×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')

   

This documentation supports an earlier version of BMC Helix Operations Management.

To view the documentation for the latest version, select 23.2 from the Product version picker.
BMC Helix Operations Management 22.3 ... Monitoring events and reducing event noise Defining event policies for enrichment, correlation, notification, and suppression

Out-of-the-box event policies and templates

BMC Helix Operations Management executes the following incident and deduplication out-of-the-box policies internally for event processing: 

  • Predefined Enrichment Policy for Incident
  • Predefined Notification Policy for Incident
  • AlarmEventProcessing
  • AlarmEventCloseProcessing
  • AnomalyEventDuplicateProcessing
  • AnomalyEventCloseProcessing
  • SelfMonitoringEventDuplicateProcessing
  • SelfMonitoringEventCloseProcessing
  • IncidentinfoToOrgIncIdUpdateProcessing
  • incidentinfoEventDuplicateProcessing
  • LogAlertDuplicateProcessing
  • DynatraceEventsDuplicateProcessing
  • SituationEventDuplicateProcessing
  • PatrolEventsDuplicateProcessing
  • PatrolEventsCloseProcessing


Related topic

Integrating with BMC Helix ITSM


The incident policies are executed when BMC Helix Operations Management is integrated with BMC Helix Integration Service. The deduplication policies deduplicate events to filter out unwanted and unnecessary events. For certain event policy types, you can use out-of-the-box policy templates that you can edit and customize.


Predefined Enrichment Policy for Incident

This policy is used for looking up CI information in BMC CMDB. It enriches the following slots based on the event class type. These slots fetch the CI ID, which is required for incident creation in BMC Helix IT Service Management .

  • Component Alias
  • CDM Class
  • Instance Name

  • Model Name

Important

This policy is invisible and you cannot edit it.


Predefined Notification Policy for Incident

This policy is applied in the following scenarios:

  • If the policy is not configured in  BMC Helix Operations Management , the policy is automatically created and enabled. This policy is configured with severity as CRITICAL.
  • If the policy is configured in the system, but is not enabled, the policy is automatically enabled.
  • If the policy is configured in the system and is enabled, the system uses this policy for PSR integration.

  • If multiple notification policies for the incident are configured and enabled, the system processes incidents only according to the Predefined Notification Policy for Incident.

Important

You can edit the Predefined Notification Policy for Incident and change the event selection criteria.

For more information about editing the notification policy, see Creating and enabling event policies.


Event deduplication policies

Based on the dedup slots for event classes, events are deduplicated by using the out-of-the-box internal deduplication policies listed in the following table. A deduplication policy performs a lookup on existing unclosed events, drops the new event, and updates the existing event with the information from the new event. Event notes are not enriched using these policies.

Important

  • These policies are invisible and you cannot edit them.
  • When deduplication policies run, the slot values of the existing event are updated with slot values of the duplicate event.

Dedup policy nameEvent classDedup slotDescriptionExisting event slots modified by the policy
AlarmEventProcessing    ALARMal_alarm_id

Deduplicates an event of the ALARM class when the severity changes for the same metric. This policy updates the existing event (event is looked up by using the al_alarm_id slot) with the slot values of the new event and increments the repeat count for the event.

  • al_algorithm_name 
  • al_baseline_hourly_high
  • al_baseline_hourly_low
  • al_baseline_type
  • al_end_time
  • al_extremeness
  • al_highest_severity
  • al_last_time
  • al_old_severity
  • al_parameter_name 
  • al_parameter_value
  • al_predict_to_occur_time
  • al_suppress_type
  • al_thresh_duration
  • al_thresh_id
  • al_thresh_type
  • msg
  • priority
  • severity
  • _repeat_count (Value incremented by 1)
  • metric_name
  • metric_value
AlarmEventCloseProcessingALARMal_alarm_id

Updates the status of the existing open event to Closed after a metric value returns to a normal state following a threshold breach and a Closed alarm event is received for the metric. The event is looked up by using the al_alarm_id slot.

  • al_parameter_value
  • status
  • al_old_severity
  • metric_value
  • _operations
AnomalyEventDuplicateProcessingANOMALYan_anomaly_id

Deduplicates an event of the ANOMALY class when the severity changes for the same metric. This policy updates the existing event (event is looked up by using the an_anomaly_id slot) with the slot values of the new event and increments the repeat count for the event.

