Event enrichment for adding context
After unwanted events are filtered out, a smaller set of more relevant events is displayed in BMC Helix Operations Management. You can further enrich these events with meaningful information, giving operators more accurate information about the problem so that they can address issues more efficiently.
As an administrator, enrich your ingested events with additional context to make them more meaningful.
Event enrichment provides the following advantages:
- Provides additional or more accurate information about the problem. In some cases, raw events do not include all the information an operator needs to investigate and resolve a problem while monitoring events. This added context helps operators address issues faster and more efficiently.
- Normalizes events coming from different sources and in different formats. For example, one event stream might carry the location as part of the domain name and another might carry it as part of the message. When all events are formatted consistently, operators can process them more effectively (for event enrichment, event suppression, and so on).
- Helps other administrators correlate events based on more refined criteria, resulting in situations that are easier to analyze and solve. It also helps fine-tune the out-of-the-box event clusters, resulting in more meaningful event patterns.
The following sections orient you with the event enrichment process, the various enrichment scenarios, and enrichment methods.
Event enrichment process
Events can be enriched by configuring a basic enrichment policy to update specific event attributes only, or by performing the following types of advanced processing:
- advanced enrichment
- time-based enrichment
- dynamic enrichment
The following image illustrates the high-level process involved in advanced processing of events.
- A huge volume of raw events is ingested from various event sources. The circles represent events flowing from various IT assets. The incomplete circles represent events with inadequate information.
- Raw events are classified and formatted. Similar events are deduplicated by the product based on certain criteria. Additionally, events are suppressed if a suppression policy is configured.
- An incoming event arrives. The event selection criteria defined in the event policy act as an initial filter that determines which events will be processed.
- The event passes through a complex set of actions (the policy workflow) that enrich and update the event data with additional context. The workflow can enrich the event with static text, with external data, based on the result of complex conditions or mathematical functions, and based on other slot values in the same event. The solid circles represent the enriched events that are ready to be ingested.
- The enriched event is displayed on the Events page under Monitoring.
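The process above (selection criteria first, then a workflow of normalization, lookup and If-Then actions, including the location-in-domain-name versus location-in-message case from the advantages list) as an added, self-contained model in Python; this is illustrative code, not BMC Helix code, and the slot names, node directory and sample events are constructed assumptions.

```python
import re

# Constructed stand-in for a BMC Discovery node lookup (sample data, not real Discovery records).
NODE_DIRECTORY = {
    "10.0.1.5": {"node": "web01", "service": "Web Storefront"},
    "10.0.2.9": {"node": "db01", "service": "Orders Database"},
}

# Assumed slot names; the page itself names only severity, priority, location and message.
SELECTED_SEVERITIES = {"CRITICAL", "MAJOR"}

def select(event):
    """Event selection criteria: the initial filter that runs before the workflow."""
    return event.get("severity") in SELECTED_SEVERITIES

def normalize_location(event):
    """Normalize the location slot whether it arrives in the FQDN or in the message text."""
    host_match = re.match(r"^[^.]+\.([a-z]{3})\.", event.get("host", ""), re.I)
    msg_match = re.search(r"\blocation\s+([a-z]{3})\b", event.get("msg", ""), re.I)
    match = host_match or msg_match
    event["location"] = match.group(1).upper() if match else "UNKNOWN"
    return event

def lookup_node(event):
    """Lookup action: copy node and service details from the directory when a record exists."""
    record = NODE_DIRECTORY.get(event.get("address"))
    if record:  # no record means no enrichment, the event is otherwise untouched
        event.update(record)
    return event

def set_priority(event):
    """If-Then action: events on database services get top priority, all others P2."""
    is_db = "Database" in event.get("service", "")
    event["priority"] = "PRIORITY_1" if is_db else "PRIORITY_2"
    return event

WORKFLOW = [normalize_location, lookup_node, set_priority]

def enrich_events(events):
    """Apply the selection criteria, then run each selected event through the workflow."""
    enriched = []
    for raw in events:
        if not select(raw):
            continue
        event = dict(raw)  # enrich a copy so the raw event stays intact
        for action in WORKFLOW:
            event = action(event)
        enriched.append(event)
    return enriched

# Constructed samples: location in the domain name, location in the message, and one filtered out.
SAMPLE_EVENTS = [
    {"host": "web01.fra.example.com", "address": "10.0.1.5", "severity": "CRITICAL", "msg": "HTTP 5xx rate above threshold"},
    {"host": "db01", "address": "10.0.2.9", "severity": "MAJOR", "msg": "Tablespace 95% full at location LON"},
    {"host": "test01", "address": "10.9.9.9", "severity": "INFO", "msg": "Heartbeat"},
]
```

Running `enrich_events(SAMPLE_EVENTS)` returns two enriched events, both with an upper-case `location`, node details from the directory and a computed `priority`; the INFO event never enters the workflow.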
Event enrichment methods
As an administrator, you can configure the following types of event policies for different types of enrichment:
- Basic enrichment: Useful for performing simple, routine actions quickly.
- Dynamic enrichment: Useful for performing enrichment using external data.
- Advanced enrichment: Useful in the following scenarios:
- Performing complex event manipulation on a small subset of events.
- Building configurations for a combination of isolated use cases.
- Time-based enrichment: Useful for processing and enriching events with a time perspective.
A basic enrichment policy is the simplest type of enrichment. This policy type does not contain complex actions. It allows you to update particular event information coming from Enum slots (slots with a fixed set of values).
With an advanced enrichment policy, you can enrich other event slots in addition to those that are configurable with basic enrichment. You can set up advanced actions for processing events. These actions can be used to perform advanced event processing such as using mathematical functions to arrive at the event slot value, adding a Lookup action to process existing events, adding advanced conditions based on which the processing should take place, or based on which the processing must be triggered.
Advanced enrichment provides you with a superset of tools that can be combined according to your needs to build a policy workflow. Advanced enrichment policies process only incoming events and not existing events. However, advanced enrichment policies that have the Trigger-If action do process existing events.
You can also look up node details, such as node IP address, source, location, and so on, from BMC Discovery and use these details to enrich event slots as shown in the following image:
Time-based enrichment can be considered an extension of advanced enrichment, available to you as a separate policy type to cater to a specific use case. Similar to an advanced enrichment policy, a time-based enrichment policy allows you to combine various actions to build a policy workflow. The difference is that time-based enrichment is meant to help you focus on enriching events after a time duration has elapsed. Therefore, the number of actions available in a time-based enrichment policy is smaller than in an advanced enrichment policy.
Dynamic enrichment is an extension of advanced enrichment. However, a dynamic enrichment policy contains a predefined and fixed set of actions that are run on an incoming event. Also, dynamic enrichment allows you to import external data and perform enrichment based on complex If-Then scenarios.
An event is enriched with the best matching entity details from BMC Discovery based on the lookup event slots. This information associates nodes and their associated services to the event. For more information about lookup slots, see Slot-facets. The best match is determined by the following process:
The following table provides a list of enrichment goals, followed by the enrichment method that you can use to achieve that goal, and the overall benefit.
Enrichment goals | Enrichment method | Reference |
---|---|---|
Enrich particular attributes of an event (Enum slot types only); for example, the event severity, priority, category, message, and location. | Basic enrichment | |
 | Dynamic enrichment | |
 | Advanced enrichment | |
 | Time-based enrichment | |