Adding Event rules


An event rule associates imported events with a target entity or domain. The Rules page lists all the existing classification rules and lets you add, edit and delete them. You can access the Rules page by navigating to Administration > Event Manager > Event rules.

An event classification rule is composed of:

  • A condition: Usually a regular expression over one or more event fields.
  • An action: The definition of a set of systems, business drivers, and domains with which the event must be associated if the condition is met.

An event rule analyzes all the events that have been imported into a temporary stage table (EVENT_STAGE) but not yet classified. For each event, it checks its attributes against a set of user-defined conditions; if the conditions are satisfied, the rule associates the event with the proper entity or domain and moves it to the proper database table (EVENT_DATA). If no rule applies to an event, it remains in an unassociated status.

The Rules page displays the existing event rules and lets you edit or delete them, or add new ones.

Figure: Event Rules table

To add a new event rule

To create an event classification rule:

  1. Click Add rule and set the following properties in the three sections of the form:
    1. Rule: Enter the following information:
      1. Rule name: The name of the rule.
      2. Rule description: A brief description of the alert rule.
    2. Condition on events: Enter the following information:
      1. Name: Condition over the imported event name; you can match it against a custom regular expression or check if it is equal to a given string.
      2. Description: Restricts the matched events based on their description.
      3. Note: Restricts the matched events based on their note.
      4. Classification: Only matches events belonging to the selected class.
      5. Source: Condition over the source of the event (that is, what generated the event).
      6. Datasources: Only matches events that were imported from a specific ETL.
    3. Action: Enter the following information:
      1. Association: Lets you select the target with which the matched events will be associated. You can associate an event with an entity or a domain; it is also possible to select a data source: the rule will read the event source field and then use the specified ETL lookup table in order to resolve the association target.
  2. Click Save. The detail page of the new event rule, listing the rule conditions and action, will be displayed.

After a new rule has been created, you can launch an on-demand execution of the Event Aggregator task by clicking Apply rules now. A message informs you that the task is running. When the execution finishes, the number of new events is either unchanged or lower, depending on the effectiveness of the new rule.
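The classification pass and the form fields described above can be modeled as follows. This is an added example, not the product's code: the `Rule` class, `apply_rules`, the sample events, whole-field regex matching, and first-matching-rule-wins ordering are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    name_regex: Optional[str] = None     # "Name" condition as a regular expression
    source_equals: Optional[str] = None  # "Source" condition as an exact string
    target: Optional[str] = None         # fixed entity or domain to associate with
    lookup: Optional[dict] = None        # stand-in for an ETL lookup table keyed by source

    def matches(self, event: dict) -> bool:
        # Assumption: every condition that is set must hold, and the regex must
        # cover the whole field, so a short pattern cannot over-match.
        if self.name_regex and not re.fullmatch(self.name_regex, event["name"]):
            return False
        if self.source_equals and event["source"] != self.source_equals:
            return False
        return True

    def resolve(self, event: dict) -> Optional[str]:
        # With a lookup table, the target is derived from the event source field.
        if self.lookup is not None:
            return self.lookup.get(event["source"])
        return self.target

def apply_rules(stage: list, rules: list):
    """One pass over staged events: returns (event_data, still_unassociated)."""
    event_data, unassociated = [], []
    for event in stage:
        for rule in rules:
            target = rule.resolve(event) if rule.matches(event) else None
            if target is not None:
                event_data.append({**event, "target": target, "rule": rule.name})
                break
        else:
            unassociated.append(event)  # no rule applied, or lookup had no entry
    return event_data, unassociated

# Constructed sample data (not taken from a real system)
STAGE = [
    {"name": "Patch window 12", "source": "srv-db-01"},
    {"name": "Unplanned outage", "source": "srv-web-07"},
    {"name": "Patch window 13", "source": "srv-unknown"},
]
RULES = [
    Rule("patch-by-source", name_regex=r"Patch window \d+",
         lookup={"srv-db-01": "Database system"}),
    Rule("outages", name_regex=r".*outage", target="Web domain"),
]
```

The third sample event matches the first rule's condition but has no lookup entry for its source, so it stays unassociated; in this model a rule that matches is not enough if the association target cannot be resolved.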

Figure: Event rule creation
