Create event field mappings with advanced mapping script

  • Release version: Zurich
  • Updated September 10, 2025
  • 1 minute to read

    • Create event field mappings with advanced mapping scripts to transform raw event data into structured, meaningful information. This method goes beyond basic configurations, aligns fields with business context, and improves event correlation. By reducing alert noise and enhancing visibility, it helps teams respond faster and manage incidents more effectively.

    Before you begin

    Role required: evt_mgmt_admin

    Procedure

    1. Navigate to All > Event Management > Rules > Event Field Mapping.
    2. Select New to fill in the form fields or open an existing one to edit the required fields.
    3. In the Mapping type field, select Advanced mapping using script.
      If you selected Advanced mapping using script, fill in the fields as appropriate.
      Table 1. eventFieldMappingScript
      Name Type Description
      eventGr glide record GlideRecord representing the event.
      origEventSysId string Id of the event.
      Note:
      The GlideRecord event parameter is a temporary object, and therefore does not contain the id of the original event.
      fieldMappingRuleName string The name of this field mapping rule.
      Table 2. Returns
      Type Description
      boolean Value is true if the binding can proceed successfully, or false if the binding operation is aborted.
    4. Select Submit.

    Example

    The use case for this script is to automatically enrich incoming events with classification details before they are processed further. For example, by adding u_alert_classification = "Network" into the event’s metadata, the system can tag and group network-related alerts more effectively. This helps streamline event correlation, reduce noise, and improve routing so incidents are categorized and resolved faster.

    This script checks the event’s additional_info field, ensures it contains valid JSON, and then updates it by adding a new property called u_alert_classification with the value “Network.” If the JSON is invalid, it logs an error and stops the binding. Otherwise, it saves the updated data back to the event record and allows the binding to proceed.

    try {
        var addInfo = eventGr.getValue('additional_info');
        if (!addInfo) {
            addInfo = "{}";
        }
        var addInfoJson = {};
        // Parse JSON
        try {
            addInfoJson = JSON.parse(addInfo);
        } catch (parseError) {
            gs.error("Error parsing additional_info: " + parseError);
            return false;
        }
        addInfoJson.u_alert_classification = "Network";
        var updatedAddInfo = JSON.stringify(addInfoJson);
        eventGr.setValue('additional_info', updatedAddInfo);
        return true;
    } catch (e) {
        gs.error("The script type mapping rule '" + fieldMappingRuleName + "' ran with the error: \n" + e);
    }