Default language.

Out-of-the-box event policies and templates

BMC Helix Operations Managementexecutes the following out-of-the-box policies for event processing:

  • AlarmEventCloseProcessing
  • AlarmEventProcessing
  • AnomalyEventCloseProcessing
  • AnomalyEventDuplicateProcessing
  • Close Old Catchpoint Events - BMC Helix Intelligent Integrations
  • Drop Duplicate Events - BMC Helix Intelligent Integrations
  • DynatraceEventsDuplicateProcessing
  • incidentinfoEventDuplicateProcessing
  • incidentinfoStatusUpdateProcessing
  • IncidentinfoToOrgIncIdUpdateProcessing
  • LogAlertDuplicateProcessing
  • PatrolEventsCloseProcessing
  • PatrolEventsDuplicateProcessing
  • Predefined Enrichment Policy for Incident
  • Predefined Notification Policy for Incident
  • PredictionEventClose
  • SelfMonitoringEventCloseProcessing
  • SelfMonitoringEventDuplicateProcessing
  • SituationEventDuplicateProcessing
  • Update AWS CloudWatch Events - BMC Helix Intelligent Integrations
  • Update Azure Events - BMC Helix Intelligent Integrations
  • Update IBM Netcool Events - BMC Helix Intelligent Integrations
  • Update Old Events - BMC Helix Intelligent Integrations

Related topic

Integrating-with-BMC-Helix-ITSM-by-using-the-Integration-Service

The incident policies are executed when BMC Helix Operations Management is integrated with BMC Helix Integration Service. The deduplication policies deduplicate events to filter out unwanted and unnecessary events. For certain event policy types, you can use out-of-the-box policy templates that you can edit and customize.

Predefined Enrichment Policy for Incident

This policy is used for looking up CI information in BMC CMDB. It enriches the following slots based on the event class type. These slots fetch the CI ID, which is required for incident creation in BMC Helix IT Service Management.

  • Component Alias
  • CDM Class
  • Instance Name
  • Model Name

Important

This policy is invisible and you cannot edit it.

Predefined Notification Policy for Incident

This policy is applied in the following scenarios:

  • If the policy is not configured in BMC Helix Operations Management, the policy is automatically created and enabled. This policy is configured with severity as CRITICAL.
  • If the policy is configured in the system, but is not enabled, the policy is automatically enabled.
  • If the policy is configured in the system and is enabled, the system uses this policy for PSR integration.
  • If multiple notification policies for the incident are configured and enabled, the system processes incidents only according to the Predefined Notification Policy for Incident.

Important

You can edit the Predefined Notification Policy for Incident and change the event selection criteria.

For more information about editing the notification policy, see Creating-and-enabling-event-policies.

Event deduplication policies

Based on the dedup slots for event classes, events are deduplicated by using the out-of-the-box deduplication policies listed in the following table. A deduplication policy performs a lookup on existing unclosed events, drops the new event, and updates the existing event with the information from the new event.

Important

  • When deduplication policies run, the slot values of the existing event are updated with slot values of the duplicate event.
  • Event notes are enriched using  only the BMC Helix Intelligent Integrations policies. 
  • For out-of-the-box deduplication policies, if the _repeat_count of an existing event exceeds the default event processing limit of 1000, the following points apply:
    • The incoming event is discarded.
    • No event processing is allowed except for event closure on the existing event.

Policy name

Event class

Dedup slot

Description

Existing event slots modified by the policy

AlarmEventProcessing    

ALARM

al_alarm_id

Deduplicates an event of the ALARM class when the severity changes for the same metric. This policy updates the existing event (event is looked up by using the al_alarm_id slot) with the slot values of the new event and increments the repeat count for the event.

This policy is invisible and you cannot edit it.

