Event enrichment for adding context
After unwanted events are filtered out, a smaller set of relevant events is displayed on BMC Helix Operations Management. You can further enrich these events with meaningful information, which gives operators more accurate information about the problem and helps them address issues efficiently.
As an administrator, enrich your ingested events with additional context to make them more meaningful.
Event enrichment provides the following advantages:
- Provides additional or more accurate information about the problem. In some cases, raw events might not include all the information that an operator needs to investigate and resolve a problem while monitoring events. This context can help operators address issues faster and more efficiently.
- Normalizes events coming from different sources and in different formats. For example, one event stream might display location as part of the domain name and another event stream might display location as part of the message. When all events are formatted consistently, operators can process them more effectively (in terms of event enrichment, event suppression, and so on).
- Helps other administrators correlate events based on more refined criteria, resulting in situations that are easier to analyze and solve. It also helps fine-tune the out-of-the-box event clusters, resulting in more meaningful event patterns.
The following sections orient you with the event enrichment process, the various enrichment scenarios, and enrichment methods.
Event enrichment process
Use a basic enrichment policy to update specific event attributes and enrich events. You can also perform the following types of advanced processing:
- Advanced enrichment
- Time-based enrichment
- Dynamic enrichment
You can also enrich the host name of an event by configuring a refinement policy.
The following image illustrates the high-level process involved in advanced processing of events.
- A huge volume of raw events is ingested from various event sources. The circles represent events flowing from various IT assets.
  The incomplete circles represent events with inadequate information.
- Raw events are classified and formatted. Similar events are deduplicated by the product based on certain criteria. Additionally, events are suppressed if a suppression policy is configured.
- An incoming event arrives. The event selection criteria defined in the event policy act as an initial filter that determines the events that will be processed.
- The event passes through a complex set of actions (policy workflow) that enrich and update the event data with additional context.
  The workflow can enrich the event with static text, with external data, based on the result of complex conditions or mathematical functions, and based on other slot values in the same event.
  The solid circles represent the enriched events that are ready to be ingested.
- The enriched event is displayed on the Events page under Monitoring.
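The selection-then-enrichment flow above, together with the location normalization mentioned earlier, can be sketched outside the product as follows. This is an added illustration, not BMC code or a BMC API: the dictionary keys, the `site=` message format, the sample events, and the lookup table are all constructed assumptions.

```python
import re

# Constructed lookup table standing in for external data (site code -> location).
SITE_LOCATIONS = {"hou": "Houston", "pun": "Pune"}

# Constructed raw events: one source carries the site in the host's domain name,
# the other carries it in the message text.
RAW_EVENTS = [
    {"source": "agent", "host": "db01.hou.example.com", "severity": "MAJOR",
     "msg": "Database connection pool exhausted"},
    {"source": "syslog", "host": "db07", "severity": "MAJOR",
     "msg": "site=pun Database listener not responding"},
    {"source": "syslog", "host": "web02", "severity": "INFO",
     "msg": "site=hou Scheduled job finished"},
]

def selected(event):
    """Selection criteria: the initial filter that decides which events are processed."""
    return event["severity"] in {"MAJOR", "CRITICAL"} and "database" in event["msg"].lower()

def site_code(event):
    """Find the site code wherever this source put it: message first, then domain name."""
    in_msg = re.search(r"\bsite=([a-z]{3})\b", event["msg"])
    if in_msg:
        return in_msg.group(1)
    labels = event["host"].split(".")
    return labels[1] if len(labels) > 2 else None

def enrich(event):
    """Policy workflow: return a copy of the event with added context."""
    out = dict(event)
    # Enrich from external data; an unknown site is marked, never guessed.
    out["location"] = SITE_LOCATIONS.get(site_code(event), "UNKNOWN")
    # Normalize the message so both sources end up in the same format.
    out["msg"] = re.sub(r"\bsite=[a-z]{3}\s*", "", event["msg"])
    # Enrich with static text.
    out["category"] = "DATABASE"
    return out

def process(events):
    """Events that fail the selection criteria pass through unchanged."""
    return [enrich(e) if selected(e) else dict(e) for e in events]

if __name__ == "__main__":
    for e in process(RAW_EVENTS):
        print(e)
```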
Event enrichment methods
As an administrator, you can configure the following types of event policies for different types of enrichment:
- Refinement
- Basic enrichment
- Dynamic enrichment
- Advanced enrichment
- Time-based enrichment
Refinement
A refinement policy is similar to an advanced enrichment policy. You can perform conditional or dynamic data enrichment on event slots. Use a refinement policy to enrich the following slots:
- The source host name of an event
- The CDM class of an event
Use the cdmclass event slot to store various node kinds that are present in BMC Discovery. You can choose to associate an event with a specific node kind instead of all possible nodes.
To enrich the source host name
- In the BMC Helix Operations Management console, select Configuration > Event Policies.
- Click Create.
- Enter the policy name and the event selection criteria.
- Select the policy type as Refinement.
- Click the Enrich action.
- In the Enrichment settings:
  - Enter a label for the enrich action.
  - Select the slot as Host.
  - Specify the value of the host.
- Click Save and enter a policy summary.
- Enable the policy and click Save.
To enrich the CDM class
- In the BMC Helix Operations Management console, select Configuration > Event Policies.
- Click Create.
- Enter the policy name and the event selection criteria.
- Select the policy type as Refinement.
- Click the Enrich action.
- In the Enrichment settings:
  - Enter a label for the enrich action.
  - Select the slot as CDM Class.
  - Enter the slot value to match the node kind that is present in BMC Discovery.
    The node kind value in the enrichment settings is not case sensitive.
    To learn more about the node kind, refer to the GET /taxonomy/nodekinds?format=info endpoint on the Endpoints in the REST API page.
- Click Save and enter a policy summary.
- Enable the policy and click Save.
Example scenario
Sarah is an administrator at Apex Global. A database monitoring solution is running on a host (ServerA). The incoming event from ServerA reports a database problem on another host (ServerB). Based on her experience as an administrator, she wants to set the host value in the event to ServerB, the host on which the actual database problem is reported.
To achieve this goal, Sarah can now use the Event Policies page in the BMC Helix Operations Management console to create a refinement policy.
Basic enrichment
A basic enrichment policy is the simplest type of enrichment. Use this policy to perform simple, routine actions quickly. This policy type does not contain complex actions. You can use this policy to update particular event information coming from Enum slots (slots with a fixed set of values).
Example scenario
Sarah is an administrator at Apex Global. Her company wants to process basic event attributes with refined slot values to make events more meaningful.
To achieve this goal, Sarah can now use the Event Policies page in the BMC Helix Operations Management console to create a basic enrichment policy.
Advanced enrichment
You can use an advanced enrichment policy in the following scenarios:
- Performing complex event manipulation on a small subset of events.
- Building configurations for a combination of isolated use cases.
You can also use an advanced enrichment policy to enrich other event slots in addition to those that are configurable with basic enrichment. You can set up advanced actions for processing events.
You can use these actions to perform advanced event processing that includes the following:
- Using mathematical functions to arrive at the event slot value
- Adding a Lookup action to process existing events
- Adding advanced conditions for event processing or event triggering
Advanced enrichment provides you with a superset of tools that you can combine to build a policy workflow. Advanced enrichment policies process only incoming events and not existing events. However, advanced enrichment policies that have the Trigger-If action process existing events.
You can also look up node details, such as node IP address, source, location, and so on, from BMC Discovery by using the LookupNodeDetails function. Use these details to enrich event slots.
For more information about the LookupNodeDetails function, see Functions for advanced and time-based enrichment.
Example scenario
Sarah is an administrator at Apex Global. Her company wants to automatically assign open events related to database connection issues that arrive from a specific location to specific people. Additionally, her company wants to change the status of such events and raise the severity based on the event location.
To achieve this goal, Sarah can now use the Event Policies page in the BMC Helix Operations Management console to create an advanced enrichment policy.
Time-based enrichment
You can use a time-based enrichment policy to combine various actions to build a policy workflow. With this policy, events are enriched after the specified duration.
Example scenario
Sarah is an administrator at Apex Global. Her company wants to automatically raise the severity and change the owner of all the unassigned Major events after 6 hours have lapsed.
To achieve this goal, Sarah can now use the Event Policies page in the BMC Helix Operations Management console to create a time-based enrichment policy.
Dynamic enrichment
A dynamic enrichment policy is an extension of the advanced enrichment policy and contains a predefined and fixed set of actions that are run on incoming events. With this policy, you can import and use external data to enrich events based on complex If-Then scenarios.
An event is enriched with the best matching entity details from BMC Discovery based on the lookup event slots. This information associates nodes and their services to the event. For more information about lookup slots, see Slot facets. The best match is determined by the following process:
Example scenario
Sarah is an administrator at Apex Global. Her company wants to assign all open events to the appropriate owners based on the event severity and location.
To achieve this goal, Sarah can now use the Event Policies page in the BMC Helix Operations Management console to create a dynamic enrichment policy.
The following table provides a list of enrichment goals and the enrichment method that you can use to achieve them.
Enrichment goals | Enrichment method | Reference |
---|---|---|
Enrich the host of an event. | Refinement | |
Enrich particular attributes of an event (Enum slot types only); for example, the event severity, priority, category, message, and location. | Basic enrichment | |
| Dynamic enrichment | |
| Advanced enrichment | |
| Time-based enrichment |