate.

표 5. Map field (Copy field) fields
Field	Description
Source field	Source field value to be copied to the Target field field. The Source field may be an event field, additional info field, or alert tag.
Target field	Event field where the mapping rule inserts or updates the value. The Target field may be an event field, additional info field, or alert tag.
Run after binding	When checked, activates Event field mapping after CI binding. Use the relevant prefix to retrieve values from the CI record: alert_cmdb_ci. to retrieve a field from the CI record. For example, use 'alert_cmdb_ci.assignment_group’ to populate (and transform) an alert 'assignment_group' field with the value of the CI’s assignment group. Dot-walk to a related record is also possible. For example, use alert_cmdb_ci.asset.model alert_cmdb_ci_key. to retrieve a value from the CMDB Tags table. For example, alert_cmdb_ci_key.subscription notes. Warning: Using the 'Run after binding' feature may affect event processing performance.

Typical use case: To copy the IP field from the event additional info field to the alert field node, use the following:

'Source field': ip
'Target field': node

If you selected Map field and transform value using regex, fill in the fields as appropriate.

표 6. Map field and transform value using regex
Field	Description
Source field	Source field value to be copied to the Target field field. The Source field may be an event field, additional info field, or alert tag.
Target field	Event field where the mapping rule inserts or updates the value. The Target field may be an event field, additional info field, or alert tag.
Run after binding	When checked, activates Event field mapping after CI binding. Use the relevant prefix to retrieve values from the CI record: alert_cmdb_ci. to retrieve a field from the CI record. For example, use 'alert_cmdb_ci.assignment_group’ to populate (and transform) an alert 'assignment_group' field with the value of the CI’s assignment group. Dot-walk to a related record is also possible. For example, use alert_cmdb_ci.asset.model alert_cmdb_ci_key. to retrieve a value from the CMDB Tags table. For example, alert_cmdb_ci_key.subscription notes. Warning: Using the 'Run after binding' feature may affect event processing performance.

Typical use case: To map severity from the field color in the Additional info field to the Severity field, use:

Source field: 'color'
Target field: 'severity'
Transform value pairs:
- From value: '.*red', To value: '1'. This covers both 'dark red', 'light red', and other values containing 'red' and maps them all to '1'.
- and so forth...

표 7. Key fields (Transform Value Pairs section)
Field	Description
Key	Value that the mapping rule searches for. Whenever the event field has this value, the mapping rule adds the value listed in the Source field field to the field listed in the Target field. This field is displayed when the Mapping type is Map field and transform value (Single field). Select + to add more Key fields, as required.

If you selected Map field using regex, fill in the fields as appropriate.

표 8. Map field using regex fields
Field	Description
Source field	Generically defined Source field value to be copied to the Target field field. The Source field must be a field from the event additional info field. With this type, you can generically find the name of the Source field by using a regular expression (regex).
Target field	Event field where the mapping rule inserts or updates the value. The Target field may be an event field, additional info field, or alert tag.

Typical use case: To map the 'region' field from the additional_info field that appears as 'tags.region' or 'tags|region' or 'cloud.region' to an alert tag t_region, use:

'Source field': *region
'Target field': t_region

If you selected Map field and copy value from regex group, fill in the fields, as appropriate.

표 9. Map field and copy value from regex group fields
Field	Description
Source field	Generically defined Source field value to be copied to the Target field field. The Source field must be a field from the event additional info field. With this type, you can generically find the name of the Source field by using a regular expression (regex).
Target field	Event field where the mapping rule inserts or updates the value. The Target field may be an event field, additional info field, or alert tag.
Run after binding	When checked, activates Event field mapping after CI binding. Use the relevant prefix to retrieve values from the CI record: alert_cmdb_ci. to retrieve a field from the CI record. For example, use 'alert_cmdb_ci.assignment_group’ to populate (and transform) an alert 'assignment_group' field with the value of the CI’s assignment group. Dot-walk to a related record is also possible. For example, use alert_cmdb_ci.asset.model alert_cmdb_ci_key. to retrieve a value from the CMDB Tags table. For example, alert_cmdb_ci_key.subscription notes. Warning: Using the 'Run after binding' feature may affect event processing performance.
Regex group expression	._._(.)_.