  • al_algorithm_name
  • al_baseline_hourly_high
  • al_baseline_hourly_low
  • al_baseline_type
  • al_end_time
  • al_extremeness
  • al_highest_severity
  • al_last_time
  • al_old_severity
  • al_parameter_name
  • al_parameter_value
  • al_predict_to_occur_time
  • al_suppress_type
  • al_thresh_duration
  • al_thresh_id
  • al_thresh_type
  • msg
  • priority
  • severity
  • _repeat_count (Value incremented by 1)
  • metric_name
  • metric_value

AlarmEventCloseProcessing

ALARM

al_alarm_id

Updates the status of the existing open event to Closed after a metric value returns to a normal state following a threshold breach and a Closed alarm event is received for the metric. The logs for event closure are logged on the Logs & Notes tab of an event.

The event is looked up by using either the al_alarm_id slot, or the al_parameter_name and object_id slots together.

This policy is invisible and you cannot edit it.

  • al_parameter_value
  • status
  • al_old_severity
  • metric_value
  • _operations

 

AnomalyEventDuplicateProcessing

ANOMALY

an_anomaly_id

Deduplicates an event of the ANOMALY class when the severity changes for the same metric. This policy updates the existing event (event is looked up by using the an_anomaly_id slot) with the slot values of the new event and increments the repeat count for the event.

This policy is invisible and you cannot edit it.

  • an_parameter_value
  • an_sustain_duration
  • an_sensitivity
  • an_score
  • an_attribution_score
  • an_pts_exceeded
  • an_pts_total
  • an_parameter_threshold
  • an_additional_values
  • an_standard_deviation
  • an_minmax_score
  • an_old_severity
  • an_highest_severity
  • msg
  • priority
  • severity
  • _repeat_count (Value incremented by 1)
  • metric_value 

AnomalyEventCloseProcessing

ANOMALY

an_anomaly_id

Updates the status of the existing open event to Closed after a metric value returns to a normal state following a threshold breach and a Closed anomaly event is received for the metric.

The logs for event closure are logged on the Logs & Notes tab of an event.

The event is looked up by using the an_anomaly_id slot.

This policy is invisible and you cannot edit it.

  • status
  • an_old_severity

SelfMonitoringEventDuplicateProcessing

HELIX_SM_EV

HELIX_SM_EV:HELIX_COMPONENT:source_identifier

Deduplicates the disconnect self-monitoring event of the HELIX_SM_EV class when an event for the same PATROL Agent is received. This policy updates the existing open disconnect event (event is looked up by using the source_identifier slot) and increments the repeat count for the event.

This policy is invisible and you cannot edit it.

  • _repeat_count (Value incremented by 1)
  • p_status

SelfMonitoringEventCloseProcessing

HELIX_SM_EV

HELIX_SM_EV:HELIX_COMPONENT:source_identifier

Deduplicates the connect or disconnect self-monitoring event of the HELIX_SM_EV class when an event for the same PATROL Agent is received . This policy closes the existing open event (event is looked up by using the source_identifier slot) and keeps the latest connect or disconnect event open.

The logs for event closure are logged on the Logs & Notes tab of an event.

This policy is invisible and you cannot edit it.

status = CLOSED

incidentinfoToOrgIncIdUpdateProcessing

INCIDENT_INFO

incident_relation_source

Enriches the incident ID in the existing event after receiving an INCIDENT_INFO event once an incident is created in BMC Helix IT Service Management. The existing event is looked up by using the incident_relation_source slot). This policy applies only if you have configured Proactive Service Resolution (PSR) integration.

This policy is invisible and you cannot edit it.

  • incident_id
  • _node_id
  •  _service_id
  • _node_service_mapping
  • _node_service_key_mapping

incidentinfoEventDuplicateProcessing

INCIDENT_INFO

_identifier

When an incident in BMC Helix IT Service Management is updated, a corresponding new INCIDENT_INFO event with the same event ID is created in BMC Helix Operations Management. This policy deduplicates the new event by updating the existing event (event is looked up by using the _identifier slot) and increasing the repeat count for the event. This policy applies only if you have configured Proactive Service Resolution (PSR) integration.

