

Event Policies with a Normalization Action

You can create and deploy an event policy that manually normalizes raw events with custom mappings from raw event properties to USM alert properties. Normalizing raw events is useful when the default policy for a connector is only generic in nature: the default policy does not perform a mapping that is specific enough to manage the incoming events effectively as alerts. The following connectors are examples of connectors that have a generic policy:

You can also deploy a normalization action on event sources that have detailed connector policy to refine how required event properties are normalized. The mappings in the event policy overwrite any default mappings in the default policy file. If you want to add information to optional properties or the user attribute properties, use an enrichment action instead, unless that information exists in raw event properties.
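The override behaviour described above (policy mappings replace the connector's default mappings for required properties, while an enrichment action only fills optional or user-attribute properties that the raw event does not already carry) is modelled below as an added example. This is illustrative Python written for this page, not USM code and not the USM policy file format; the property names, the default policy, the raw event and the mapping syntax are all constructed assumptions.

```python
"""Model of an event-policy normalization action and an enrichment action.

Added example: not USM code and not the USM policy file format. All property
names, mappings and the sample raw event below are constructed for illustration.
"""
from typing import Dict, Mapping, Optional

# Hypothetical default connector policy: a generic mapping from alert property
# to the raw event key that supplies it (assumption, not a real USM policy).
DEFAULT_POLICY: Dict[str, str] = {
    "summary": "msg",
    "severity": "sev",
    "source": "origin_host",
}

# Alert properties that every normalized alert must carry (assumption).
REQUIRED_PROPERTIES = ("summary", "severity", "source")

# Constructed raw event as a generic connector might deliver it. Note that it
# carries a more specific device name and priority than the default policy uses.
SAMPLE_RAW_EVENT: Dict[str, str] = {
    "msg": "Interface down",
    "sev": "3",
    "origin_host": "10.0.0.5",
    "device_name": "core-router-01",
    "priority": "critical",
}


def normalize(raw_event: Mapping[str, str],
              default_policy: Mapping[str, str],
              normalization_action: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Build alert properties from a raw event.

    The default policy is applied first; mappings from the normalization action
    overwrite any default mapping for the same alert property. A mapping that
    points at a raw key the event does not contain produces nothing, so a
    missing required property is reported instead of silently dropped.
    """
    mapping = dict(default_policy)
    if normalization_action:
        mapping.update(normalization_action)  # event-policy mappings win over defaults

    alert: Dict[str, str] = {}
    for alert_property, raw_key in mapping.items():
        if raw_key in raw_event:
            alert[alert_property] = raw_event[raw_key]

    missing = [p for p in REQUIRED_PROPERTIES if p not in alert]
    if missing:
        raise ValueError(f"required alert properties not mapped: {missing}")
    return alert


def enrich(alert: Mapping[str, str], enrichment: Mapping[str, str]) -> Dict[str, str]:
    """Enrichment action: add optional / user-attribute values that did not
    come from the raw event. Existing (normalized) values are never overwritten."""
    enriched = dict(alert)
    for prop, value in enrichment.items():
        enriched.setdefault(prop, value)
    return enriched


def demo() -> Dict[str, Dict[str, str]]:
    """Run the default policy, then the same event with a normalization action,
    then an enrichment step, and return all three results for inspection."""
    generic = normalize(SAMPLE_RAW_EVENT, DEFAULT_POLICY)

    # Hypothetical normalization action: take severity from 'priority' and the
    # alert source from 'device_name' instead of the generic defaults.
    action = {"severity": "priority", "source": "device_name"}
    specific = normalize(SAMPLE_RAW_EVENT, DEFAULT_POLICY, action)

    # Hypothetical enrichment: user attribute not present in the raw event.
    enriched = enrich(specific, {"user_attribute_1": "Network Operations"})
    return {"generic": generic, "specific": specific, "enriched": enriched}


if __name__ == "__main__":
    for name, alert in demo().items():
        print(name, alert)
```

Running the block shows the generic policy producing an alert sourced from the raw IP address, the normalization action replacing it with the device name and the severity with the priority value, and the enrichment step adding the user attribute without touching either normalized property.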

The following situations are common normalization action use cases:

Normalization actions require an available raw event search. Deploy a normalization action on only one source connector (which cannot be the Mid-tier connector).