This documentation supports the releases of BMC Helix Operations Management up to December 31, 2021.

Event enrichment for adding context

After unwanted events are filtered out, a smaller set of more relevant events is displayed in BMC Helix Operations Management. You can further enrich these events with meaningful information so that operators get more accurate information about the problem and can address issues more efficiently.

As an administrator, enrich your ingested events with additional context to make them more meaningful.

Event enrichment provides the following advantages:

  • Provides additional or more accurate information about the problem. In some cases, raw events do not include all the information that an operator needs to investigate and resolve a problem while monitoring events. This context can help operators address issues faster and more efficiently.
  • Normalizes events coming from different sources and in different formats. For example, one event stream might display location as part of the domain name and another event stream might display location as part of the message. When all events are formatted consistently, operators can process them more effectively (in terms of event enrichment, event suppression, and so on).
  • Helps other administrators correlate events based on more refined criteria, resulting in situations that are easier to analyze and solve. It also helps fine-tune the out-of-the-box event clusters, resulting in more meaningful event patterns.

The following sections introduce the event enrichment process, the various enrichment scenarios, and the enrichment methods.

Event enrichment process

Events can be enriched by configuring a basic enrichment policy to update specific event attributes only or by performing the following kinds of advanced processing:

  • advanced enrichment
  • time-based enrichment
  • dynamic enrichment  

The following image illustrates the high-level process involved in advanced processing of events. 

  1. A huge volume of raw events is ingested from various event sources. The circles represent events flowing from various IT assets. 
    The incomplete circles represent events with inadequate information. 
  2. Raw events are classified and formatted. Similar events are deduplicated by the product based on certain criteria. Additionally, events are suppressed if a suppression policy is configured.
  3. An incoming event arrives. The event selection criteria defined in the event policy act as an initial filter that determines which events are processed.
  4. The event passes through a complex set of actions (policy workflow) that enrich and update the event data with additional context. 
    The workflow can enrich the event with static text, with external data, based on the result of complex conditions or mathematical functions, and based on other slot values in the same event.
    The solid circles represent the enriched events that are ready to be ingested.
  5. The enriched event is displayed on the Events page under Monitoring.

Event enrichment scenarios

The following table provides a list of enrichment scenarios, followed by the enrichment method that you can use to achieve that scenario, and the overall benefit.

| Enrichment scenarios | Enrichment method | Reference |
|---|---|---|
| Enrich particular attributes of an event (Enum slot types only); for example, the event severity, priority, category, message, and location. | Basic enrichment | Creating and enabling event policies |
| Enrich an event with external data. Perform enrichment based on multiple If-Then scenarios in an external source file. | Dynamic enrichment | |
| Enrich particular attributes of an event. Enrich an event with static text. Enrich an event based on the result of complex conditions or mathematical functions. Enrich an event based on other slot values in the same event. | Advanced enrichment | |
| Schedule a time duration after which enrichment actions need to be taken. Enrich particular event attributes. Enrich an event with static text. Enrich an event based on the result of complex conditions or mathematical functions (complex root actions and void function excluded). Enrich an event based on other slot values in the same event. | Time-based enrichment | |

Event enrichment methods

As an administrator, you can configure the following types of event policies for different types of enrichment:

  • Basic enrichment: Useful for performing simple, routine actions quickly.
  • Dynamic enrichment: Useful for performing enrichment using external data.
  • Advanced enrichment: Useful in the following scenarios: 
    • Performing complex event manipulation on a small subset of events.
    • Building configurations for a combination of isolated use cases.
  • Time-based enrichment: Useful for processing and enriching events with a time perspective.

A basic enrichment policy is the simplest type of enrichment. This policy type does not contain complex actions. It allows you to update particular event information coming from Enum slots (slots with a fixed set of values). 

With an advanced enrichment policy, you can enrich other event slots in addition to those that are configurable with basic enrichment. You can set up advanced actions for processing events, such as using mathematical functions to arrive at the event slot value, adding a Lookup action to process existing events, and adding advanced conditions that determine whether processing takes place or what triggers it. Advanced enrichment provides a superset of tools that you can combine according to your needs to build a policy workflow.

Time-based enrichment can be considered an extension of advanced enrichment that is available as a separate policy type to cater to a specific use case. Similar to an advanced enrichment policy, a time-based enrichment policy allows you to combine various actions to build a policy workflow. The difference is that time-based enrichment is meant to help you focus on enriching events after a time duration has lapsed. Therefore, fewer actions are available in a time-based enrichment policy than in an advanced enrichment policy.

Dynamic enrichment is an extension of advanced enrichment. However, a dynamic enrichment policy contains a predefined and fixed set of actions that are run on an incoming event. Also, dynamic enrichment allows you to import external data and perform enrichment based on complex If-Then scenarios. 
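The following added example (an illustration written for this page, not BMC Helix code or policy syntax) walks constructed events through the process described above: selection criteria, normalization of location from the host name or the message, a lookup against external data, and enrichment from other slot values. All slot names, site codes, lookup columns, and priority labels are assumptions.

```python
import csv
import io
import re

# Constructed lookup data standing in for the external file a dynamic
# enrichment policy imports; column names are assumptions.
LOOKUP_CSV = """site_code,site_name,owner_team
HOU,Houston DC,dc-ops-us
PUN,Pune DC,dc-ops-in
"""

# Constructed raw events: one source carries the site in the host name,
# another carries it in the message text, and one carries none at all.
RAW_EVENTS = [
    {"host": "db01.hou.example.test", "severity": "MAJOR",
     "msg": "Disk usage at 93 percent"},
    {"host": "sw-edge-12", "severity": "MINOR",
     "msg": "Link flap detected location=pun port=12"},
    {"host": "web07.hou.example.test", "severity": "INFO", "msg": "Heartbeat"},
    {"host": "legacy-host", "severity": "CRITICAL", "msg": "Fan failure"},
]

def selected(event):
    """Selection criteria: only events above INFO enter the workflow."""
    return event["severity"] in {"MINOR", "MAJOR", "CRITICAL"}

def site_code(event):
    """Normalize location from either representation to one site code."""
    m = re.search(r"\blocation=([A-Za-z]{3})\b", event["msg"])
    if m:
        return m.group(1).upper()
    labels = event["host"].split(".")
    return labels[1].upper() if len(labels) > 2 else None

def enrich(event, lookup):
    out = dict(event)  # keep the raw event unchanged
    row = lookup.get(site_code(event))  # If-Then match against external data
    out["location"] = row["site_name"] if row else "UNKNOWN"
    out["owner_team"] = row["owner_team"] if row else "unassigned"
    # Value derived from another slot in the same event.
    out["priority"] = "P1" if out["severity"] in {"MAJOR", "CRITICAL"} else "P3"
    out["notes"] = "Route to " + out["owner_team"]  # static text plus a slot
    return out

def process(events, lookup_text=LOOKUP_CSV):
    lookup = {r["site_code"]: r for r in csv.DictReader(io.StringIO(lookup_text))}
    return [enrich(e, lookup) for e in events if selected(e)]
```

An event with no recognizable site falls through to `UNKNOWN` and `unassigned` instead of being dropped, so gaps in the lookup data stay visible to operators.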
