Creating a new dynamic enrichment event management policy

This topic provides instructions for creating a new dynamic enrichment event management policy and for creating a new dynamic enrichment blackout policy.

Before you begin 

• Ensure that the timeframe referenced in your dynamic enrichment source file exists. If it does not exist, you must define the timeframe as described in How to create a new local timeframe.
• Determine which event selector you want to apply to your dynamic enrichment policy. If none of the out-of-the-box event selectors are appropriate for your policy, define an event selector and specify event selection criteria as described in How to create an event selector and specify event selection criteria. 
• Create a data enrichment source file as described in How to create and edit a dynamic enrichment source file.

To create a new dynamic enrichment policy

1. From the Event Management Policies tab of the Administration View, expand the By Policy Type folder.
2. Under the By Policy Type folder, select Dynamic Enrichment Policy.
3. Click Add Policy.
   
   A Selector Chooser dialog box is displayed.
   
4. From the Selector Chooser dialog box, select the event selector that you want to use for this policy and click OK. 
   
   The Dynamic Enrichment Policy Details tab, shown in the following figure, is displayed in the details pane of the Administration View.
   
   Dynamic Enrichment Policy Details tab
   
5. In the Policy Name field, type a unique alphanumeric name for the event management policy. The name must contain no spaces.
6. In the Description field, type a description of the event management policy.
7. To enable the policy immediately, select the Enabled check box. If you do not want to enable the policy at this time, you can return to this dialog box and enable the policy later.

8. In the Execution Orderfield, if more than one policy exists, specify the order of execution.

   Note

   When a new policy is created, the number shown in the Execution Order field should be one greater the largest current execution order.
   
   If two policies have the same execution order, they run in indeterminate order.

9. In the Policy Activation Timeframessection, define the periods of time the event management policy should be active (when enabled) by performing the following actions:
   1. Select one of the following choices: 
      • To make the event management policy active continuously, select Always Active.
      • To specify when the policy is active or inactive, select Define Activation Timeframes.
        The Active Timeframes and Not Active Timeframes lists are displayed.
   2. If you selected Define Activation Timeframes, depending on how you want to define the timeframe for your policy do one or both of the following:
      • To specify the periods of time when the policy should be active, select the Active Timeframes check box and one or more timeframes from its scrollable list. 

      • To specify the periods of time when the policy should be inactive, select the Not Active Timeframes check box and one or more timeframes from its scrollable list.

        Note

        You can select both check boxes to create active and inactive time periods. However, the inactive time period takes precedence over the active time period.

10. If you do not want to accept the default event class, you can select an event class by clicking the ellipses button in the Event Class field of the Match Fields section, selecting a new event class, and clicking OK.
    The Event Class determines what slots are available in the Available Event Fields column.
11. In the Class Chooser dialog box, select an event class and click OK.
12. In Available Event Fields column, select the slots that correspond to the match fields in your dynamic enrichment source file. Use the left arrow button to move those slots into the Match Fields column. You might select and move multiple slots at the same time.

13. In Available Event Fields column, select the slots that correspond to the output fields in your dynamic enrichment source file. Use the right arrow button to move those slots into the Output Fields column. You might select and move multiple slots at the same time.

    Warning

    It is critical that the policy definition and the data enrichment source file contain the exact same number of match fields and output fields in the same order. If the match fields and output fields in the enrichment file and the policy do not match, the policy does not run.
    
    For example, if you were creating a file similar to the location.csv file that is included with the product, you must select the Host slot as the Match Field and the Location slot as the Output Field to correspond to the slots in the location.csv file.

14. (Optional) In Available Event Fields column, select those slots which if changed must result in the dynamic enrichment policy to be applied again. 
    Use the down arrow button to move slots into the Redo Fields column. You might select and move multiple slots at the same time.

    Example

    Suppose you added the Host field under the Match Fields column and the Location field under the Output Fields column. Based on this matching criteria, the event policy is applied on particular events.

    Suppose the Status and Severity fields were added under the Redo Fields column. In this scenario, if one or more of these fields (added under the Redo Fields column) changed, the dynamic enrichment policy is again applied on the events matching the selection criteria.

15. (Optional) In the Match Fields section, activate the Match Tracing check box to add diagnostic notes to the event, if necessary.
    The match tracing information is written into the event under the mc_notes and mc_operations slots.

16. In the Match Table section, in the Type field, accept the default.

    Note

    Typically, you do not need to the change the value of the Type field. You can override the default; however, you must use a unique tag within the given match table.

17. In the Match Table section, in the Tag field, accept the default.

    Note

    The Tag field uniquely identifies the match table that is used by the policy instance.
    
    You do not need to the change the value of this field. You can override the default; however, you must use a unique tag within the given match table.

18. In the Match Table section, in the Data File field, do one of the following actions: 
    • Type the path to the enrichment data source. 
    • To browse for the enrichment data source, click the ellipses button . In the File Chooser dialog box, select the dynamic enrichment source file appropriate for your policy and click OK. For more information, see External enrichment data sources.
19. In the Match Table section, in the File Format field, select one of the following radio buttons to specify the type of data enrichment file to import:
    • Data file with this separator—Choose this option to import a flat, delimited file, such as a .csv file. Enter a separator to delimit the data column in the file.
      For example, if you are using a .csv file, enter a comma (,) as the separator.
    • PMEP file—Choose this option to import a PMEP table and select the appropriate PMEP format for your policy from the drop list: 
      • Blackout 
      • Blackout CSV 
      • Location 
      • Location CSV 
      • Service 
      • Service CSV 
      • Text 

      • Text CSV

        Note

        If you click PMEP file, the Event Class, Match Fields, and Output Fields are autopopulated with predefined values and become read-only.