  • an_parameter_value
  • an_sustain_duration
  • an_sensitivity
  • an_score
  • an_attribution_score
  • an_pts_exceeded
  • an_pts_total
  • an_parameter_threshold
  • an_additional_values
  • an_standard_deviation
  • an_minmax_score
  • an_old_severity
  • an_highest_severity
  • msg
  • priority
  • severity
  • _repeat_count (Value incremented by 1)
  • metric_value
AnomalyEventCloseProcessingANOMALYan_anomaly_id

Updates the status of the existing open event to Closed after a metric value returns to a normal state following a threshold breach and a Closed anomaly event is received for the metric. The event is looked up by using the an_anomaly_id slot.

  • status
  • an_old_severity
SelfMonitoringEventDuplicateProcessingHELIX_SM_EVHELIX_SM_EV:HELIX_COMPONENT:source_identifier

Deduplicates the disconnect self-monitoring event of the HELIX_SM_EV class when an event for the same PATROL Agent is received. This policy updates the existing open disconnect event (event is looked up by using the source_identifier slot) and increments the repeat count for the event.

  • _repeat_count (Value incremented by 1)
  • p_status
SelfMonitoringEventCloseProcessingHELIX_SM_EVHELIX_SM_EV:HELIX_COMPONENT:source_identifierDeduplicates the connect or disconnect self-monitoring event of the HELIX_SM_EV class when an event for the same PATROL Agent is received . This policy closes the existing open event (event is looked up by using the source_identifier slot) and keeps the latest connect or disconnect event open.

status = CLOSED

incidentinfoToOrgIncIdUpdateProcessingINCIDENT_INFOincident_relation_source

Enriches the incident ID in the existing event after receiving an INCIDENT_INFO event once an incident is created in BMC Helix IT Service Management . The existing event is looked up by using the incident_relation_source slot). This policy applies only if you have configured Proactive Service Resolution (PSR) integration.

  • incident_id
  • _node_id
  • _service_id
  • _node_service_mapping
  • _node_service_key_mapping
incidentinfoEventDuplicateProcessingINCIDENT_INFO_identifier

When an incident in BMC Helix IT Service Management  is updated, a corresponding new INCIDENT_INFO event with the same event ID is created in BMC Helix Operations Management . This policy deduplicates the new event by updating the existing event (event is looked up by using the _identifier slot) and increasing the repeat count for the event. This policy applies only if you have configured Proactive Service Resolution (PSR) integration.

  • _repeat_count (Value incremented by 1)
  • The incident_relation_source value of the duplicate event is updated in the event_ids value of the existing event.
  • msg
  • status
  • incident_id
  • details
  • ci_incident_type
  • component_id
  • manually_created_incident
  • policy_name
  • bOrphanedRoot
  • incident_relation_source
  • incident_assignee
  • incident_priority
  • incident_submitter
  • incident_company
  • incident_status
  • incident_assignee_group
  • Temp01
  • Temp02
  • Temp03
  • Temp04
  • Temp05
  • Temp06
  • Temp07
  • Temp08
  • Temp09
  • Temp10
LogAlertDuplicateProcessingLOGALERT_EVLOGALERT_EV:alert_id

Deduplicates an event of the LOGALERT_EV class when a new LOGALERT_EV event for the same alert is received. This policy updates the existing event (event is looked up by using the alert_id slot) with the slot values of the new event and increments the repeat count for the event. This policy applies only if you have configured the Helix Log analytics application.

  • alert_name
  • alert_starttime
  • alert_endtime
  • alert_query
  • msg
  • alert_launch_params
  • priority
  • severity
  • _repeat_count (Value incremented by 1)
DynatraceEventsDuplicateProcessingDynatraceEventDynatraceEvent:_identifier

Deduplicates an event of the DynatraceEvent class when a new DynatraceEvent event with the same event identifier is received. This policy updates the existing event (event is looked up by using the _identifier slot) with the slot values of the new event and increments the repeat count for the event. This policy applies only if you have configured the Dynatrace connector from the Helix Intelligent Integrations application.

