Example: Enrich the source host name by parsing the event message
The following video (4:56) helps you understand how you can create a refinement policy.
To enrich the source host name, perform the following steps:
Actions used in the example
- Enrich
- Variable
For more information about actions, see Actions for advanced and time-based enrichment.
To define the event selection criteria
- Select Configuration > Event Policies and click Create.
- In Event Selection Criteria, define a condition to select events that come from the host ServerA and that contain the message ORA listener not running on ServerB.
The following image illustrates how the event selection criteria will look:
To learn how to construct the event selection criteria, see Creating and enabling event policies.
To build the policy workflow
On the Refinement page, perform the following steps:
- Add the Variable action to parse the event message. Use the Split function to split the message and store the function output in the $locVar list variable.
- Add the Variable action to compute the length of the list created from the event message. Use the ListLength function to compute the length of the message list $locVar and store the function output in the $locIndex variable.
- Add the Variable action to retrieve the host name from the event message. Use the ListGetElement function to retrieve the host name at the $locIndex position from the $locVar list.
- Add an Enrich action to enrich the host.
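The following Python model of the workflow above is an added example, not product code or policy syntax. It assumes a space delimiter for Split, 1-based positions for ListGetElement, and hypothetical event fields `host` and `msg`. It also adds two checks that are not steps on this page: the last token must follow the word "on", and it must be a syntactically valid host name, because the message text is untrusted input that ends up in the host field.

```python
import re

# Constructed sample event that mirrors the selection criteria on this page.
SAMPLE_EVENT = {"host": "ServerA", "msg": "ORA listener not running on ServerB"}

# RFC 1123 host name syntax; an added safeguard, not a step from the page.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")

def split(text, delimiter=" "):
    """Model of Split (assumed space delimiter); empty tokens are dropped."""
    return [token for token in text.split(delimiter) if token]

def list_length(items):
    """Model of ListLength: number of elements in the list."""
    return len(items)

def list_get_element(items, position):
    """Model of ListGetElement; positions are assumed to be 1-based."""
    if not 1 <= position <= len(items):
        raise IndexError(f"position {position} is outside 1..{len(items)}")
    return items[position - 1]

def matches_selection(event):
    """Event comes from ServerA and carries the ORA listener message."""
    return (event.get("host") == "ServerA"
            and "ORA listener not running on" in event.get("msg", ""))

def refine(event):
    """Return a copy with host taken from the message, or the event unchanged."""
    if not matches_selection(event):
        return event
    loc_var = split(event["msg"])            # $locVar
    loc_index = list_length(loc_var)         # $locIndex
    # The last token is only a host name when it directly follows "on".
    if loc_index < 2 or list_get_element(loc_var, loc_index - 1) != "on":
        return event
    candidate = list_get_element(loc_var, loc_index).rstrip(".,;:")
    if len(candidate) > 253 or not HOSTNAME_RE.fullmatch(candidate):
        return event                         # do not enrich with malformed text
    return {**event, "host": candidate}      # Enrich action

if __name__ == "__main__":
    print(refine(SAMPLE_EVENT))
```

A message with trailing text after the host name leaves the event unchanged here, whereas taking the last list element unconditionally would write that trailing token into the host field.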
Results
The resulting policy workflow enriches the source host name by parsing the event message as shown in the following image:
Before event enrichment
After event enrichment