Normalized Mapping Rules
To help you map event data from incoming data sources review the following event schemas and samples.
- Kafka integration normalized event schema
- PagerDuty normalized mapping rules
- IBM Netcool Operations Insight normalized mapping rules
Kafka integration normalized event schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"title": "Kafka Integration normalized event schema",
"description": "Normalized event for None mapping use case",
"type": "object",
"properties": {
"sender": {
"description": "Identifies the resource which sent this event. This may be the resource that is the subject of the event, or it may be some external system which is monitoring the subject.",
"type": "object",
"properties": {
"service": {
"description": "The identifier of the service",
"type": "string"
},
"name": {
"description": "The descriptive name of the service",
"type": "string"
},
"type": {
"description": "Data source name. For examples, PagerDuty, Netcool/OMNIbus",
"type": "string"
}
},
"required": [
"service",
"name",
"type"
]
},
"resource": {
"description": "Identifies the resource that is the subject of this event. This is made up of multiple fields that describe the resource. There are a set of standard fields which should be used where applicable, but additional fields may be set.",
"type": "object",
"properties": {
"name": {
"description": "The name of the resource. For example, myhost.example.com",
"type": "string"
},
"hostname": {
"description": "The hostname of the resource.",
"type": "string"
},
"type": {
"description": "The type of resource. For example, host",
"type": "string"
},
"ipaddress": {
"description": "The IP address of the resource.",
"type": "string"
},
"location": {
"description": "The location of the resource. For example, Dallas 10",
"type": "string"
}
},
"required": [
"name",
"hostname",
"type",
"ipaddress",
"location"
]
},
"type": {
"description": "Indicates whether the source alert is a problem or a resolution along with its classification.",
"type": "object",
"properties": {
"classification": {
"description": "Description of the type of the event. E.g. Utilization, System status, Threshold breach",
"type": "string"
},
"eventType": {
"description": "String description of whether the event is 'problem' or 'resolution'. Note: Only these two values are permitted.",
"type": "string"
}
},
"required": [
"classification",
"eventType"
]
},
"severity": {
"description": "Indicates the event severity level, which indicates how the perceived capability of the managed object has been affected.",
"type": "integer",
"minimum": 0,
"maximum": 6
},
"summary": {
"description": "A human-readable description of the event.",
"type": "string"
},
"occurrenceTime": {
"description": "The time at which this event occurred. (ISO format: yyyy-mm-ddThh:mm:ss.SSSZ)",
"type": "string",
"pattern": "\\d{4}-[01]\\d-[0-3]\\dT[0-2]\\d:[0-5]\\d:[0-5]\\d(?:\\.\\d+)Z"
},
"expirySeconds": {
"description": "The number of seconds before the event should automatically expire. A value of zero indicates that there is no expiration.",
"type": "integer",
"minimum": 0
}
},
"required": [
"sender",
"resource",
"type",
"severity",
"summary",
"occurrenceTime",
"expirySeconds"
]
}
}
Normalized PagerDuty events sample
{
"sender":{
"service": "PEPF123",
"name": "WAS_Sysdig",
"type": "PagerDuty"
},
"resource":{
"name":"Hostdown",
"hostname":"alerts.sample.com",
"type":"host",
"ipaddress":"10.123.123.123",
"location":"sample.mail.ibm.com"
},
"type":{
"classification":"Pods ready less than desired is Triggered on kubernetes.cluster.name = RHOpenShift and kubernetes.daemonSet.name = sysdig-agent",
"eventType":"problem"
},
"severity":5,
"summary":"Pods ready less than desired is Triggered on kubernetes.cluster.name = RHOpenShift and kubernetes.daemonSet.name = sysdig-agent",
"occurrenceTime":"2021-10-07T07:55:46.000Z",
"expirySeconds":0
}
Normalized IBM Netcool Operations Insight events sample
{
"sender":{
"service":"CEA SelfMonitoring",
"name":"CEA SelfMonitoring @AGG_P",
"type":"Netcool/OMNIbus"
},
"resource":{
"name":"AGG_P",
"hostname":"samplehost.ibm.com",
"type":"host",
"ipaddress":"10.1.96.24",
"location":"Tokyo"
},
"type":{
"classification":":++:CEASelfMonitoring",
"eventType":"problem"
},
"severity":4,
"summary":"CEAAnalytics SelfMonitoring Alert",
"occurrenceTime":"2021-10-05T14:50:38.000Z",
"expirySeconds":0
}
PagerDuty normalized mapping rules
Note: Rules take precedence, that is the mapped value is taken from the highest rules that fulfils the condition.