  • _repeat_count (Value incremented by 1)
  • msg
  • status
  • priority
  • severity
  • affectedRequestsPerMinute
  • artifact
  • entityName
  • sourceEventId
  • sourceTags
  • eventType
  • impactLevel
  • percentile
  • referenceResponseTime50thPercentile
  • referenceResponseTime90thPercentile
  • service
  • severityLevel
  • source
  • annotationType
  • annotationDescription
  • correlationId
  • serviceMethodGroup
  • serviceMethod
  • syntheticErrorType
  • affectedSyntheticActions
  • affectedSyntheticLocations
SituationEventDuplicateProcessingSituation_identifier

Deduplicates an event of the Situation class when a new event with the same event identifier is received. This policy updates the existing event (event is looked up by using the _identifier slot) with the slot values of the new event and increments the related event count. This policy is applicable only if you have enabled the AiOps situations feature in the Helix Service Monitoring application.

  • msg
  • source_hostname
  • severity
  • priority
  • child_situations
  • parent_situation
  • _relationships.evcount
PatrolEventsDuplicateProcessingPATROL_EV
  • source_address
  • p_node
  • p_agent_port
  • p_application
  • p_instance
  • p_parameter

Deduplicates an event of the PATROL_EV class when a severity change event for the same metric is received from the PATROL Agent. This policy updates the existing event (event is looked up by using the dedup slots listed for the event class) with the slot values of the new event and increments the repeat count for the event.

  • msg
  • severity
  • p_type
  • p_source_id
  • p_parameter_value
  • p_origin_key
  • p_class
  • p_args
  • p_status
  • _repeat_count (Value incremented by 1)
PatrolEventsCloseProcessingPATROL_EV
  • source_address
  • p_node
  • p_agent_port
  • p_application
  • p_instance
  • p_parameter

Updates the status of an existing PATROL event from Open to Closed after an incoming PATROL event with the severity OK is received. The event is looked up by using the dedup slots listed for the event class. The policy drops the new incoming event with the severity OK.

If the value of dedup slots in the existing event match the value of dedup slots in the incoming event, then the final event status is as follows:

Existing eventStatusSeverityFinal status of the event
E1OpenAny severityClosed
Incoming eventStatusSeverityFinal status of the event
E2OpenOKDropped or not ingested in the system
status


Out-of-the-box policy templates

Out-of-the-box policy templates with predefined event selection criteria are available that help you to process events and set up routine event-management actions. 

You can edit and customize an out-of-the-box policy template as per your requirement. However, if you choose a different class name, the predefined advanced enrichment configurations are reset. 

By default, the policy templates are disabled. Enable the policies after you edit them as per your requirement.

The following table describes the out-of-the-box policy templates and their predefined criteria:

Out-of-the-box templatesDescription
Template for Basic and Advanced Enrichment
  • Event selection criteria:
    • Class name: PATROL Event
    • Host: server1
  • Basic enrichment: This policy is applied to all open events with priority Highest and event category Problem Management
  • Advanced enrichment condition 1: Extracts the hostname and checks if it is a short hostname based on the dot position. The policy replaces the instance name with the short hostname. 
    For example, if the hostname is abc.bmc.com, the instance name will be set to abc.
  • Advanced enrichment condition 2: Based on the location, assign open events to specific people, and update the severity and status. For example, if the location is New York, assign the event to Mike, update the event status to Assigned and event severity to Major. If the location is Chicago, assign the event to Shiela, update the event status to Assigned and event severity to Critical.
Template for Closing Events and Dropping Duplicate Events
  • Event selection criteria:
    • Instance name: instance1
    • Message: ServerA
  • Advanced enrichment condition: When the event priority changes, close the event; Delete a new event if it is a duplicate of an existing event.
Template for Timeout Policy And Notification
  • Event selection criteria:
    • Class name: Event
    • Hostname: Server3
  • Advanced enrichment condition: If an event is open and unassigned for longer than 6 hours, update the event severity and assign it to a specific person, and send a notification to the specified email address. For example, if the event is open and unassigned for longer than 6 hours, update the event severity to Critical, assign the event to Admin, and send a notification email to abc@xyz.com.
Template for Event Suppression
  • Event selection criteria:
    • Class name: PATROL Event
    • Message: patrolevent
    • Hostname: server2
  • Basic enrichment: Drop new events matching the event selection criteria.


Was this page helpful? Yes No Submitting... Thank you
Last modified by Shreya Gurukiran on Jul 31, 2023
out-of-the-box deduplication policies policy dedup slot template internal

Comments

Log in or register to comment.

Event policy types and evaluation order
Event enrichment for adding context
© Copyright 2020-2022 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use . BMC, the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.