Alert tags
Alert tags consolidate all normalized fields and improve the admin experience of transforming and normalizing alert fields (key/value pairs), enabling reuse of normalized fields across different sources. This improves alert quality for correlation and provides more out-of-the-box TBAC (Tag Based Automatic Correlation) definitions.
Example: Field normalization in alert management
In some cases, the same information exists under different field names across data sources. For instance, an incoming event from one source stores the location in the field region, while in another source the same information is captured under impacted_region. To avoid confusion and enable consistent grouping, filtering, and automation, these fields are normalized by creating a unified field, for example t_region. This field takes its value from region or from impacted_region, depending on which field is present in the event. In this way, the normalized field t_region always holds the location value consistently, regardless of the original source field.
The Alert tags field appears on the Alerts form. These tags are created by Event Rules and in Event mapping, and are stored in the alert tags table [em_alert_tags]. The naming convention for key/value pairs is t_<tag name>. This enables tags to be reused in event rules, because users can select tags that were previously defined. When new alert tags are defined, TBAC (Tag Based Alert Clustering) tags are created automatically. Using these TBAC tags, you can create new TBAC alert clustering definitions from the new source of tags.
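The following is an added, stand-alone illustration of the normalization described in the example above and of the t_<tag name> convention; it is not ServiceNow code and uses none of the platform's APIs. The region/impacted_region fields come from the page; the service fields, event ids and event values are constructed for the demo.

```javascript
// Added illustration (not ServiceNow's own code): normalize differently named
// event fields into t_<tag name> alert tags, then cluster alerts by one tag.
// Tag definitions: normalized tag name -> candidate source fields, in precedence
// order. Only region/impacted_region come from the page; the rest is constructed.
const TAG_DEFINITIONS = {
  region: ['region', 'impacted_region'],
  service: ['business_service', 'app'],
};

// Build the t_<tag name> key/value pairs for one event's fields. A missing,
// empty or whitespace-only value does not count as present; the first source
// field that carries a real value wins.
function buildAlertTags(eventFields, definitions = TAG_DEFINITIONS) {
  const tags = {};
  for (const [tagName, sources] of Object.entries(definitions)) {
    for (const field of sources) {
      const value = eventFields[field];
      if (typeof value === 'string' && value.trim() !== '') {
        tags['t_' + tagName] = value.trim();
        break;
      }
    }
  }
  return tags;
}

// Group alert ids by the value of one normalized tag, the way a tag-based
// clustering definition would; alerts without that tag are left out.
function clusterByTag(alerts, tagKey) {
  const clusters = {};
  for (const alert of alerts) {
    const value = alert.tags[tagKey];
    if (value === undefined) continue;
    (clusters[value] = clusters[value] || []).push(alert.id);
  }
  return clusters;
}

// Constructed sample events from sources that name the location differently.
const SAMPLE_EVENTS = [
  { id: 'a1', fields: { region: 'eu-west', business_service: 'payments' } },
  { id: 'a2', fields: { impacted_region: 'eu-west', app: 'payments' } },
  { id: 'a3', fields: { region: '   ', impacted_region: 'us-east' } },
  { id: 'a4', fields: { host: 'db01' } },
];

// Normalize every sample event into an alert carrying its t_ tags.
function normalizeAll(events = SAMPLE_EVENTS) {
  return events.map((e) => ({ id: e.id, tags: buildAlertTags(e.fields) }));
}
```

Calling clusterByTag(normalizeAll(), 't_region') groups a1 and a2 together under eu-west even though their sources named the field differently, while a4, which carries no location at all, stays outside every cluster.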