This policy is invisible and you cannot edit it.

  • _repeat_count (Value incremented by 1)
  • The incident_relation_source value of the duplicate event is updated in the event_ids value of the existing event.
  • msg
  • status
  • incident_id
  • details
  • ci_incident_type
  • component_id
  • manually_created_incident
  • policy_name
  • bOrphanedRoot
  • incident_relation_source
  • incident_assignee
  • incident_priority
  • incident_submitter
  • incident_company
  • incident_status
  • incident_assignee_group
  • Temp01
  • Temp02
  • Temp03
  • Temp04
  • Temp05
  • Temp06
  • Temp07
  • Temp08
  • Temp09
  • Temp10

incidentinfoStatusUpdateProcessing

INCIDENT_INFO

incident_relation_source

This policy applies to the existing event after receiving an event update for the INCIDENT_INFO class on incident cancellation in BMC Helix IT Service Management.

The policy is applied only if the incoming event class is INCIDENT_INFO and the incident_status is Cancelled.

The existing event is looked up based on the value of the incident_relation_source slot in the INCIDENT_INFO event.

The logs for the policy execution are logged on the Logs & Notes tab of an event.

NA

LogAlertDuplicateProcessing

LOGALERT_EV

LOGALERT_EV:alert_id

Deduplicates an event of the LOGALERT_EV class when a new LOGALERT_EV event for the same alert is received. This policy updates the existing event (event is looked up by using the alert_id slot) with the slot values of the new event and increments the repeat count for the event. This policy applies only if you have configured the Helix Log analytics application.

This policy is invisible and you cannot edit it.

  • alert_name
  • alert_starttime
  • alert_endtime
  • alert_query
  • msg
  • alert_launch_params
  • priority
  • severity
  • _repeat_count (Value incremented by 1)

DynatraceEventsDuplicateProcessing

DynatraceEvent

DynatraceEvent:_identifier

Deduplicates an event of the DynatraceEvent class when a new DynatraceEvent event with the same event identifier is received. This policy updates the existing event (event is looked up by using the _identifier slot) with the slot values of the new event and increments the repeat count for the event. This policy applies only if you have configured the Dynatrace connector from the Helix Intelligent Integrations application.

This policy is invisible and you cannot edit it.

  • _repeat_count (Value incremented by 1)
  • msg
  • status
  • priority
  • severity
  • affectedRequestsPerMinute
  • artifact
  • entityName
  • sourceEventId
  • sourceTags
  • eventType
  • impactLevel
  • percentile
  • referenceResponseTime50thPercentile
  • referenceResponseTime90thPercentile
  • service
  • severityLevel
  • source
  • annotationType
  • annotationDescription
  • correlationId
  • serviceMethodGroup
  • serviceMethod
  • syntheticErrorType
  • affectedSyntheticActions
  • affectedSyntheticLocations 

SituationEventDuplicateProcessing

Situation

_identifier

Deduplicates an event of the Situation class when a new event with the same event identifier is received. This policy updates the existing event (event is looked up by using the _identifier slot) with the slot values of the new event and increments the related event count. This policy is applicable only if you have enabled the AiOps situations feature in the Helix Service Monitoring application.

This policy is invisible and you cannot edit it.

  • msg
  • source_hostname
  • severity
  • priority
  • child_situations
  • parent_situation
  • _relationships.evcount 

PatrolEventsDuplicateProcessing

PATROL_EV

  • source_address
  • p_node
  • p_agent_port
  • p_application
  • p_instance
  • p_parameter
  • p_catalog

Deduplicates an event of the PATROL_EV class when a severity change event for the same metric is received from the PATROL Agent. This policy updates the existing event (event is looked up by using the dedup slots listed for the event class) with the slot values of the new event and increments the repeat count for the event.

p_class indicates when a dedup event is generated.