| Resultant Normalized Alert | Mapping rules | ||
|---|---|---|---|
{ |
|||
"sender": { |
|||
"service": "P3ZB24W", |
{{**service.id**}} |
||
"name": "PagerDuty - [SI] Beta - Website - Degraded", |
"PagerDuty -" + {{**service.summary**}} |
||
"type": "PagerDuty" |
"PagerDuty" |
||
}, |
|||
"resource": { |
|||
"name": "Beta URL Down", |
Rule 1: {{**body.cef_details.source_component**}} |
||
Rule 2: {{**incident.summary**}} |
|||
"hostname": "alerts.newrelic.com", |
Rule 1: hostname of {{**body.cef_details.details.incident_url**}} |
||
Rule 2: hostname of {{**incident.self**}} |
|||
"type": "host", |
Rule 1: "host" if the "**hostname**" field (see above) is hostname. |
||
Rule 2: "ip" if the "**hostname**" field (see above) is IPv4. |
|||
Rule 3: Otherwise, empty. |
|||
"ipaddress": "", |
Rule 1: Same value as the "**hostname**" field if the value is IPv4 |
||
Rule 2: Otherwise, empty. |
|||
"location": "Beta URL GUI" |
Rule 1: {{**body.cef_details.source_origin**}} |
||
Rule 2: {{**incident.summary**}} |
|||
}, |
|||
"type": { |
|||
"classification": "Beta URL Down (Beta URL GUI violated Beta URL Down)", |
{{**summary**}} |
||
"eventType": "resolution" |
Rule 1: "resolved" if {{**status**}} = "resolved" |
||
Rule 2: Otherwise "problem". |
|||
}, |
|||
"severity": 5, |
{{**severity**}} -> IBM Cloud Pak for AIOps severity level info -> 1 |
||
low -> 2 |
|||
warning -> 3 |
|||
error -> 4 |
|||
critical -> 5 |
|||
Otherwise, 1 |
|||
"summary": "Beta URL Down (Beta URL GUI violated Beta URL Down)", |
{{**summary**}} |
||
"occurrenceTime": "2021-07-11T03:39:53.000Z", |
{{**created_at**}} converted to yyyy-mm-ddT:hh:mm:ss.000Z |
||
"expirySeconds": 0 |
0 |
||
} |
Sample PagerDuty event used in the mapping
{
"id": "Q2BSJKUORBWAWT",
"type": "alert",
"summary": "Beta URL Down (Beta URL GUI violated Beta URL Down)",
"self": "https://api.pagerduty.com/alerts/Q2BSJKUORBWAWT",
"html_url": "https://ibm-sandbox.pagerduty.com/alerts/Q2BSJKUORBWAWT",
"created_at": "2021-07-10T20:39:53-07:00",
"status": "resolved",
"resolved_at": "2021-07-10T21:41:18-07:00",
"alert_key": "799c00fbcf461bf553f9b4f30bcc1d9908db947c",
"suppressed": false,
"service": {
"id": "P3ZB24W",
"type": "service_reference",
"summary": "[SI] Beta - Website - Degraded",
"self": "https://api.pagerduty.com/services/P3ZB24W",
"html_url": "https://ibm-sandbox.pagerduty.com/service-directory/P3ZB24W"
},
"severity": "critical",
"incident": {
"id": "P3HUMBH",
"type": "incident_reference",
"summary": "[#42113] Beta URL Down (Beta URL GUI violated Beta URL Down)",
"self": "https://api.pagerduty.com/incidents/P3HUMBH",
"html_url": "https://ibm-sandbox.pagerduty.com/incidents/P3HUMBH"
},
"first_trigger_log_entry": {
"id": "R4Z5TVA4KYEVQL6DIFD9SHYPOY",
