Event and Alert Management Deployment Scenarios › Event Management Scenarios › Event Management Example 4: Combine a Create Event Action with an Enrichment Using Reevaluation

Event Management Example 4: Combine a Create Event Action with an Enrichment Using Reevaluation

This scenario illustrates how you can reevaluate an event on which an action has already occurred when multiple actions are required to optimize the resultant alert. The Reevaluate option on the Create Event Policy dialog lets you send an event that has been created or enriched by an event policy back through the policy engine for evaluation by other event policies.

This scenario assumes that you have connectors monitoring vital ComputerSystem CIs, and that the default alerts that are generated are not of the quality required for a prompt diagnosis and resolution. The scenario does the following:

• Detects when a pattern of events occurs that indicates a ComputerSystem CI is down
• Creates a new event that increases the severity and modifies the event summary to indicate the problem
• Discards the original events
• Reevaluates the created event and enriches it with contact information for the problematic CI from a database table

Follow these steps:

1. Enter the following in the Event Pattern fields in the Event Search tab:

   AlertedMdrElementID=? and Summary='Management agent lost contact'
   

   AlertedMdrElementID=? and Summary='Device response exceeds threshold'
   

   This search criteria returns events from the same connector and CI, where the first event summary is 'Management agent lost contact', and the second event summary is 'Device response exceeds threshold'.

2. Select ALL events occur within 30 seconds in the Additional Criterion pane.

   This selection specifies that the events must occur within 30 seconds of each other. When occurring together, these events are strong indications that the associated CI is down.

3. Click Search.

   The search results appear.

4. Click Create Policy.

   The Create Event Policy wizard opens and displays the New Policy page.

5. Enter CreateEventDeviceUnresponsive in the Policy Name field, select Create New Event, and click Next.

   The Create New Event page opens.

6. Select the Reevaluate check box.

   This selection specifies to reevaluate the created event against other event policies.

7. Edit the properties of the new event as follows and click Next:
   • Set the Severity to Fatal.
   • Set the Summary to DEVICE UNRESPONSIVE.
   • Set the Message to 'Device fn:Parse(${pattern1.AlertedMdrElementID}) is unresponsive'.

     Note: This value uses the Parse function to include the name of the CI in the message using the AlertedMdrElementID value returned by the first event pattern. For example, if the AlertedMdrElementID value in the first event is Server5, the output value of the Message property would be 'Device Server5 is unresponsive'.

   • Set the mdrElementID to fx:uniqueidentifier().
   • Retain the defaults for other properties, which inherit the properties of the event from the first pattern.

   This change increases the severity to fatal and changes the summary and message to a more specific indication of the problem.

   The Select Data Sources page opens.

8. Select Save and Deploy policy, move the Mid-tier connector to the Selected Data Sources pane, and click Next.

   The Confirm page opens.

9. Confirm the policy information and click Finish.

   The policy is deployed.

10. Select the deployed policy in the Events tab, and click Edit Policy.

    The Create Event Policy wizard opens and displays the New Policy page.

11. Enter FilterOriginalEvents in the Policy Name field, select Filter Events and then Exclude, and click Next.

    The Select Data Sources page opens.

12. Select Save and Deploy policy, retain the Mid-tier connector in the Selected Data Sources pane, and click Finish.

    The filter event policy is deployed. This policy discards the original event pattern, so that only the created event becomes an alert in the Operations Console.

13. Return to the main Event Policy dialog, and enter the following search pattern in the Event Pattern 1 field:

    Summary='DEVICE UNRESPONSIVE'
    

    This search pattern returns the event created by the create event policy, on which you enabled reevaluation.

14. Click Create Policy.

    The Create Event Policy wizard opens and displays the New Policy page.

15. Enter EnrichEventDeviceUnresponsive in the Policy Name field, select Enrich Event, and click Next.

    The Enrichment Configuration page opens.

16. Select JDBC in the Type drop-down list, enter connection settings for the database in the fields, and click Next. This example assumes the following:
    • The database with the information required for the enrichment is a Microsoft SQL Server database, and the connection information follows the conventions described in JDBC Connection Examples and accessible from the MS SQL entry in the Templates drop-down list.
    • The database server name is dbserver1.
    • The database name is Contacts.
    • The database table with the required contact information is ContactTable.

    The Enrichment Policy page opens.

17. Do the following in the Parameter Configuration table:
    • Use the right-click menu to add DeviceName in the first cell of the Input Parameter column.
    • Use the right-click menu to add ${pattern1.AlertedMdrElementID} in the corresponding cell in the Assigned Value column.

    This configuration queries the ContactTable table from the Contacts database for instances where the AlertedMdrElementID property in the created event matches the DeviceName database column value, which matches the created event to its associated CI in the database. If a match is not found, the enrichment does not occur.

18. Do the following in the Enrichment Property Assignment table and click Next:
    • Use the right-click menu to add ${ContactEmail} in the Assigned Value cell corresponding to the User Attribute 1 property.
    • Use the right-click menu to add ${ContactName} in the Assigned Value cell corresponding to the User Attribute 2 property.

    This configuration enriches the User Attribute 1 and 2 properties of the created event with the values of the ContactEmail and ContactName database columns when the event's device name is matched in the database.

    Note: You can change the name of the User Attribute properties if you want them to accurately represent the enrichment properties. However, these properties appear under their original names in the Event Policy dialog, even if you renamed them. Assigning values to these original names properly displays the values under the renamed properties in the Operations Console.

    The Select Data Sources page opens.

19. Select Save and Deploy policy, move the Mid-tier connector to the Selected Data Sources pane, and click Next.

    Note: You must use the Mid-tier connector for this scenario, because CA Catalyst connectors do not support database enrichments.

    The Confirm page opens.

20. Confirm the policy information and click Finish.

    The enrichment policy is deployed. This policy enriches the event created by the create event policy with contact information for the CI from a Contact database. When the event displays as an alert in the Operations Console, it contains an elevated severity, a more accurate description of the CI condition, and contact information in the User Attribute 1 and 2 properties for prompt assignment and resolution.

    You could use alert management functionality to further facilitate resolution of this high quality alert as follows:

    • Create an escalation policy based on the alert message that generates a help desk ticket or sends an email. For either action, you could use the enriched contact information to help ensure that the help desk ticket or email reaches the appropriate technician.
    • Create an alert queue that uses the modified or enriched property values to include the alert in its appropriate group, such as a queue for fatal alerts, a queue for a specific data source or service that manages the CI, or a queue for the assigned technician.