This documentation supports the releases of BMC Helix Operations Management up to December 31, 2021.

To view the documentation for the latest version, select 23.1 from the Product version picker.

Event policy types, evaluation order, and templates

This topic provides information about the event policy types, the order in which event policies are evaluated, and the out-of-the-box event policy templates.


Event policy types

The different event policy types are:

  • Basic Enrichment: Processes events with refined slot values to make the events more meaningful.
  • Suppression: Automatically drops new events matching the event selection criteria.
  • Advanced Enrichment: Processes events with refined slot values based on advanced settings and the defined policy workflow.
  • Dynamic Enrichment: An extension of advanced enrichment, this policy helps you enrich events with external data. 
  • Time Based: Processes events with refined slot values after a scheduled duration of time and based on the advanced settings and the defined policy workflow. 
  • Correlation: Correlates and combines multiple matching events into a single aggregated event. 
  • Notification: Notifies users via email or incidents generated for Proactive Service Integration (PSR) about an event occurrence so that actions can be taken.


Policy evaluation order for processing events

In general, events flow through phases based on certain built-in rules. Each phase represents a logical state of processing.

The event policy types and blackout policies are associated with a particular phase through which the event must flow. These policies process each incoming event one phase at a time, and evaluate each event based on the built-in rules. 

Based on the built-in rules, policies are automatically run in the following evaluation order, irrespective of the order in which they were configured.

  1. Basic enrichment policy 
  2. Blackout policy
  3. Suppression policy
  4. Advanced enrichment policy and dynamic enrichment policy (of the two, whichever was configured first is evaluated first)
  5. Time-based enrichment policy
  6. Correlation policy
  7. Notification policy

The policy evaluation order supersedes the precedence number specified in the various types of policies. This means that even if you configure a separate event policy for each type with varying precedence numbers, the policies are run in the policy evaluation order.

However, if you have multiple event policies of different types with varying precedence numbers, then policies of the same type are run based on the precedence number specified. 

Example scenarios

The lower the precedence number, the earlier the policy is executed. For example, a policy with the precedence value 100 is executed before a policy with the precedence value 200.

Example 1

Policy configuration:

Policy 01
  • Type: Basic enrichment
  • Precedence: 100
  • Severity: Minor

Policy 02
  • Type: Basic enrichment
  • Precedence: 200
  • Severity: Critical
  • Priority: Highest

Result (execution order):

  1. Policy 01
  2. Policy 02

Example 2

Policy configuration:

Policy 01
  • Type: Basic enrichment
  • Precedence: 100
  • Severity: Minor
  • Priority: Lowest

Policy 02
  • Type: Basic enrichment
  • Precedence: 200
  • Severity: Critical

Result (execution order):

  1. Policy 01
  2. Policy 02

Example 3

Policy configuration:

Policy 01
  • Type: Basic enrichment
  • Precedence: 100
  • Severity: Minor
  • Priority: Lowest

Policy 02
  • Type: Basic enrichment
  • Precedence: 200
  • Severity: Critical

Result (execution order):

  1. Policy 01
  2. Policy 02

For policies of the same type, the lower the precedence number, the earlier the policy is executed. Policies of different types are executed in the following order:

  1. Basic enrichment policy
  2. Blackout policy
  3. Suppression policy
  4. Advanced enrichment policy and dynamic enrichment policy (of the two, whichever was configured first is evaluated first)
  5. Time-based enrichment policy
  6. Correlation policy
  7. Notification policy

Example

Policy configuration:

Policy 01
  • Type: Basic enrichment
  • Severity: Minor
  • Priority: Low

Policy 02
  • Type: Basic enrichment
  • Severity: Critical

Policy 03
  • Type: Basic enrichment
  • Severity: Major

Result (execution order):

  1. Policy 01
  2. Policy 02
  3. Policy 03


Example

Policy configuration:

Policy 04
  • Configuration 1
    • Type: Basic enrichment
    • Severity: Minor
    • Priority: Low
  • Configuration 2
    • Type: Basic enrichment
    • Severity: Critical
  • Configuration 3
    • Type: Basic enrichment
    • Severity: Major

Result (execution order):

  1. Configuration 01
  2. Configuration 02
  3. Configuration 03


Example

Policy configuration:

Policy 01
  • Type: Basic enrichment
  • Precedence: 100
  • Priority: Lowest

Policy 02
  • Type: Basic enrichment
  • Precedence: 200
  • Priority: Lowest

Policy 03
  • Type: Correlation
  • Precedence: 50

Policy 04
  • Configuration 1
    • Type: Basic enrichment
    • Priority: Low
  • Configuration 2
    • Type: Basic enrichment
    • Severity: Critical
  • Configuration 3
    • Type: Advanced enrichment
    • Severity: Major

Result (execution order):

  1. Policy 01
  2. Policy 02
  3. Policy 04 Configuration 1
  4. Policy 04 Configuration 2
  5. Policy 04 Configuration 3
  6. Policy 03
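
The ordering rules above can be modeled as a sort, which is useful when reviewing whether a suppression policy is evaluated ahead of the notification policy you rely on. This is an added example, not BMC code: the Policy class, function names, and the second policy set are constructed here, and it assumes that a policy without a precedence sorts after those that have one and that list position stands in for configuration order.

```python
from dataclasses import dataclass
from math import inf
from typing import Optional

# Phase numbers follow the evaluation order listed on this page.
PHASE = {
    "basic enrichment": 1, "blackout": 2, "suppression": 3,
    "advanced enrichment": 4, "dynamic enrichment": 4,  # shared phase
    "time-based enrichment": 5, "correlation": 6, "notification": 7,
}

@dataclass(frozen=True)
class Policy:
    name: str
    type: str
    precedence: Optional[int] = None  # None = not given in the example

def _sorted(policies):
    # Key: phase, then precedence (lower runs earlier), then list position.
    # Assumption: a missing precedence sorts last within its phase.
    def key(item):
        index, p = item
        prec = inf if p.precedence is None else p.precedence
        return (PHASE[p.type.lower()], prec, index)
    return [p for _, p in sorted(enumerate(policies), key=key)]

def execution_order(policies):
    """Policy names in the order they would be evaluated."""
    return [p.name for p in _sorted(policies)]

def evaluated_after(policies, policy_type):
    """Names of policies whose phase comes after the given policy type."""
    cutoff = PHASE[policy_type.lower()]
    return [p.name for p in _sorted(policies) if PHASE[p.type.lower()] > cutoff]

# The last example on this page, transcribed as input.
PAGE_EXAMPLE = [
    Policy("Policy 01", "Basic enrichment", 100),
    Policy("Policy 02", "Basic enrichment", 200),
    Policy("Policy 03", "Correlation", 50),
    Policy("Policy 04 Configuration 1", "Basic enrichment"),
    Policy("Policy 04 Configuration 2", "Basic enrichment"),
    Policy("Policy 04 Configuration 3", "Advanced enrichment"),
]
# Constructed set: precedence 10 does not move notification ahead of suppression.
CONSTRUCTED = [
    Policy("Page on-call", "Notification", 10),
    Policy("Drop test noise", "Suppression", 500),
]

if __name__ == "__main__":
    print(execution_order(PAGE_EXAMPLE))
    print(evaluated_after(CONSTRUCTED, "suppression"))
```
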


Where to go from here

To create, edit, enable, disable, or delete an event policy, see Creating and enabling event policies.

To understand advanced, time-based, and dynamic enrichment policies, see Advanced, time-based, and dynamic enrichment policies.

To understand correlation policies, see Correlating events.

To understand the out-of-the-box event classes and associated slots, see Event classification and formatting.

