Adding event rules
By default, the health score for an impacted service is computed based on the events generated from all the CIs that are part of the service. However, as a service designer, you can define event rules to consider only specific events based on the impacted CIs, event severities, messages, objects, and object classes.
For example, you can define a rule to compute the service health score to include only events with Critical and Major severities, which will exclude any other type of severities, such as Minor or Warning. Currently, you can add a maximum of two rules for a service.
If you have added both health indicators and event rules for a service, events that are generated due to a threshold breach of these metrics and that match the criteria defined in the event rules are considered for computing the health score. For more information, see Service health score and health timeline.
To add an event rule
- Click Services and then click Create Service.
- Provide a service definition for a service.
For more information, see Defining-a-service. - Click Events and then click the service (for example, Billing & Payment) for which you want to add the event rule.
- In the Define Event Service processing pane, click Add Event Rule.
- Enter a rule name.
To be able to select events for health score computation, click Add Filter and select an attribute, operator, and value from the following available options:
Attribute
Operator
Value
Host
Equals
Enter a hostname (case-sensitive) for which you want to create this rule.
Matches
Enter a hostname in a regex expression format.
The events that match this hostname are displayed.
Note: Only asterisk *, period ., and | wildcard characters are supported.
Examples:
hostname.abc: Hostname contains hostname.abc
hostname.abc.*: Hostname starts with hostname.abc
.*hostname.abc: Hostname ends with hostname.abc
hostname.*com: Hostname starts with the term hostname and ends with com
server1|server2|server3: Hostname contains server1 or server2 or server3
prod|production: Hostname contains prod or production
Not matches
Enter a hostname in a regex expression format.
The events that don't match this hostname are displayed.
Note: Only asterisk *, period ., and | wildcard characters are supported.
Examples:
hostname.abc: The events that have hostname.abc are excluded from the events list.
hostname.abc.*: The events that have hostnames starting with hostname.abc are excluded from the events list.
.*hostname.abc: The events that have hostnames ending with hostname.abc are excluded from the events list.
hostname.*com: Events with hostnames starting with the term hostname and ending with com are excluded from the events list.
test|dev|stage: Events from hosts containing test, dev, or stage are excluded from the events list.
Message
Equals
Enter an event message (case-sensitive).
Matches
Specify a value in a regex expression format.
The events that match this message are displayed.
Note: Only asterisk *, period ., and pipe | wildcard characters are supported.
Examples:
alarm: Message contains alarm
alarm.*: Message starts with alarm
.*alarm: Message ends with the term alarm
alarm.*memory: Message starts with the term alarm and ends with memory
error|warning|critical: Message contains error OR warning OR critical
Not matches
Specify a value in a regex expression format.
The events that don't match this message are displayed.
Note: Only asterisk *, period ., and pipe | wildcard characters are supported.
Examples:
alarm: Message does not contain alarm
alarm.*: Message does not start with alarm
.*alarm: Message does not end with the term alarm
alarm.*memory: Message does not start with the term alarm and end with memory
info|debug|trace: Message does not contain info or debug or trace
Severity
Select a severity level.
Object
Equals
Specify the full name of the object.
Matches
Specify a value in the regex expression format.
The events that match the object name are displayed.
Note: Only asterisk *, period ., and pipe | wildcard characters are supported.
Examples:
confluence: Object contains the string confluence
server-01.*: Object name starts with server-01
database|db|postgres|mysql: Object contains database or db or postgres or mysql
Not matches
Specify a value in the regex expression format.
The events that don't match the object name are displayed.
Note: Only asterisk *, period ., and pipe | wildcard characters are supported.
Examples:
confluence: Object does not contain the string confluence
server-01.*: Object name does not start with server-01
test|temp|tmp: Object does not contain test or temp or tmp
Object class
Equals
Specify the full name of the object class.
Matches
Specify a value in the regex expression format.
The events that match the object class are displayed.
Note: Only asterisk *, period ., and pipe | wildcard characters are supported.
Examples:
NUK_Memory: Object contains NUK_Memory
NUK.*: Object name starts with NUK
CPU|Memory|Disk: Object class contains CPU or Memory or Disk
Not matches
Specify a value in the regex expression format.
The events that don't match the object class are displayed.
Note: Only asterisk *, period ., and pipe | wildcard characters are supported.
Examples:
NUK_Memory: Object does not contain NUK_Memory
NUK.*: Object name does not start with NUK
- Click Add.
- (Optional) To add more filters, click Add Filter.
You can add each attribute only once in a rule. For example, after you add Severity as a filter, you can only add Host and Message attributes in the rule.
In the following example, rules are specified to consider all critical events on all hosts that start with host-aus.
- Click Save and Close.
- To add another rule, click Add Event Rule.
You can only add up to two rules for a service. - Click Save and Close.
The count of event rules is shown as part of the Billing & Payment service.
To edit an event rule
- Click Services and then click a service name for which you want to edit event rules.
- From the action menu
, select Edit Service. - On the Edit Service page, click Events and select a service.
- In the Define Event Service processing pane, click the Action menu for an event rule, and select Edit.
Edit the rule as required.
- Click Save and Close.
To delete an event rule
If you delete event rules, all events impacting a service are considered for computing the health score.
- Click Services and then click a service name for which you want to delete the rule.
- From the action menu
, select Edit Service. - On the Edit Service page, click Events and then click a service that has rules.
The Define Event Service processing pane shows the rules defined for the service. - From the Action menu for the rule, click Delete.
- Click Save and Close.
Regex wildcard characters reference
The following wildcard characters are supported in event rule regex expressions:
| Wildcard character | Description | Example |
|---|---|---|
| * (Asterisk) | Matches zero or more of any character. | hostname.* matches hostnames starting with hostname |
| . (Period/Dot) | Matches exactly one of any character. | server.. matches server followed by any two characters |
| | (Pipe) | Logical OR - matches one of multiple alternative patterns. | error|warning|critical matches any of these three terms Example 1: Multiple environment matching Pattern: prod.*|production.*|prd.* Matches events from hosts like prod.server1, production.app, or prd.database Pattern: auth.*|payment.*|checkout.* Matches events from authentication, payment, and checkout services Pattern: critical|major|p1|sev1|urgent Matches events with any of these severity indicators Pattern: mysql.*|postgres.*|oracle.*|mongodb.*|redis.* Matches events from any of these database technologies Pattern: (prod.*|stage.*).*(error|critical|failure) Matches error, critical, or failure events from production or staging hosts |
Where to go from here
Based on what you want to configure for your services, perform the following optional tasks: