Event Orchestration workflows


This topic describes the TrueSight Orchestration workflows for the Event Orchestration run book. 

The predefined workflows in the run book ensure that the underlying logic for any new event types added to the run book remains the same. 

Event Orchestration process workflows

The Process Event workflow is triggered when event data is received by TrueSight Orchestration.

The workflow contains sub-processes that together perform an end-to-end process to triage and remediate the incoming event. The output data of each sub-process is the input for the subsequent process.


The following table describes the stage, the workflow triggered at each stage, the modules required and information about how the Process Event workflow performs the end-to-end Event Orchestration process:

| Stage | Workflow name | Module that contains the workflow | Description | Required for new event types |
| --- | --- | --- | --- | --- |
| Triage | Extract Event and Configuration Data | BMC-SA-Event Orchestration | Extracts configuration information based on the event type. | Yes |
| Triage | Pre-Triage Actions | BMC-SA-Event Orchestration | Can contain any pre-triage actions based on your requirement. Currently, no specific pre-triage action is identified. | Optional |
| Triage | Perform Triage | BMC-SA-Event_Orchestration_Service_Down | After extracting event data, the Perform Triage workflow is invoked, which verifies the validity of the event on the target server. For each supported event type, the Perform Triage workflow is included in the module for the event type. For example, for a service down event, the Perform Triage workflow is a part of the BMC-SA-Event_Orchestration_Service_Down module. | Yes |
| Triage | Post-Triage Actions | AutoPilot-OA-Event_Orchestration | If triage is successful and remediation is required, the Create Incident workflow in the AutoPilot-OA-Event_Orchestration module creates an incident or updates an existing incident in the ITSM system as part of the Post-Triage Actions. The ITSM system is defined in the BMC-SA-Event_Orchestration_Configuration module. The Create Incident workflow invokes the Create or Update Incident workflow in AutoPilot-OA-ITSM_Automation, which hides the details of the target ITSM implementation. The ITSM Type module configuration item is defined statically during initial configuration of the solution; at runtime, logic in AutoPilot-OA-ITSM_Automation switches to the appropriate implementation. | Yes |
| Remediation | Pre-Remediation Actions | AutoPilot-OA-ITSM_Automation | If a change ticket needs to be created, the AutoPilot-OA-Event_Orchestration:Create Change workflow is invoked. This internally invokes the Do Create Change workflow in AutoPilot-OA-ITSM_Automation to create a change and task for the incident. AutoPilot-OA-ITSM_Automation hides the details of the target ITSM implementation. | Optional |
| Remediation | Perform Remediation | BMC-SA-Event_Orchestration_Service_Down | If remediation is required and there were no errors in the previous stages of the execution, remediation is started in one of two ways: (1) If no change ticket is created, remediation is started immediately. (2) If a change ticket is created, the remediation process awaits approval of the change ticket, based on the approval process configuration defined in the ITSM system. For each supported event type, the Perform Remediation workflow is included in the module for the event type. For example, for a service down event, the Perform Remediation workflow is a part of the BMC-SA-Event_Orchestration_Service_Down module. | Yes |
| Validation | Post-Remediation Actions | BMC-SA-Event_Orchestration_Service_Down | Invokes the Perform Validation workflow, which validates whether the event is successfully remediated. For example, for the Service Down event type, the workflow validates whether the service is started on the target server. After the validation process is completed, ITSM tickets (change, task and incident) are updated with the appropriate status (success/failure). For each supported event type, the Perform Validation workflow is included in the module for the event type. For example, for a service down event, the Perform Validation workflow is a part of the BMC-SA-Event_Orchestration_Service_Down module. | Yes |

Process Event workflow

The Process Event workflow receives event data and an action ID, and performs triage and remediation by invoking the following processes:

  • Extract configuration related to the event 
  • Pre-Triage Actions 
  • Perform Triage 
  • Post-Triage Actions 
  • Pre-Remediation Actions 
  • Perform Remediation 
  • Post-Remediation Actions

The following table describes the input and output elements for the Process Event workflow. 

| Input element | Description |
| --- | --- |
| event data | Contains the event data in JSON format. |
| action id | Action ID as defined by a use case, like BMC_TrueSight-ServiceDown-1. |

The following figure shows a sample event.

{
  "adapter_host" : "" ,
  "administrator" : "" ,
  "date" : "20190312150809.000000+330" ,
  "date_reception" : "1552383489" ,
  "duration" : "0" ,
  "event_handle" : "1399" ,
  "event_identification_type" : "Default" ,
  "itsm_category" : "" ,
  "itsm_company" : "" ,
  "itsm_incident_id" : "" ,
  "itsm_incident_status" : "" ,
  "itsm_item" : "" ,
  "itsm_location" : "" ,
  "itsm_manufacturer" : "" ,
  "itsm_model_version" : "" ,
  "itsm_operational_category1" : "" ,
  "itsm_operational_category2" : "" ,
  "itsm_operational_category3" : "" ,
  "itsm_product_name" : "" ,
  "itsm_type" : "" ,
  "mc_abstracted" : "[]" ,
  "mc_abstraction" : "[]" ,
  "mc_account" : "" ,
  "mc_acl" : "[]" ,
  "mc_action_count" : "0" ,
  "mc_arrival_time" : "1552383507" ,
  "mc_associations" : "[]" ,
  "mc_bad_slot_names" : "[]" ,
  "mc_bad_slot_values" : "[]" ,
  "mc_cause" : "0" ,
  "mc_client_address" : "10.133.71.162" ,
  "mc_collectors" : "[1.1,2.1.1,3.1.1,4.1,5.1,13.1.1]" ,
  "mc_date_modification" : "1552383507" ,
  "mc_effects" : "[]" ,
  "mc_event_category" : "" ,
  "mc_event_model_version" : "1.1.00" ,
  "mc_event_relations" : "[]" ,
  "mc_event_subcategory" : "SYSTEM" ,
  "mc_history" : "[]" ,
  "mc_host" : "hostname.bmc.com" ,
  "mc_host_address" : "10.133.65.237" ,
  "mc_host_class" : "" ,
  "mc_host_id" : "8" ,
  "mc_incident_report_time" : "0" ,
  "mc_incident_time" : "1552383429" ,
  "mc_local_reception_time" : "1552383507" ,
  "mc_location" : "bmc.com" ,
  "mc_long_msg" : "" ,
  "mc_modhist" : "[pncell_hostname]" ,
  "mc_notes" : "[]" ,
  "mc_notification_history" : "[]" ,
  "mc_object" : "NUK_Memory@hostname.bmc.com" ,
  "mc_object_class" : "NUK_Memory" ,
  "mc_object_owner" : "" ,
  "mc_object_uri" : "" ,
  "mc_operations" : "[]" ,
  "mc_origin" : "" ,
  "mc_origin_class" : "" ,
  "mc_origin_key" : "" ,
  "mc_origin_sev" : "" ,
  "mc_original_priority" : "PRIORITY_5" ,
  "mc_original_severity" : "CRITICAL" ,
  "mc_owner" : "" ,
  "mc_parameter" : "Memory Used By User Processes and Kernel (Excludes Buffers-Cache)" ,
  "mc_parameter_threshold" : "15.0" ,
  "mc_parameter_unit" : "%" ,
  "mc_parameter_value" : "22.38" ,
  "mc_priority" : "PRIORITY_5" ,
  "mc_propagations" : "[pn_server_hostname:42,ts_event_gateway:57]" ,
  "mc_relation_source" : "" ,
  "mc_relationships" : "0/0" ,
  "mc_service" : "" ,
  "mc_smc_alias" : "hostname_8" ,
  "mc_smc_causes" : "[]" ,
  "mc_smc_effects" : "[]" ,
  "mc_smc_id" : "hostname_8" ,
  "mc_smc_impact" : "IMPACTING" ,
  "mc_smc_priority" : "0" ,
  "mc_smc_type" : "BMC_ComputerSystem" ,
  "mc_timeout" : "0" ,
  "mc_tool" : "hostname" ,
  "mc_tool_address" : "IPAddress" ,
  "mc_tool_class" : "PNET" ,
  "mc_tool_id" : "" ,
  "mc_tool_key" : "5" ,
  "mc_tool_rule" : "" ,
  "mc_tool_sev" : "" ,
  "mc_tool_suggestion" : "" ,
  "mc_tool_time" : "1552383489" ,
  "mc_tool_uri" : "" ,
  "mc_ueid" : "hostname-alr-5" ,
  "mc_using_organization" : "" ,
  "mc_using_organization_id" : "" ,
  "msg" : "Memory Memory Used By User Processes and Kernel (Excludes Buffers-Cache) > 15%  for 1 min." ,
  "pn_alarm_exec_notify" : "FALSE" ,
  "pn_alarm_id" : "5" ,
  "pn_baseline_type" : "ALL" ,
  "pn_detail_diag" : "0" ,
  "pn_detail_diag_count" : "0" ,
  "pn_device_name" : "hostname.bmc.com" ,
  "pn_end_time" : "-1" ,
  "pn_extremeness" : "0" ,
  "pn_group_ids" : "[]" ,
  "pn_groups" : "[]" ,
  "pn_highest_severity" : "CRITICAL" ,
  "pn_invoke_alarm_rule" : "TRUE" ,
  "pn_is_predicted" : "FALSE" ,
  "pn_is_suppressing" : "FALSE" ,
  "pn_last_time" : "1552383489" ,
  "pn_object_class_id" : "501042" ,
  "pn_object_id" : "236" ,
  "pn_old_severity" : "OK" ,
  "pn_parameter_id" : "501042505" ,
  "pn_predict_to_occur_time" : "0" ,
  "pn_predicted_severity" : "" ,
  "pn_suppress_mode" : "NORMAL" ,
  "pn_suppress_notified" : "TRUE" ,
  "pn_suppress_primary_alarm_id" : "" ,
  "pn_suppress_rule_id" : "0" ,
  "pn_suppress_type" : "NONE" ,
  "pn_thresh_above" : "TRUE" ,
  "pn_thresh_duration" : "60" ,
  "pn_thresh_id" : "10007" ,
  "pn_thresh_type" : "161" ,
  "pn_vm_host" : "" ,
  "pn_vm_host_id" : "0" ,
  "repeat_count" : "0" ,
  "severity" : "CRITICAL" ,
  "status" : "OPEN" ,
  "server_id": "1"
}

Extract Event and Configuration Data workflow

Extracts event and configuration data based on the action ID. 

The following table describes the input and output elements for the Extract Event and Configuration Data workflow. 

| Input element | Description |
| --- | --- |
| event data | Contains the event data for an incoming event in a CEM format. |

| Output element | Description |
| --- | --- |
| event source type | Specifies the source of the event from where the event is generated. |
| itsm type | Specifies the ITSM type where incident, change, and tasks are to be created. |
| event type | Specifies the event type. For example, service down. |
| all configurations | Contains all configuration data required to determine if triage is required and the type of triage to be performed. |
| event data | Contains the input event data. |

Perform Triage workflow

The Extract Event and Configuration Data workflow sends the event-related data, which the Perform Triage workflow uses to verify the event on the target server.

The following table describes the input and output elements for the Perform Triage workflow. 

| Input element | Description | Required |
| --- | --- | --- |
| event source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
| itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
| event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
| all configurations | Specifies module configuration data. | Yes |
| event data | Specifies the input event data. | Yes |
| authentication token | TrueSight Orchestration authentication token. | No |
| target connection data | Contains connection information to connect to the target server. | Yes |
| pre triage response data | Output data from pre-triage actions. If empty, supply <pretriage-response-data />. | Yes |
| flags | Collection of status and decision flags. Example: <flags><status>success</status></flags> | Yes |

| Output element | Description |
| --- | --- |
| triage response | Contains the response for the triage action. |
| flags | Contains the flags. |

Post-Triage Actions workflow

Analyzes the results of the triage action and optionally creates or updates an incident.

The following table describes the input and output elements for the Post-Triage Actions workflow.

| Input element | Description | Required |
| --- | --- | --- |
| source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
| itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
| event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
| all configurations | Specifies module configuration data. | Yes |
| event data | Specifies the input event data. | Yes |
| authentication token | TrueSight Orchestration authentication token. | No |
| target connection data | Contains connection information to connect to the target server. | Yes |
| pre triage response data | Output data from pre-triage actions. If empty, supply <pretriage-response-data />. | Yes |
| flags | Collection of status and decision flags. Example: <flags><status>success</status></flags> | Yes |

| Output element | Description |
| --- | --- |
| post triage response | Returns the incident ID that is created as part of the Post-Triage Actions workflow. Example: <post-triage-response-data><incident-id>INC000000000309</incident-id></post-triage-response-data> |
| flags | Collection of previous flags and incident-related information. Example: <flags><status>success</status><remediation-required>true</remediation-required><continue-processing>true</continue-processing><incident-created>true</incident-created><incident-updated>false</incident-updated></flags> |
| event data | If an incident is created, the event data is updated with the incident ID. |

Pre-Remediation Actions workflow

Sets the stage for any remediation action, such as creating a change ticket. If a change ticket is created, remediation is skipped to await approval of the change ticket.

The following table describes the input and output elements for the Pre-Remediation Actions workflow. 

| Input element | Description | Required |
| --- | --- | --- |
| event source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
| itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
| event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
| all configurations | Specifies module configuration data. | Yes |
| event data | Specifies the input event data. | Yes |
| authentication token | TrueSight Orchestration authentication token. | No |
| target connection data | Contains connection information to connect to the target server. | Yes |
| post triage response data | Output data from the post-triage action. Example: <post-triage-response-data><incident-id>INC000000000217</incident-id></post-triage-response-data> | Yes |
| flags | Collection of status and decision flags. Example: <flags><status>success</status></flags> | Yes |
| itsm data | Contains the incident ID created as part of the Post-Triage Actions workflow. Example: <itsm-data><itsm-incident-id>INC000000000469</itsm-incident-id></itsm-data> | Yes |

| Output element | Description |
| --- | --- |
| pre remediation response data | Returns the response for the workflow. |
| flags | Collection of status and decision flags. |


Perform Remediation workflow

The Perform Remediation workflow invokes the use-case-specific Perform Remediation workflow. Sets the stage for any remediation action, such as creating a change ticket. If a change ticket is created, remediation is skipped to await approval of the change ticket.

The following table describes the input and output elements for the Perform Remediation workflow. 

| Input element | Description | Required |
| --- | --- | --- |
| event source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
| itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
| event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
| all configurations | Specifies module configuration data. | Yes |
| event data | Specifies the input event data. | Yes |
| authentication token | TrueSight Orchestration authentication token. | No |
| target connection data | Contains connection information to connect to the target server. | Yes |
| pre-remediation response data | When empty: <itsm-data/>. When it contains an incident ID: <itsm-data><incident-id>INC000111</incident-id></itsm-data> | Yes |
| flags | Specifies the flags XML set by each process after execution for the subsequent process. Example: <flags><status>true</status><remediation-required>true</remediation-required><continue-processing>true</continue-processing></flags> | Yes |

| Output element | Description |
| --- | --- |
| remediation response data | Contains the response for the workflow. |
| flags | Contains a collection of status and decision flags. |
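The remediation gate described for the Perform Remediation stage, written out as an added example (not BMC's code and not part of the original page). The function names and the change_ticket_created parameter are hypothetical, and treating continue-processing as a required flag is an assumption; the element names and status values come from the page's flags samples.

```python
import xml.etree.ElementTree as ET

# Boolean flag names as they appear in the page's <flags> samples.
BOOL_FLAGS = ("remediation-required", "continue-processing",
              "incident-created", "incident-updated")


def parse_flags(xml_text):
    """Parse a <flags> document into a dict; raise ValueError if unusable."""
    # Refuse DTDs/entities so a crafted payload cannot expand in the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration not allowed in flags")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed flags XML: {exc}") from exc
    if root.tag != "flags":
        raise ValueError(f"unexpected root element: {root.tag}")
    flags = {"status": (root.findtext("status") or "").strip().lower()}
    for name in BOOL_FLAGS:
        value = (root.findtext(name) or "false").strip().lower()
        if value not in ("true", "false"):
            raise ValueError(f"{name} must be true or false, got {value!r}")
        flags[name] = value == "true"
    return flags


def remediation_decision(flags_xml, change_ticket_created):
    """Return 'skip', 'await-approval' or 'remediate' for the next stage.
    change_ticket_created is a hypothetical parameter: the page shows no
    flag element for it, so the caller passes it explicitly.
    """
    try:
        flags = parse_flags(flags_xml)
    except ValueError:
        return "skip"  # fail closed: never remediate on unreadable flags
    # The page's samples use both "success" and "true" as a good status.
    ok = flags["status"] in ("success", "true")
    if not (ok and flags["remediation-required"]
            and flags["continue-processing"]):
        return "skip"
    return "await-approval" if change_ticket_created else "remediate"


# Constructed samples: one well-formed document, one with unclosed tags.
GOOD = ("<flags><status>true</status>"
        "<remediation-required>true</remediation-required>"
        "<continue-processing>true</continue-processing></flags>")
BAD = "<flags><status>true</status><remediation-required>true<flags>"
```

Malformed or unexpected flags produce "skip", so a parsing problem in one stage can never be read as permission to act on the target server.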

Post-Remediation Actions

Post-Remediation Actions analyzes the results of the remediation action and invokes the use-case-specific Perform Validation workflow. It closes change tickets, updates the incident ticket, or both.

The following table describes the input and output elements for the Post-Remediation Actions workflow. 

| Input element | Description | Required |
| --- | --- | --- |
| event source type | Specifies the source of the event. For example, BMC_TrueSight. | Yes |
| itsm type | Specifies the type of the ITSM system. For example, BMC_AR_System. | Yes |
| event type | Specifies the name of the event type. For example, ServiceDown. | Yes |
| all configurations | Specifies module configuration data. | Yes |
| event data | Specifies the input event data. | Yes |
| authentication token | TrueSight Orchestration authentication token. | No |
| target connection data | Contains connection information to connect to the target server. | Yes |
| flags | Specifies the flags XML set by each process after execution for the subsequent process. | Yes |
| change | Specifies the change XML created in Post-Remediation Action. | Yes |

| Output element | Description |
| --- | --- |
| remediation response data | Contains the response for the workflow. |
| flags | Contains a collection of status and decision flags. |

 