20. Click OK.
    
    If this is the first time a policy is saved, the a confirmation dialog box is displayed as shown in the following figure.
    Warning about Redo Fields selected 
    (This message is displayed only if you added fields in the Redo Fields column.)
    
    Import confirmation
    
21. Click Yes.
    
    A green check mark should be displayed in the Enable column next to the policy in the event management policies list. (You might need to scroll the window to the right to see the Enable column.) The policy also should show up in the tree in the left pane of the administration console window.
22. Import the data from the dynamic enrichment source enrichment file as described in Importing dynamic enrichment source.

To create a new dynamic enrichment blackout policy

1. From the Event Management Policies tab of the Administration View, expand the By Policy Type folder.
2. Under the By Policy Type folder, select Dynamic Blackout Policy.
3. Click the Add Policy button
   
   A Selector Chooser dialog box is displayed.
   
4. From the Selector Chooser dialog box, select the event selector that you want to use for this policy and click OK.
   
   The Dynamic Blackout Policy Details tab is displayed in the details pane of the Administration View, as shown in the following figure.
   
   Dynamic Blackout Policy Details tab
   
5. In the Policy Name field, type a unique alphanumeric name for the event management policy. The name must contain no spaces.
6. In the Description field, type a description of the event management policy.
7. To enable the policy immediately, select the Enabled check box. If you do not want to enable the policy at this time, you can return to this dialog box and enable the policy later.

8. In the Execution Order field, if more than one policy exists, specify the order of execution.

   Note

   When a new policy is created, the number shown in the Execution Order field should be one greater the largest current execution order.
   
   If two policies have the same execution order, they run in indeterminate order.

9. In the Policy Activation Timeframes section, define the periods of time the event management policy should be active (when enabled) by performing the following actions:
   1. Select one of the following choices:
      • To make the event management policy active continuously, select Always Active.
      • To specify when the policy is active or inactive, select Define Activation Timeframes.
        The Active Timeframes and Not Active Timeframes lists are displayed.
   2. If you selected Define Activation Timeframes, depending on how you want to define the timeframe for your policy do one or both of the following:
      • To specify the periods of time when the policy should be active, select the Active Timeframes check box and one or more timeframes from its scrollable list.

      • To specify the periods of time when the policy should be inactive, select the Not Active Timeframes check box and one or more timeframes from its scrollable list.

        Note

        You can select both check boxes to create active and inactive time periods. However, the inactive time period takes precedence over the active time period.

10. If you do not want to accept the default event class, you can select an event class by clicking the ellipses button
    in the Event Class field of the Match Fields section, selecting a new event class, and clicking OK.
    
    The event class determines what slots are available in the Available Event Fields column.
11. In the Class Chooser dialog box, select an event class and click OK.
12. In Available Event Fields column, select the slots that correspond to the match fields in your dynamic enrichment source file. Use the left arrow button to move those slots into the Match Fields column. You might select and move multiple slots at the same time.

13. In Available Event Fields column, select the slots that correspond to the output fields in your dynamic enrichment source file. Use the right arrow button to move those slots into the Output Fields column. You might select and move multiple slots at the same time.

    Warning

    It is critical that the policy definition and the data enrichment source file contain the exact same number of match fields and output fields in the same order. If the match fields and output fields in the enrichment file and the policy do not match, the policy does not run.
    
    For example, if you were creating a file similar to the location.csv file that is included with the product, you must select the Host slot as the Match Field and the Location slot as the Output Field to correspond to the slots in the location.csv file.

14. (Optional) In the Match Fields section, activate the Match Tracing check box to add diagnostic notes to the event, if necessary.

15. In the Match Table section, in the Type field, accept the default.

    Note

    Typically, you do not need to the change the value of the Type field. You can override the default; however, you must use a unique tag within the given match table.

16. In the Match Table section, in the Tag field, accept the default.

    Note

    The Tag field uniquely identifies the match table that is used by the policy instance.
    
    You do not need to the change the value of this field. You can override the default; however, you must use a unique tag within the given match table.

17. In the Match Table section, in the Data File field, do one of the following actions:
    • Type the path to the enrichment data source. 
    • To browse for the enrichment data source, click the ellipses button.In the File Chooser dialog box, select the dynamic enrichment source file appropriate for your policy and click OK. For more information, see External enrichment data sources.
18. In the Match Table section, in the File Format field, select one of the following radio buttons to specify the type of data enrichment file to import:
    • Data file with this separator—Choose this option to import a flat, delimited file, such as a .csv file. Enter a separator to delimit the data column in the file.
      
      For example, if you are using a .csv file, enter a comma (,) as the separator.
    • PMEP file—Choose this option to import a PMEP table and select the appropriate PMEP format for your policy from the drop list:
      • Blackout
      • Blackout CSV
      • Location
      • Location CSV
      • Service
      • Service CSV
      • Text

      • Text CSV

        Note

         If you click PMEP file, the Event Class, Match Fields, and Output Fields are autopopulated with predefined values and become read-only.
19. Click OK.
    
    If this is the first time a policy is saved, the following confirmation dialog box is displayed:
    
    Import confirmation
    
20. Click Yes.
    
    A green check mark should be displayed in the Enable column next to the policy in the event management policies list. (You might need to scroll the window to the right to see the Enable column.) The policy also should show up in the tree in the left pane of the administration console window.
21. Import the data from the dynamic enrichment source enrichment file as described in Importing dynamic enrichment source.