1. Enable the Extract fields toggle switch.
2. From the Extract from field menu, select a value. The menu displays the standard event fields, additional info, and tags. The field value is then displayed. You can also manually enter a field name that is not displayed and add your own value.

   The example source events pane displays a sample of recent events in your system. If no events are displayed, you may create an event, see Create or edit an event rule.

3. In the Regular expression field, create a regular expression to extract the value that you want to extract.
   注:

   You can compose text using regular expression (regex) format conventions. Use one or more capture groups with parentheses to extract parts of the input. Capture groups in the regular expression are assigned to alert outputs based on the order in which they appear. The regex must match the entire input, so consider surrounding your regex with .* on each end. For example, (\w+).acme.com.* captures the host name in a fully qualified domain name. The parser for the regex engine is Perl Compatible Regular Expressions (PCRE) compatible. Nested JSON data is preprocessed to strip quotes and replace colons with equal signs.

4. In the Alert output field, select an alert field or an alert tag. You can also manually enter a new field name.

   If you want to add an alert tag, select the Set as a tag check box.

   ヒント:

   Create alert tags that can be shared across sources for easier filtering and grouping, such as the out-of-the-box tags.

   

5. Select Preview multiple events to verify that the regular expression (regex) is general-purpose enough to correctly extract values across many examples.
   注:

   This option is available only when example source events are available and matched with the regex filter.

   

To include additional fields for extraction, select + Add fields.

1. Enable the Copy or compose fields toggle switch.
2. From the Composition field, select alert fields and/or alert tags, manually enter a field name or even add free text. Alert fields are displayed in the ${field} syntax format.
3. In Output to field, select an existing alert field or alert tag, or manually enter an alert field. Output to field is an enriched alert containing the composed alert data.
   For easier grouping, you can select a tag from the menu. If you want to use the new field name as a tag for grouping, select the Set as a tag check box.

   ヒント:

   Create alert tags that can be shared across sources for easier filtering and grouping, such as the out-of-the-box tags.

   

To create additional alert data compositions, select + Add fields.

1. Enable the Change alert values toggle switch.
2. In Alert field to change values for field, enter the field in the alert that you want to map values for.
3. In the When value is field, enter original value in the alert field that you want to change.
4. In the Change it to field, enter the new value that will replace the original value in the alert field.

   To add more field values, select + Add value and to add more fields to map, select + Add field to map.

   

This option allows you to change how alerts are bound or linked to a Configuration Item (CI), ensuring alerts are associated with the correct IT components for better visibility and faster issue resolution.

The default and most common way to bind alerts to CIs is based on the Node field. This works out of the box with no configuration needed. Use it by populating the Node field in your alert with a CI’s Name, Fully Qualified Domain Name (FQDN), IP, or MAC address. This supports host CIs including Computers, Operating Systems (OS), Switches, Routers, or any CI type or any class that extends the [cmdb_ci_hardware] table.

You may enable this action to improve the CI identification for other types of CIs such as processes or service instances. The system searches for a matching CI in the appropriate CMDB table based on the selected CI type. For example, if you select VMware Virtual Machine Instance as the CI class, the system searches for a matching record in the [cmdb_ci_vmware_instance] table using details from the event rule record, specifically the Additional info fields.

1. Enable the Improve configuration item (CI) identification toggle switch.
2. Select which CI class you’d like to identify: In the CI class field, specify the CI class for which the event’s node field is evaluated during CI identification. This determines the type of CI the system attempts to identify first.

   Select View items to see the list of CIs of this type and their attribute values.

3. Identify the CI when the following alert fields match the CI attributes: In this section, map alert fields to CI attributes to help the system find the correct CI:
   • Alert field: Select the alert field that contains identifying information.
   • CI attribute: Select the CI attribute that the alert field must map to.
4. Use Advanced options to control how the system treats the alert node field during CI identification.

   • Node field behavior: Choose one of the following:
     • Consider node field: Uses the alert’s node value during CI identification.
     • Ignore node field: Ignores the alert’s node value.
     Based on the selected CI class, the system recommends whether you should consider or ignore the node field, but you can override this recommendation if needed.
   • Use all matching additional info fields: Select this check box to use all matching fields from the event’s Additional Info for CI identification instead of mapping individual fields.
5. + Add fallback: Add fallback CI class and field mappings to define alternate identification logic. If the primary configuration does not identify a CI, the system evaluates each fallback in order until it finds a match.

   Ensure that the Node field in the alert is populated correctly to identify a host CI. The CI you are identifying must have a runs on relationship to the host CI or be mapped to the host.

6. Ensure that at least one CI attribute is present in the Additional info field of the alert.

   For instructions on how to populate these fields, see Set additional info fields to match CI attribute format. The system attempts to match values from the Additional info field of the alert with the CI table. If a match is found, the alert is bound to the corresponding CI.

7. Select Test CI identification to test the CI identification on sample events.

   After successful CI identification, the system displays a message with the relevant details.

   If CI identification fails, the system shows a message explaining the details.

For more information on CI binding, see Binding alerts to CIs.