Example: Enrich events with node details

To enrich the event kernel and OS details, perform the following steps:

1. Define the event selection criteria.
2. Build the policy workflow.

Actions used in the example

• Function
• Enrich

For more information about actions, see Actions for advanced and time-based enrichment.

To define the event selection criteria

1. Select Configuration > Event Policies and click Create.
2. In the Event Selection Criteria, define a condition to select events from the NODE-DETAILS-EV class that contains the message "EnrichEventWithCI".

The following image illustrates how the event selection criteria will look:

To learn how to construct the event selection criteria, see Creating and enabling event policies.

To build the policy workflow

On the Advanced Enrichment page, perform the following steps to build the policy workflow:

TipYou can hover over an action to view the complete label for the action as shown:

1. Add the Function action to look up the node details and then use the LookupNodeDetails function to specify the node attributes that you want to retrieve. 
   
   Assume that the fetched device attributes have the following values:

   Click here to expand...

   {
          "kernel": "2.6.32.59-0.19.1.14514.1.PTF-default",
          "model": "VMware Virtual Platform",
          "os": "SUSE Linux Enterprise Server 11 (x86_64) VERSION = 11 PATCHLEVEL = 1"
   }
2. Add the Enrich action to enrich the OS details in the event with the node details.
   The node details retrieved can be used as variables for processing events.
   
   
   
3. Add the Enrich action to enrich the kernel details in the event with the node details.
   
   
   
4. Add the Enrich action to enrich the detailed message with the node details.
   

Results

The policy workflow enriches the kernel, OS details, and the detailed message in the event as shown in the following images: