
Creating and enabling event policies


As an administrator, create and enable event policies to define the actions that the system takes after an event arrives. For events, you can create the following types of policies:

To learn how to create some of these policies with examples, see the following topics:

To create an event policy

  1. Go to Configuration > Event Policies and click Create.
  2. Specify a unique name, optional description, and precedence number for the policy.
  3. Create the event selection criteria based on which the policy is applied to the events. 
    For more information about the event selection criteria, see Event selection criteria.

    Important

    • Values in the event selection criteria are case-sensitive. For example, Message Equals test and Message Equals TEST are considered as different values.
    • For event and blackout policies, we do not recommend using the less than (<), greater than (>), and the ampersand (&) characters in the selection criteria.
    • If you use special characters to specify slot values in the event selection criteria, make sure that you precede the special character with an escape character (\).

      For example, specify the value in the message slot as "Test\^Notification\^Policy" instead of "Test^Notification^Policy".

    • You can change the existing class in the event selection criteria to a new class without removing the existing policy configurations, only if slots in the existing policy configurations are available in the new class.
    • While creating an advanced or a dynamic enrichment policy, we recommend that you use slots of the same data type for comparison.
  4. Select the time frame for which the policy should be active. You can create a new time frame or associate an existing time frame with an event policy. 
    The Always active option is the default option, which means that the policy is always active unless you select a time frame. See Setting event policy schedules by using time frames.
  5. Select one or more of the following policy types and configure them:

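    | No. | Policy type         | Total configurations allowed |
    |-----|---------------------|------------------------------|
    | 1   | Refinement          | 1                            |
    | 2   | Deduplication       | Any number                   |
    | 3   | Basic Enrichment    | Any number                   |
    | 4   | Suppression         | 1                            |
    | 5   | Time Based          | 3                            |
    | 6   | Advanced Enrichment | Any number                   |
    | 7   | Correlation         | Any number                   |
    | 8   | Notification        | Any number                   |
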

    The configured policy types are displayed in the policy evaluation order irrespective of the order in which they were configured. To know more about the policy evaluation order, see Event policy types and evaluation order.
    You can set up multiple configurations for certain policy types. Each configuration is displayed as a policy card as shown in the following image. Reorder the policy cards by dragging and dropping them to change the configuration execution order within a specific policy type. 
    [Image: Adv_enrichment_without_info_icon3.png]

    Slots configured in the event policy settings

    • Some of the event policies allow you to define slots while configuring the policy settings. The list of these slots is restricted to the event class selected in the event selection criteria. If no class is selected in the event selection criteria, the base EVENT class slots are displayed for selection.  
    • If you specify multiple classes in the event selection criteria, refer to the following points:
      • The event slots present in all the classes in the event selection criteria are displayed for selection in the following sections:
        • Enrich and If action of an enrichment policy
          Enrich action: Event slots are displayed in Slot to enrich and on the Event Slot tab in the action value.
        • Slot placeholder fields of an enrichment, correlation, and notification policy
      • The event slots that are common to the multiple classes are suffixed with the name of the event class in the enrichment, correlation, and notification policy.
      • An event slot is not suffixed with the name of the event class if the slot is not present in all the classes that you specify in the event selection criteria.

    Event policy type

    Task

    Reference

    Refinement

    This policy type helps you enrich the host name of an event and is similar to an advanced enrichment policy. You can also enrich multiple host names by using a dynamic enrichment policy.

    Deduplication

    Eliminate duplicate events based on the event selection criteria.

    Event deduplication and suppression for filtering unwanted events

    Basic Enrichment

    Select the required settings and specify the values.

    This policy helps you process events with refined slot values to make the events more meaningful. 

    Suppression

    Automatically drop new events that are selected based on the event selection criteria. You do not require any configurations for this policy.

    Note: Applying this policy deletes all the matching events with missing dedup slot values. To avoid this scenario, ensure that all the events are updated with appropriate dedup values and then apply the suppression policy. You can update ingested events by running the events API endpoint. For more information, see Managing events with REST APIs.

    Advanced Enrichment and dynamic enrichment

    Do one of the following tasks:

    • Build an advanced enrichment policy workflow.
    • Import external data and update the match and enrich fields.

    An advanced enrichment policy helps you process events with refined slot values based on the defined policy workflow and make the events more meaningful. Dynamic event enrichment is an extension of advanced enrichment that allows you to enrich events with external data.

    Time Based

    Build a time-based enrichment policy workflow.

    This policy helps you process events with refined slot values after a scheduled duration of time and based on the defined policy workflow to make the events more meaningful. 

    Correlation

    Select the required settings and specify the values.

    This policy helps you correlate and combine multiple matching events into a single aggregated event. 

    Notification

    If the notification service is:

    • Email, the policy notifies users via email that an event has occurred, so that appropriate actions can be taken.
    • Incident, the policy is used for Proactive Service Resolution (PSR) integration.

    Select the required Email settings and specify the values. For some values, you might want to specify slots.

     

  6. Use the icons to edit or delete the configured policy types.
  7. (Optional) Select Enable Policy.
    You can enable or disable the policy any time from the Event Policies page.
  8. Save the policy.

To search for an event policy

  1. Go to Configuration > Event Policies.
  2. In the Search field, type the policy name to search for the policy.
    The search results are returned immediately.
    The Search field is not case-sensitive and returns results regardless of the character case that you use in the search query.

To export an event policy

  1. Go to Configuration > Event Policies.
  2. Perform one of the following actions:
    • Select a policy and click Export.
    • From the Actions menu of a policy, select Export.
      The Export policy JSON file page is displayed.
  3. Select an option to change the policy name.

    If you have customized the display name of custom classes and event slots of custom classes by using APIs on the tenant where you export the policy and the tenant where you import the policy, the internal name of event slots and classes is available in the exported policy. When you import a policy, the display name of custom event slots is available.

    The following options are available:

    • Yes, append the default suffix: '_Imported_<CurrentTimeStamp>' to the policy name
    • No, keep the current policy name
    • Yes, append a custom suffix to the policy name
      For this option, enter a value for the suffix to be added to the policy name.
  4. Click Export.

For more information, see Migrating event policies between tenants.

To import an event policy

  1. Go to Configuration > Event Policies.
  2. Click Import.
  3. The Import policy JSON file page is displayed.
  4. Click Attach file and select a JSON file from your local directory.
  5. Click Import.  

To edit an event policy

  1. Go to Configuration > Event Policies.
  2. Perform one of the following actions:
    • Select a policy and click Edit.
    • From the Actions menu of a policy, select Edit.
  3. Edit the policy and save the changes.

Important

While editing the Predefined Policy for Incident notification policy, ensure that you do not change the name of the policy.

The Predefined Policy for Incident notification policy is required if BMC Helix Operations Management is integrated with Proactive Service Resolution (PSR). For more information, see Integrating with BMC Helix ITSM.

To copy an event policy

  1. Go to Configuration > Event Policies.
  2. Click the Actions menu of a policy and select Copy.
    You can copy all event policies including dynamic enrichment policies.

    The Create Event Policy page is displayed with the configurations of the copied policy. 
  3. Modify the configurations according to your requirements to create a new policy quickly. 

To view the list of event policies

On the Configuration > Event Policies page, view the list of event policies.

By default, the policies are sorted by Name. To sort on a different column, click the column heading.

A maximum of 1000 policies are displayed on the Event Policies page.

To enable or disable an event policy

On the Configuration > Event Policies page, do one of the following actions:

  • Select the policy and click Enable or Disable.
  • From the Actions menu of a policy, select Enable or Disable.
  • Edit the policy and select or clear the Enable Policy checkbox.

To delete an event policy

On the Configuration > Event Policies page, do one of the following actions:

  • Select one or more policies, click Delete, and click Yes.
  • From the Actions menu of a policy, select Delete, and click Yes.

Important

Deleting a large number of policies is a maintenance activity and should be done in a controlled manner. Contact BMC Support if you want to delete a large number of policies at once.


To audit user actions on an event policy

As a tenant administrator, use the BMC Helix Audit Dashboard in BMC Helix Dashboards to view the audit trail of activities that users perform on event policies. You can audit the following activities on an event policy:

  • Create an event policy
  • Update an event policy
  • Delete an event policy
  • Enable an event policy
  • Disable an event policy
Scenario

Apex Global uses BMC Helix Operations Management as their infrastructure monitoring tool. Event policies in BMC Helix Operations Management help manage customer events. The customer support team at Apex Global performs root cause analysis of critical customer escalations based on the events generated through event policies. For every customer escalation, they need to invest time and effort to investigate the changes made to event policies. They want to reduce this effort, so they approach Sarah, a system admin at Apex Global. 
Sarah views the audit trail of all activities performed by users on event policies by using the BMC Helix Audit Dashboard in BMC Helix Dashboards and communicates this information to the support team. Viewing the audit trail helps Sarah to track the history of changes made to the policies and achieve improved user accountability, compliance with organization policies, and system security.

For more information, see Auditing configuration changes in BMC Helix Dashboards.

The following image displays the audit trail of event policies in the BMC Helix Audit Dashboard. Note that the selected resource type is Event Policy. Click the link in the Operation column to view the values before and after you perform an activity on an event policy.

[Image: Audit trail for event policies]

To view the execution order of event policies

  1. Select Configuration > Event Policies and click Policy Execution Order.
  2. Select one of the following options:
    For new events is selected by default.
    1. For new events
       This option displays the policy execution order for new or incoming events. For new events, you can view the policy execution order for the following phases:
      • Refinement
      • Basic Enrichment
      • Suppression
      • Time Based
      • Advanced Enrichment
      • Correlation
      • Notification
    2. For old events
       This option displays the policy execution order for old or existing events. For old events, you can view the policy execution order for the following phases:
      • Advanced Enrichment
        Only for advanced enrichment policies that have the Trigger-If action configured.
      • Notification
        • Notification (Email): Only if the status slot, the severity slot, or both slots are selected in the policy.
        • Notification (Incident)
  3. In Event Policy Execution Order Preview, click the policy phase expander to view the execution order for an event policy and click the policy name expander to view the execution order of policy configurations in an event policy.

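    | Scenario        | Policy execution order rule                                                                                  |
    |-----------------|--------------------------------------------------------------------------------------------------------------|
    | Across policies | Sorted and grouped by the event policy phases.                                                               |
    | Within a phase  | Sorted by the precedence. If the precedence is the same, then sorted by the event creation time in descending order. |
    | Within a policy | Sorted by the order of the policy configurations.                                                            |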

  4. (Optional) In the Search box, type a policy name to filter the policy preview.

The policy execution order is displayed only for policies that you have enabled. In the preview, event policies are sorted by the policy type first and then by the precedence.

[Image: Policy execution order for new events]

[Image: Policy execution order for old events]

Refer to the following example to understand the policy execution order for the list of policies:


| Policy name | Configurations                                                | Precedence |
|-------------|---------------------------------------------------------------|------------|
| Policy 1    | Basic enrichment 1                                            | 999        |
| Policy 2    | Basic enrichment 1, Basic enrichment 2, Advanced enrichment 1 | 999        |
| Policy 3    | Basic enrichment 1, Advanced enrichment 1                     | 100        |
| Policy 4    | Basic enrichment 1, Notification 1                            | 101        |

Policy execution order:

  1. Policy 3.Basic enrichment 1
  2. Policy 4.Basic enrichment 1
  3. Policy 1.Basic enrichment 1
  4. Policy 2.Basic enrichment 1
  5. Policy 2.Basic enrichment 2
  6. Policy 3.Advanced enrichment 1
  7. Policy 2.Advanced enrichment 1
  8. Policy 4.Notification 1
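
The ordering rule applied to the four policies in this example, as an added illustration that is not part of the BMC documentation or product code. The dictionary layout, the rule that a lower precedence number runs first (inferred from the example), and the creation dates are assumptions; the dates are constructed so that Policy 1 sorts ahead of Policy 2.

```python
from datetime import datetime, timezone

# Phase order as listed in the policy type table on this page.
PHASES = ["Refinement", "Deduplication", "Basic Enrichment", "Suppression",
          "Time Based", "Advanced Enrichment", "Correlation", "Notification"]


def execution_order(policies):
    """Return 'Policy.Configuration' labels in execution order.

    Rule from the page: group by phase; within a phase sort by precedence,
    breaking ties by creation time (descending); within a policy keep the
    configured order. Assumption: a lower precedence number runs first.
    """
    steps = []
    for policy in policies:
        if not policy.get("enabled", True):
            continue  # the preview lists enabled policies only
        for position, (phase, config) in enumerate(policy["configurations"]):
            steps.append((PHASES.index(phase), policy["precedence"],
                          -policy["created"].timestamp(),  # newer first
                          policy["name"], position,
                          f'{policy["name"]}.{config}'))
    return [label for *_, label in sorted(steps)]


def _day(n):
    # Constructed creation dates; the page does not give any.
    return datetime(2025, 1, n, tzinfo=timezone.utc)


BE, AE, NO = "Basic Enrichment", "Advanced Enrichment", "Notification"
SAMPLE_POLICIES = [  # hypothetical dict layout, values from the example table
    {"name": "Policy 1", "precedence": 999, "created": _day(2),
     "configurations": [(BE, "Basic enrichment 1")]},
    {"name": "Policy 2", "precedence": 999, "created": _day(1),
     "configurations": [(BE, "Basic enrichment 1"), (BE, "Basic enrichment 2"),
                        (AE, "Advanced enrichment 1")]},
    {"name": "Policy 3", "precedence": 100, "created": _day(3),
     "configurations": [(BE, "Basic enrichment 1"),
                        (AE, "Advanced enrichment 1")]},
    {"name": "Policy 4", "precedence": 101, "created": _day(4),
     "configurations": [(BE, "Basic enrichment 1"), (NO, "Notification 1")]},
]

if __name__ == "__main__":
    for n, step in enumerate(execution_order(SAMPLE_POLICIES), start=1):
        print(f"{n}. {step}")
```
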

If you create a policy by using APIs, make sure that you update the Event Policies page to view the updated policy execution order.


BMC Helix Operations Management 25.4