Creating and enabling event policies

As an administrator, create and enable event policies to define the actions that the system takes after an event arrives. For events, you can create the following types of policies:

Related topic

Event-policy-types-and-evaluation-order

Managing event policies with REST APIs

To learn how to create some of these policies with examples, see the following topics:


To create an event policy

  1. Go to Configuration > Event Policies and click Create.
  2. Specify a unique name, optional description, and precedence number for the policy.

  3. Create the event selection criteria based on which the policy is applied to the events. 
    For more information about the event selection criteria, see Event-selection-criteria.

    Important

    • Values in the event selection criteria are case-sensitive. For example, Message Equals test and Message Equals TEST are considered as different values.
    • For event and blackout policies, we do not recommend using the less than (<), greater than (>), and the ampersand (&) characters in the selection criteria.

    • If you use special characters to specify slot values in the event selection criteria, make sure that you precede the special character with an escape character (\).

      For example, specify the value in the message slot as “Test\^Notification\^Policy" instead of “Test^Notification^Policy"

    • You can change the existing class in the event selection criteria to a new class without removing the existing policy configurations only if slots in the existing policy configurations are available in the new class.
  4. Select the time frame for which the policy should be active. You can create a new time frame or associate an existing time frame with an event policy. 
    The Always active option is the default option, which means that the policy is always active unless you select a time frame. See Setting-event-policy-schedules-by-using-time-frames.

  5. Select one or more of the following policy types and configure them:

    The [confluence_table-plus] macro is a standalone macro and it cannot be used inline.
    The configured policy types are displayed in the policy evaluation order irrespective of the order in which they were configured. To know more about the policy evaluation order, see Event-policy-types-and-evaluation-order.
    You can set up multiple configurations for certain policy types. Each configuration is displayed as a policy card as shown in the following image. Reorder the policy cards by dragging and dropping them to change the configuration execution order within a specific policy type. 
    Adv_enrichment_without_info_icon3.png

    Slots configured in the event policy settings

    • Some of the event policies allow you to define slots while configuring the policy settings. The list of these slots is restricted to the event class selected in the event selection criteria. If no class is selected in the event selection criteria, the base EVENT class slots are displayed for selection.  
    • If you specify multiple classes in the event selection criteria, refer to the following points:
      • The event slots present in all the classes in the event selection criteria are displayed for selection in the following sections:
        • Enrich and If action of an enrichment policy
          Enrich action: Event slots are displayed in Slot to enrich and on the Event Slot tab in the action value.
        • Slot placeholder fields of an enrichment, correlation, and notification policy
      • The event slots that are common to the multiple classes are suffixed with the name of the event class in the enrichment, correlation, and notification policy.
      • An event slot is not suffixed with the name of the event class if the slot is not present in all the classes that you specify in the event selection criteria.
  6. Use the icons to edit or delete the configured policy types.
  7. (Optional) Select Enable Policy.
    You can enable or disable the policy any time from the Event Policies page.
  8. Save the policy.


To search for an event policy

  1. Go to Configuration > Event Policies.
  2. In the Search field Policy search box.png, type the policy name to search for the policy.
    The search results are returned immediately.
    The Search field is not case-sensitive and returns results regardless of the character case that you use in the search query.


To export an event policy

  1. Go to Configuration > Event Policies.
  2. Perform one of the following actions:
    • Select a policy and click ExportExport_policy_icon.png .
    • From the  Actions menu of a policy, select Export .
      The Export policy JSON file page is displayed.

  3. Select an option to change the policy name.

    If you have customized the display name of custom classes and event slots of custom classes by using APIs on the tenant where you export the policy and the tenant where you import the policy, the internal name of event slots and classes is available in the exported policy. When you import a policy, the display name of custom event slots is available.The following options are available.

    • Yes, append the default suffix: '_Imported_<CurrentTimeStamp>' to the policy name
    • No, keep the current policy name
    • Yes, append a custom suffix to the policy name
      For this option, enter a value for the suffix to be added to the policy name.
  4. Click Export.

 For more information, see Migrating-event-policies-between-tenants .


To import an event policy

  1. Go to Configuration > Event Policies.
  2. Click Import Import icon.png.
  3. The Import policy JSON file page is displayed.
  4. Click Attach file and select a JSON file from your local directory.
  5. Click Import.  


To edit an event policy

  1. Go to Configuration > Event Policies.
  2. Perform one of the following actions:
    • Select a policy and click Edit.
    • From the  Actions menu action_menu.pngof a policy, select  Edit.
  3. Edit the policy and save the changes.


Important

While editing the Predefined Policy for Incident notification policy, ensure that you do not change the name of the policy.

The Predefined Policy for Incident notification policy is required if BMC Helix Operations Management is integrated with Proactive Service Resolution (PSR). For more information, see Integrating with BMC Helix ITSM.