If the value of p_class equals 11, it indicates a threshold breach. For example, when the event severity is CRITICAL or MAJOR.

If the value of p_class equals 9, it indicates that the threshold has returned to the normal state. For example, when the event severity is OK.

The system only support p_class=11 for deduplication. Any other value for this attribute is not considered for deduplication.

This policy is invisible and you cannot edit it.

  • msg
  • severity
  • p_type
  • p_source_id
  • p_parameter_value
  • p_origin_key
  • p_class
  • p_args
  • p_stats
  • _repeat_count (Value incremented by 1) 

PatrolEventsCloseProcessing

PATROL_EV

  • source_address
  • p_node
  • p_agent_port
  • p_application
  • p_instance
  • p_parameter
  • p_catalog

Updates the status of an existing PATROL event from Open to Closed after an incoming PATROL event with the severity OK is received.

The logs for event closure are logged on the Logs & Notes tab of an event.

The event is looked up by using the dedup slots listed for the event class. The policy drops the new incoming event with the severity OK.

Example

If the value of dedup slots in the existing event match the value of dedup slots in the incoming event, then the final event status is as follows:

Existing event

Status

Severity

Final status of the event

E1

Open

Any severity

Closed

Incoming event

Status

Severity

Final status of the event

E2

Open

OK

Dropped or not ingested in the system

This policy is invisible and you cannot edit it.

status

PredictionEventClose

Prediction

pr_prediction_id

Closes the existing prediction event after the threshold violation ends and the prediction service generates a closed prediction event.

The logs for event closure are logged on the Logs & Notes tab of an event.

status

Update Old Events - BMC Helix Intelligent Integrations

This policy is created when you use BMC Helix Intelligent Integrations for the first time to fetch events from any third-party source supported by BMC Helix Intelligent Integrations.

IIMonitor
  • status
  • source_identifier
  • msg

Deduplicates an event of the IIMonitorEvent class when a new event with the same event identifier and message is received. This policy updates the existing event (event is looked up by using the multiple slot values) with the severity of the new event and increments the repeat count for the event. It also updates the old event with the notes containing the event ID of the dropped event.

This policy is visible and disabled by default. You can enable and edit it as required.

  • severity
  • _repeat_count (Value incremented by 1)

Update AWS CloudWatch Events - BMC Helix Intelligent Integrations

This policy is created when you use BMC Helix Intelligent Integrations for the first time to fetch events from AWS CloudWatch.

AWSCloudWatchAlarm
  • alarmArn
  • source_identifier 
  • status
  • metric_name

Deduplicates an event of the AWSCloudWatchAlarm class when a new event for the same metric and entity is received. This policy updates the existing event (event is looked up by using the multiple slot values) with the slot values of the new event. It also updates the old event with the notes containing the event ID of the dropped event.

This policy is visible and enabled by default. You can edit it as required.

  • alarmHistorySummary
  • metric
  • severity
  • source_category
  • source_subCategory
  • state_value
  • status
  • metric_value 

Update Azure Events - BMC Helix Intelligent Integrations

This policy is created when you use BMC Helix Intelligent Integrations for the first time to fetch events from Azure.

 

AzureAlarm
  • alarmArn
  • source_identifier 
  • status
  • metric_name

Deduplicates an event of the AzureAlarm class when a new event for the same metric and entity is received. This policy updates the existing event (event is looked up by using the multiple slot values) with the slot values of the new event. It also updates the old event with the notes containing the event ID of the dropped event.

This policy is visible and enabled by default. You can edit it as required.

 

  • alarmHistorySummary
  • metric
  • severity
  • source_category
  • source_subCategory
  • state_value
  • status
  • metric_value 

Update IBM Netcool Events - BMC Helix Intelligent Integrations

This policy is created when you use BMC Helix Intelligent Integrations for the first time to fetch events from IBM Netcool.

