Event Orchestration workflows
This topic describes the TrueSight Orchestration workflows for the Event Orchestration run book.
The predefined workflows in the run book ensure that the underlying logic for any new event types added to the run book remains the same.
Event Orchestration process workflows
The Process Event workflow is triggered when event data is received by TrueSight Orchestration.
The workflow contains sub-processes, which perform an end-to-end process to triage and remediate the incoming event. The output data of each sub-process is the input for the subsequent sub-process.
The following table describes the stage, the workflow triggered at each stage, the modules required and information about how the Process Event workflow performs the end-to-end Event Orchestration process:
Stage | Workflow name | Module that contains the workflow | Description | Required for new event types |
---|---|---|---|---|
Triage | Extract Event and Configuration Data | BMC-SA-Event Orchestration | Extracts configuration information based on the event type. | Yes |
Triage | Pre-Triage Actions | BMC-SA-Event Orchestration | Can contain any pre-triage actions based on your requirement. Currently, no specific pre-triage action is identified. | Optional |
Triage | Perform Triage | BMC-SA-Event_Orchestration_Service_Down | After extracting event data, the Perform Triage workflow is invoked, which verifies the validity of the event on the target server. For each supported event type, the Perform Triage workflow is included in the module for the event type. For example, for a service down event, the Perform Triage workflow is a part of the BMC-SA-Event_Orchestration_Service_Down module. | Yes |
Triage | Post-Triage Actions | AutoPilot-OA-Event_Orchestration | If triage is successful and remediation is required, the Create Incident workflow in the AutoPilot-OA-Event_Orchestration module creates an incident or updates an existing incident in the ITSM system as part of the Post-Triage Actions. The ITSM system is defined in the BMC-SA-Event_Orchestration_Configuration module. The Create Incident workflow invokes the Create or Update Incident workflow of AutoPilot-OA-ITSM_Automation, which hides the details of the target ITSM implementation. The ITSM Type module configuration item is defined statically during initial configuration of the solution; at run time, the logic in AutoPilot-OA-ITSM_Automation switches to the appropriate implementation. | Yes |
Remediation | Pre-Remediation Actions | AutoPilot-OA-ITSM_Automation | If a change ticket needs to be created, the AutoPilot-OA-Event_Orchestration:Create Change workflow is invoked. This internally invokes the AutoPilot-OA-ITSM_Automation's Do Create Change workflow to create a change and task for the incident. AutoPilot-OA-ITSM_Automation hides the details of target ITSM implementation. | Optional |
Remediation | Perform Remediation | BMC-SA-Event_Orchestration_Service_Down | If remediation is required and there were no errors in the previous stages of the execution, remediation is started in two ways: For each supported event type, the Perform Remediation workflow is included in the module for the event type. For example, for a service down event, the Perform Remediation workflow is a part of the BMC-SA-Event_Orchestration_Service_Down module. | Yes |
Validation | Post-Remediation Actions | BMC-SA-Event_Orchestration_Service_Down | Invokes the Perform Validation workflow, which validates whether the event is successfully remediated. For example, for the Service Down event type, the workflow validates whether the service is started on the target server. After the validation process is completed, ITSM tickets (change, task and incident) are updated with appropriate status (success/failure). For each supported event type, the Perform Validation workflow is included in the module for the event type. For example, for a service down event, the Perform Validation workflow is a part of the BMC-SA-Event_Orchestration_Service_Down module. | Yes |
Generic | Update Event Notes | BMC-SA-Event Orchestration | The Update Event Notes workflow is used in all the workflows to update the event notes in the event management tool with the current status. For example, for the service down event, | Yes |
Process Event workflow
The Process Event workflow accepts an event from a rule and performs triage and remediation, which involves the following process:
- Extract configuration related to the event
- Perform Triage
- Perform Remediation
The following table describes the input and output elements for the Process Event workflow.
Input element | Description |
---|---|
inputevent | Contains the event data in a common event model (CEM) format. A sample event is shown after this table. |

Sample event

```xml
<event>
  <metaData>
    <eventClass>PATROL_EV</eventClass>
    <eventId>clm-aus-009801@10.17.78.30:3181.1524126824.63966</eventId>
    <reportTimeEpoch>0</reportTimeEpoch>
    <eventToCIAssociationType>IMPACTING</eventToCIAssociationType>
    <propagationHistory>[bao1:18875]</propagationHistory>
  </metaData>
  <sourceData>
    <componentHost>clm-aus-009801.bmc.com</componentHost>
    <componentHostAddress>10.17.78.30</componentHostAddress>
    <location>bmc.com</location>
    <componentCaption>SERVICES_TBS</componentCaption>
    <componentType>NT_SERVICES</componentType>
  </sourceData>
  <situationData>
    <situationCategory>AVAILABILITY_MANAGEMENT</situationCategory>
    <situationSubCategory>APPLICATION</situationSubCategory>
    <situationTime>1524126907</situationTime>
    <severity>CRITICAL</severity>
    <situationTimeEpoch>0</situationTimeEpoch>
    <service>TBS</service>
    <messageSummary>ServiceStatus for NT_SERVICES/SERVICES_TBS is in ALARM current value is 3.000000</messageSummary>
  </situationData>
  <reporterData>
    <componentCaption>clm-aus-009801:3181</componentCaption>
    <componentType>PATROL Agent</componentType>
    <eventTime>1524126907</eventTime>
  </reporterData>
  <extendedData>
    <nameValueList>
      <nameValue> <name>cell-name</name> <value>bao1</value> </nameValue>
      <nameValue> <name>date</name> <value>20180419140507.000000+330</value> </nameValue>
      <nameValue> <name>p-origin</name> <value>NT_SERVICES.SERVICES_TBS.ServiceStatus</value> </nameValue>
      <nameValue> <name>mc-origin-sev</name> <value>4</value> </nameValue>
      <nameValue> <name>event-identification-type</name> <value>Internal</value> </nameValue>
      <nameValue> <name>p-owner</name> <value>Patrol</value> </nameValue>
      <nameValue> <name>p-class</name> <value>11</value> </nameValue>
      <nameValue> <name>mc-modhist</name> <value>[bao1]</value> </nameValue>
      <nameValue> <name>p-expectancy</name> <value>STORED</value> </nameValue>
      <nameValue> <name>p-instance</name> <value>SERVICES_TBS</value> </nameValue>
      <nameValue> <name>mc-origin-key</name> <value>63966</value> </nameValue>
      <nameValue> <name>p-source-id</name> <value>63966</value> </nameValue>
      <nameValue> <name>date-reception</name> <value>1524126907</value> </nameValue>
      <nameValue> <name>p-agent</name> <value>clm-aus-009801.bmc.com</value> </nameValue>
      <nameValue> <name>p-handler</name> <value>Patrol</value> </nameValue>
      <nameValue> <name>p-agent-port</name> <value>3181</value> </nameValue>
      <nameValue> <name>p-agent-version</name> <value>V11.0.00i</value> </nameValue>
      <nameValue> <name>p-type</name> <value>ALARM</value> </nameValue>
      <nameValue> <name>mc-local-reception-time</name> <value>1524126967</value> </nameValue>
      <nameValue> <name>mc-origin-class</name> <value>PATROL Agent</value> </nameValue>
      <nameValue> <name>p-args</name> <value>[Alarm #2, global, ServiceStatus, NT_SERVICES.SERVICES_TBS, 3, 3.00, 3]</value> </nameValue>
      <nameValue> <name>p-catalog</name> <value>0</value> </nameValue>
      <nameValue> <name>itsm-company</name> <value>Calbro Services</value> </nameValue>
      <nameValue> <name>mc-arrival-time</name> <value>1524126967</value> </nameValue>
      <nameValue> <name>p-status</name> <value>OPEN</value> </nameValue>
      <nameValue> <name>p-application</name> <value>NT_SERVICES</value> </nameValue>
      <nameValue> <name>mc-origin</name> <value>clm-aus-009801:3181</value> </nameValue>
      <nameValue> <name>itsm-incident-status</name> <value>Assigned</value> </nameValue>
      <nameValue> <name>mc-date-modification</name> <value>1524126967</value> </nameValue>
      <nameValue> <name>mc-host-class</name> <value>NT6.0 Service Pack 2</value> </nameValue>
      <nameValue> <name>p-agent-address</name> <value>10.17.78.30</value> </nameValue>
      <nameValue> <name>itsm-incident-id</name> <value>INC000000000128</value> </nameValue>
      <nameValue> <name>p-node</name> <value</value> </nameValue>
    </nameValueList>
  </extendedData>
  <metricsData>
    <metricName>ServiceStatus</metricName>
    <metricValue>3.000000</metricValue>
  </metricsData>
</event>
```
Extract Event and Configuration Data workflow
Extracts event and configuration data based on the event type. Based on the extracted data, TrueSight Orchestration determines whether to perform the triage and remediation process.
The following table describes the input and output elements for the Extract Event and Configuration Data workflow.
Input element | Description |
---|---|
event data | Contains the event data for an incoming event in a CEM format. |
Output element | Description |
event source type | Specifies the source from which the event is generated. |
itsm type | Specifies the ITSM type where incident, change, and tasks are to be created. |
event type | Specifies the event type. For example, service down. |
all configurations | Contains all configuration data required to determine if triage is required and the type of triage to be performed. |
event data | Contains the input event data |
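
The following Python sketch shows the kind of extraction and validation a custom event type can apply to a CEM event before its fields are used for triage. It is an added example, not TrueSight Orchestration code; the function name, the allow-list patterns and the trimmed sample event are assumptions made for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the CEM event shown on this page.
SAMPLE_EVENT = """<event>
  <sourceData>
    <componentHost>clm-aus-009801.bmc.com</componentHost>
    <componentHostAddress>10.17.78.30</componentHostAddress>
  </sourceData>
  <situationData><severity>CRITICAL</severity><service>TBS</service></situationData>
  <extendedData><nameValueList>
    <nameValue><name>p-status</name><value>OPEN</value></nameValue>
    <nameValue><name>itsm-incident-id</name><value>INC000000000128</value></nameValue>
  </nameValueList></extendedData>
</event>"""

# Assumed allow-lists; tighten them to what your environment actually uses.
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
SERVICE_RE = re.compile(r"[A-Za-z0-9_. -]{1,128}")

def extract_event(xml_text):
    """Parse a CEM event; return validated fields or raise ValueError."""
    # ElementTree expands internal entities, so refuse any DTD up front.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed event XML: {exc}") from exc
    if root.tag != "event":
        raise ValueError("root element must be <event>")
    def text(path):
        return (root.findtext(path) or "").strip()
    fields = {
        "host": text("sourceData/componentHost"),
        "address": text("sourceData/componentHostAddress"),
        "service": text("situationData/service"),
        "severity": text("situationData/severity"),
    }
    # These values later pick the target server and service to act on, so
    # accept only a plain hostname, a literal IP address and a simple name.
    if not HOST_RE.fullmatch(fields["host"]):
        raise ValueError("invalid componentHost")
    ipaddress.ip_address(fields["address"])  # raises ValueError if not an IP
    if not SERVICE_RE.fullmatch(fields["service"]):
        raise ValueError("invalid service")
    # Flatten the extendedData name/value pairs into a dict.
    fields["extended"] = {
        (nv.findtext("name") or "").strip(): (nv.findtext("value") or "").strip()
        for nv in root.iterfind("extendedData/nameValueList/nameValue")
    }
    return fields
```

Rejecting the event at this point keeps unvalidated host and service values out of the later stages that connect to the target server.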
Perform Triage workflow
The Extract Event and Configuration Data workflow sends the event-related data, which is used by the Perform Triage workflow to verify the event on the target server.
The following table describes the input and output elements for the Perform Triage workflow.
Input element | Description | Required |
---|---|---|
event source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
all configurations | Specifies module configuration data | Yes |
event data | Specifies the input event data | Yes |
authentication token | TrueSight Orchestration authentication token | No |
target connection data | Contains connection information to connect to the target server | Yes |
pre triage response data | Output data from pre-triage actions. If empty, supply <pretriage-response-data /> | Yes |
flags | Collection of status and decision flags. Example: <flags> <status>success</status> </flags> | Yes |
Output element | Description | |
triage response | Contains the response for the triage action | - |
flags | Contains the flags | - |
Post-Triage Actions workflow
A framework workflow to support any post-triage actions such as creating incident or change tickets, updating event notes, and so on.
The following table describes the input and output elements for the Post-Triage Actions workflow.
Input element | Description | Required |
---|---|---|
source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
all configurations | Specifies module configuration data | Yes |
event data | Specifies the input event data | Yes |
authentication token | TrueSight Orchestration authentication token | No |
target connection data | Contains connection information to connect to the target server | Yes |
pre triage response data | Output data from pre-triage actions. If empty, supply <pretriage-response-data /> | Yes |
flags | Collection of status and decision flags. Example: <flags> <status>success</status> </flags> | Yes |
Output element | Description | |
post triage response | Returns the incident ID that is created as part of the Post-Triage Actions workflow. <post-triage-response-data> <incident-id>INC000000000309</incident-id> </post-triage-response-data> | -- |
flags | Collection of previous flags and incident related information. <flags> <status>success</status> <remediation-required>true</remediation-required> <continue-processing>true</continue-processing> <incident-created>true</incident-created> <incident-updated>false</incident-updated> </flags> | -- |
event data | If an incident is created, the event data is updated with the incident ID. | -- |
Pre-Remediation Actions workflow
A framework workflow to support any pre-remediation actions such as updating incident or change tickets, updating event notes, and so on.
The following table describes the input and output elements for the Pre-Remediation Actions workflow.
Input element | Description | Required |
---|---|---|
event source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
all configurations | Specifies module configuration data | Yes |
event data | Specifies the input event data | Yes |
authentication token | TrueSight Orchestration authentication token | No |
target connection data | Contains connection information to connect to the target server | Yes |
post triage response data | Output data from post-triage action <post-triage-response-data> <incident-id>INC000000000217</incident-id> </post-triage-response-data> | Yes |
flags | Collection of status and decision flags. Example: <flags> <status>success</status> </flags> | Yes |
itsm data | Contains the incident ID created as part of the Post-Triage Actions workflow. <itsm-data> <itsm-incident-id>INC000000000469</itsm-incident-id> </itsm-data> | Yes |
Output element | Description | |
pre remediation response data | Returns the response for the workflow | |
flags | Collection of status and decision flags. |
Perform Remediation workflow
The Perform Remediation workflow performs remediation actions on the target server.
The following table describes the input and output elements for the Perform Remediation workflow.
Input element | Description | Required |
---|---|---|
event source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
all configurations | Specifies module configuration data | Yes |
event data | Specifies the input event data | Yes |
authentication token | TrueSight Orchestration authentication token | No |
target connection data | Contains connection information to connect to the target server | Yes |
pre-remediation response data | When empty: <itsm-data/> When contains incident ID: <itsm-data> <incident-id>INC000111</incident-id> </itsm-data> | Yes |
flags | Specifies the flags XML set by each process after execution for the subsequent process. <flags> <status>true</status> <remediation-required>true</remediation-required> <continue-processing>true</continue-processing> </flags> | Yes |
Output element | Description | |
remediation response data | Contains the response for the workflow. | - |
flags | Contains a collection of status and decision flags. | - |
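
Because the flags XML decides whether remediation runs on the target server, a custom Perform Remediation workflow benefits from a gate that fails closed. The Python sketch below is an added example, not TrueSight Orchestration code; the function names, the rule that all three flags must be present, and the accepted status values are assumptions.

```python
import xml.etree.ElementTree as ET

# The page's samples show both <status>success</status> and <status>true</status>;
# accepting either as "no error" is an assumption of this example.
OK_STATUS = {"success", "true"}
REQUIRED = ("status", "remediation-required", "continue-processing")


def parse_flags(flags_xml):
    """Return the children of <flags> as a dict; raise ValueError if malformed."""
    try:
        root = ET.fromstring(flags_xml)
    except ET.ParseError as exc:
        raise ValueError(f"malformed flags XML: {exc}") from exc
    if root.tag != "flags":
        raise ValueError("root element must be <flags>")
    flags = {}
    for child in root:
        if child.tag in flags:
            raise ValueError(f"duplicate flag: {child.tag}")  # ambiguous: refuse
        flags[child.tag] = (child.text or "").strip().lower()
    return flags


def may_remediate(flags_xml):
    """Fail closed: allow remediation only if every gate flag is present and positive."""
    try:
        flags = parse_flags(flags_xml)
    except ValueError:
        return False
    if any(name not in flags for name in REQUIRED):
        return False
    return (flags["status"] in OK_STATUS
            and flags["remediation-required"] == "true"
            and flags["continue-processing"] == "true")


# Constructed inputs modelled on the flags samples on this page.
GOOD = ("<flags><status>success</status><remediation-required>true"
        "</remediation-required><continue-processing>true</continue-processing>"
        "<incident-created>true</incident-created></flags>")
ONLY_STATUS = "<flags> <status>success</status> </flags>"
UNCLOSED = "<flags><status>true</status><remediation-required>true<flags>"

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("only status", ONLY_STATUS), ("unclosed", UNCLOSED)):
        print(name, may_remediate(doc))
```

A missing flag, a duplicate flag or XML that does not parse all result in no remediation, so an error in an earlier stage cannot be read as approval.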
Post-Remediation Actions
The following table describes the input and output elements for the Post-Remediation Actions workflow.
Input element | Description | Required |
---|---|---|
event source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
all configurations | Specifies module configuration data | Yes |
event data | Specifies the input event data | Yes |
authentication token | TrueSight Orchestration authentication token | No |
target connection data | Contains connection information to connect to the target server | Yes |
flags | Specifies the flags XML set by each process after execution for the subsequent process. | Yes |
change | Specifies the change XML created in Post-Remediation Action | Yes |
Output element | Description | |
remediation response data | Contains the response for the workflow. | - |
flags | Contains a collection of status and decision flags. | - |
Update Event Notes workflow
The Update Event Notes workflow updates the status after each sub-process is executed as part of the Process Event workflow. In this release, the Update Event Notes workflow updates the Logs and Notes section for an event in the TrueSight Presentation Server or TrueSight Infrastructure Management server. After each stage, the notes are updated to reflect the latest status of the event.
The following table describes the input and output elements for the Update Event Notes workflow.
Input element | Description | Required |
---|---|---|
event source type | Specifies the source of the event. For example, BMC_TrueSight | Yes |
all configurations | Specifies the module configuration | Yes |
event data | Specifies the event data that can be used to determine target information. | Yes |
event notes | Specifies the notes that are recorded in the event record. | Yes |
mode | Specifies whether to execute this workflow in a synchronous or asynchronous mode. If sync, the process waits for a response from the event source. If async, the process does not wait for a response from the event source. | No |
Output element | Description | |
status | Specifies the status of the workflow | - |
error message | Contains error message if the workflow fails. | - |