To copy an event policy

  1. Go to Configuration > Event Policies.
  2. Click the Actions menu action_menu.pngof a policy and select  Copy.
    You can copy all event policies including dynamic enrichment policies.
    The Create Event Policy page is displayed with the configurations of the copied policy. 
  3. Modify the configurations according to your requirements to create a new policy quickly. 


To view the list of event policies

On the Configuration > Event Policies page, view the list of event policies.

By default, the policies are sorted by Name. To sort on a different column, click the column heading.

A maximum of 1000 policies are displayed on the Event Policies page.


To enable or disable an event policy

On the Configuration > Event Policies page, do one of the following actions:

  • Select the policy and click Enable or Disable.
  • From the  Actions  menu of a policy, select Enable or Disable.
  • Edit the policy and select or clear the Enable Policy checkbox.


To delete an event policy

On the Configuration > Event Policies page, do one of the following actions:

  • Select one or more policies, click Delete, and click Yes.
  • From the  Actions  menu of a policy, select Delete, and click Yes.


To audit user actions on an event policy

As a tenant administrator, use the BMC Helix Audit Dashboard in BMC Helix Dashboards to view the audit trail of activities that users perform on event policies. You can audit the following activities on an event policy:

  • Create an event policy
  • Update an event policy
  • Delete an event policy
  • Enable an event policy
  • Disable an event policy
Scenario

Apex Global uses BMC Helix Operations Management as their infrastructure monitoring tool. Event policies in BMC Helix Operations Management help manage customer events. The customer support team at Apex Global performs root cause analysis of critical customer escalations based on the events generated through event policies. For every customer escalation, they need to invest time and effort to investigate the changes made to event policies. They want to reduce this effort, so they approach Sarah, a system admin at Apex Global. 
Sarah views the audit trail of all activities performed by users on event policies by using the BMC Helix Audit Dashboard in BMC Helix Dashboards and communicates this information to the support team. Viewing the audit trail helps Sarah to track the history of changes made to the policies and achieve improved user accountability, compliance with organization policies, and system security.

For more information, see Auditing configuration changes in BMC Helix Dashboards.

The following image displays the audit trail of event policies in the BMC Helix Audit Dashboard. Note that the selected resource type is Event Policy. Click the link in the Operation column to view the values before and after you perform an activity on an event policy.

Audit trail for event policies label.png


To view the execution order of event policies

  1. Select Configuration > Event Policies and click Policy Execution Order Policy precedence view.png.
  2. Select one of the following options:
    For new events is selected by default.
    1. For new events
       This option displays the policy execution order for new or incoming events. For new events, you can view the policy execution order for the following phases:
      • Refinement
      • Basic Enrichment
      • Suppression
      • Time Based
      • Advanced Enrichment
      • Correlation
      • Notification
    2. For old events
       This option displays the policy execution order for old or existing events. For old events, you can view the policy execution order for the following phases:
      • Advanced Enrichment
        Only for advanced enrichment policies that have the Trigger-If action configured.
      • Notification
        • Notification (Email): Only if the status or severity slots are selected or both slots are selected in the policy.
        • Notification (Incident)

  3. In Event Policy Execution Order Preview, click the policy phase expander to view the execution order for an event policy and click the policy name expander to view the execution order of policy configurations in an event policy.

    Scenario

    Policy execution order rule

    Across policies

    Sorted and grouped by the event policy phases.

    Within a phase

    Sorted by the precedence. If the precedence is the same, then sorted by the event creation time in descending order. 

    Within a policy

    Sorted by the order of the policy configurations.

  4. (Optional) In the Search box, type a policy name to filter the policy preview.

The policy execution order is displayed only for policies that you have enabled. In the preview, event policies are sorted by the policy type first and then by the precedence.

Policy execution order for new events.png

Policy execution order for old events.png

Refer to the following example to understand the policy execution order for the list of policies:

Click here to expand...

Policy name

Configurations

Precedence

Policy execution order

Policy 1

Basic enrichment 1

999

  1. Policy 3.Basic enrichment 1
  2. Policy 4.Basic enrichment 1
  3. Policy 1.Basic enrichment 1
  4. Policy 2.Basic enrichment 1
  5. Policy 2.Basic enrichment 2
  6. Policy 3.Advanced enrichment 1
  7. Policy 2.Advanced enrichment 1
  8. Policy 4.Notification 1

Policy 2

  • Basic enrichment 1
  • Basic enrichment 2
  • Advanced enrichment 1

999

Policy 3

  • Basic enrichment 1
  • Advanced enrichment 1

100

Policy 4

  • Basic enrichment 1
  • Notification 1

101

If you create a policy by using APIs, make sure that you update the Event Policies page to view the updated policy execution order.


 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*