Typical use case: To extract the third octet from the IP and save it in the additional info third_octet field, use:

'Source field': ip
'Target field': third_octet
'Regex group expression': .*_.*_(.*)_.*

If you selected Advanced mapping using script, fill in the fields as appropriate.

표 10. Advanced mapping using script fields
Field	Description
Script	The code editor gives text editor support for inline scripts. The code editor has these features for the supported language services and Inline scripts: Syntax coloring, indentation, line numbers, and automatic creation of closing braces and quotes, Auto-suggestions, and auto-completions. Editing tips: To insert a fixed space anywhere in your code, press the Tab key. To indent a single line of code, select in the leading white space of the line and then press Tab. To indent one or more lines of code, select the code and then press Tab. To decrease the indentation, press Shift+Tab. To remove one tab from the start of a line of code, select in the line and press Shift+Tab. To declare variables, use the var keyword so that they remain within the proper JavaScript scope.
Run after binding	When the 'Run after binding' check box is selected, the rule is executed after the CI binding phase and uses the dedicated script that also has the sys_id of the CI in the input parameters. Warning: Complex scripts may affect event processing performance.

If you selected Map field from reference table, fill in the fields as appropriate.

표 11. Map field from reference table fields
Field	Description
Reference table	The reference table. Select the table from where the field is to be mapped to the Target field in the event.
Field to match	The field from the Reference table to be matched with the Matching alert field from the event. It’s used to filter out the Reference table records.
Source field	Source field value to be copied to the Target field field. The Source field is the field of the table that was selected as the Reference table.
Matching alert field	Event field to find matching Reference table records. The Matching alert field is matched with the Field to match field. The Matching alert field may be the Event field, Additional info field, or the Alert tag.
Target field	Event field where the mapping rule inserts or updates the value. The Target field may be an event field, additional info field, or alert tag.
Run after binding	When checked, activates Event field mapping after CI binding. Use the relevant prefix to retrieve values from the CI record: alert_cmdb_ci. In the Matching alert field, to retrieve a value of a field from a CI record. For example: 'alert_cmdb_ci.ip_address’ retrieves IP address information of bound CIs. When the Matching alert field and the Field to match fields are reference fields, dot-walking to sys_id in the Matching alert field is required. For example, to use the 'assignment_group' value of bound CIs to match with the Field to match field, use the following expression in the Matching alert field: alert_cmdb_ci.assignment_group.sys_id alert_cmdb_ci_key. to retrieve a value from the CMDB Tags table. For example, alert_cmdb_ci_key.subscription notes. Warning: Using the 'Run after binding' feature may affect event processing performance.

Typical use case: Extract 'short_description' from the 'pc_vendor_cat_item' records matching its 'name' field with the 'cat_item_name' field in the Additional info field of the event and map it to the 'description' field on the event in the following fields:

'Reference table': pc_vendor_cat_item
'Field to match': name
'Source field': short_description
'Matching alert field': cat_item_name
'Target field': description

Right-click the form header and select Save.
Select Submit.

예

The following values comprise a predefined rule that is applied to events in the Trap From Enterprise 9 class. If the events contain the snmpTrapOID element with a value of iso.org.dod.internet.private.enterprises.cisco.0.0, the mapping rule changes the value to reload in the alerts. If the events contain the snmpTrapOID element, a value of iso.org.dod.internet.private.enterprises.cisco.0.1, the mapping rule changes the value to tcpConnectionClose in the alerts.


Field	Values
Name	cisco.snmpTrapOID
Source	Trap From Enterprise 9
Mapping type	Map field and transform value (Single field).
Source field	snmpTrapOID
Target field	snmpTrapOID
Transform Value Pairs	Pair 1 Key: iso.org.dod.internet.private.enterprises.cisco.0.0 Value: reload Pair 2 Key: iso.org.dod.internet.private.enterprises.cisco.0.1 Value: tcpConnectionClose

다음에 수행할 작업

Test an event field mapping by sending an event that includes a field that is present in the event field mapping.