 

NetcoolEvent
  • manager
  • source_identifier
  • sourceAlertGroup
  • sourceAlertKey
  • status

Deduplicates an event of the NetcoolEvent class when a new event for the same metric and entity is received. This policy updates the existing event (event is looked up by using the multiple slot values) with the slot values of the new event. It also updates the old event with the notes containing the event ID of the dropped event.

This policy is visible and enabled by default. You can edit it as required.

 

  • msg
  • severity
  • status

 

Event suppression policy

In a suppression policy, the event selection criteria determines which events are selected for suppression. The selected events are permanently dropped. Dropped events are not ingested and therefore not available on the Events page. Event notes are not enriched using this policy.

Policy name

Event class

Dedup slot

Description

Existing event slots modified by the policy

Drop Duplicate Events - BMC Helix Intelligent Integrations

This policy is created when you use BMC Helix Intelligent Integrations for the first time to configure an integration with any third-party source.

IIMonitor
  • source_identifier
  • source_unique_event_id
  • creation_time

Drops the new event if the old event is of the same type as the new event, based on the multiple slot values.

This policy is visible and enabled by default. You can edit it as required.

None

 

Event closure policy

In the closure policy, the event selection criteria determines which events are selected for closure. The selected events are permanently closed. Closed events remain in the system, and therefore available on the Events page. Event notes are enriched using this policy.

Closure policy name

Event class

Slot

Description

Existing event slots modified by the policy

Close Old Catchpoint Events - BMC Helix Intelligent Integrations

This policy is created when you use BMC Helix Intelligent Integrations for the first time to configure an integration with Catchpoint.

CatchpointAlert

  • source_identifier
  • source_eventId
  • status

Creates a new event and closes the old event if an incoming event contains the results of same test on the same node as an existing event. 

This policy is visible and enabled by default. You can edit it as required.

None

Out-of-the-box policy templates

Out-of-the-box policy templates with predefined event selection criteria are available that help you to process events and set up routine event-management actions. 

You can edit and customize an out-of-the-box policy template as per your requirement. However, if you choose a different class name, the predefined advanced enrichment configurations are reset. 

By default, the policy templates are disabled. Enable the policies after you edit them as per your requirement.

The following table describes the out-of-the-box policy templates and their predefined criteria:

Out-of-the-box templates

Description

Template for Basic and Advanced Enrichment

  • Event selection criteria:
    • Class name: PATROL Event
    • Host: server1
  • Basic enrichment: This policy is applied to all open events with priority Highest and event category Problem Management
  • Advanced enrichment condition 1: Extracts the hostname and checks if it is a short hostname based on the dot position. The policy replaces the instance name with the short hostname. 
    For example, if the hostname is abc.bmc.com, the instance name will be set to abc.
  • Advanced enrichment condition 2: Based on the location, assign open events to specific people, and update the severity and status. For example, if the location is New York, assign the event to Mike, update the event status to Assigned and event severity to Major. If the location is Chicago, assign the event to Shiela, update the event status to Assigned and event severity to Critical.

Template for Closing Events and Dropping Duplicate Events

  • Event selection criteria:
    • Instance name: instance1
    • Message: ServerA
  • Advanced enrichment condition: When the event priority changes, close the event; Delete a new event if it is a duplicate of an existing event.

Template for Timeout Policy And Notification

  • Event selection criteria:
    • Class name: Event
    • Hostname: Server3
  • Advanced enrichment condition: If an event is open and unassigned for longer than 6 hours, update the event severity and assign it to a specific person, and send a notification to the specified email address. For example, if the event is open and unassigned for longer than 6 hours, update the event severity to Critical, assign the event to Admin, and send a notification email to abc@xyz.com.

Template for Event Suppression

  • Event selection criteria:
    • Class name: PATROL Event
    • Message: patrolevent
    • Hostname: server2
  • Basic enrichment: Drop new events matching the event selection criteria.

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*