"type": "trigger_log_entry_reference",
"summary": "Triggered through the API",
"self": "https://api.pagerduty.com/log_entries/R4Z5TVA4KYEVQL6DIFD9SHYPOY",
"html_url": "https://ibm-sandbox.pagerduty.com/alerts/Q2BSJKUORBWAWT/log_entries/R4Z5TVA4KYEVQL6DIFD9SHYPOY"
},
"body": {
"contexts": [],
"details": {
"VIOLATION DESCRIPTION": null,
"account_id": 2848358,
"account_name": "Storage Insights",
"closed_violations_count": {
"critical": 0,
"warning": 0
},
"condition_family_id": 15905725,
"condition_id": 114530789,
"condition_name": "Beta URL Down",
"current_state": "open",
"details": "2 or more locations failed on 'Beta URL GUI'",
"duration": 65,
"event_type": "INCIDENT",
"incident_acknowledge_url": "https://alerts.newrelic.com/accounts/2848358/incidents/313256636/acknowledge",
"incident_id": 313256636,
"incident_url": "https://alerts.newrelic.com/accounts/2848358/incidents/313256636",
"metadata": {
"entity.name": "Beta URL GUI",
"entity.type": "MONITOR",
"location_statuses": [
{
"location": "AWS_EU_CENTRAL_1",
"locationLabel": "Frankfurt, DE",
"result": "FAILED",
"timestamp": 1625974724220
},
{
"location": "AWS_US_WEST_1",
"locationLabel": "San Francisco, CA, USA",
"result": "FAILED",
"timestamp": 1625974281070
},
{
"location": "AWS_SA_EAST_1",
"locationLabel": "São Paulo, BR",
"result": "FAILED",
"timestamp": 1625974154020
},
{
"location": "AWS_AP_SOUTH_1",
"locationLabel": "Mumbai, IN",
"result": "FAILED",
"timestamp": 1625974214555
}
]
},
"open_violations_count": {
"critical": 1,
"warning": 0
},
"owner": "",
"policy_name": "Beta URL Down",
"policy_url": "https://alerts.newrelic.com/accounts/2848358/policies/1029635",
"severity": "CRITICAL",
"targets": [
{
"id": "03e19e74-cf92-4ea5-a0db-2e6d968fc9f9",
"labels": {
"account": "Storage Insights",
"accountId": "2848358",
"guid": "Mjg0ODM1OHxTWU5USHxNT05JVE9SfDAzZTE5ZTc0LWNmOTItNGVhNS1hMGRiLTJlNmQ5NjhmYzlmOQ",
"monitorStatus": "Enabled",
"monitorType": "Simple Browser",
"period": "10",
"publicLocation": "São Paulo, BR",
"trustedAccountId": "1592783"
},
"link": "https://synthetics.newrelic.com/accounts/2848358/monitors/03e19e74-cf92-4ea5-a0db-2e6d968fc9f9",
"name": "Beta URL GUI",
"product": "SYNTHETICS",
"type": "Monitor"
}
],
"timestamp": 1625974792836,
"timestamp_utc_string": "2021-07-11, 03:39 UTC",
"version": "1.0",
"violation_callback_url": "https://synthetics.newrelic.com/accounts/2848358/monitors/03e19e74-cf92-4ea5-a0db-2e6d968fc9f9"
},
"cef_details": {
"client": "New Relic",
"client_url": "https://alerts.newrelic.com/accounts/2848358/incidents/313256636",
"creation_time": "2021-07-11T03:39:53.673Z",
"dedup_key": "799c00fbcf461bf553f9b4f30bcc1d9908db947c",
"description": "Beta URL Down (Beta URL GUI violated Beta URL Down)",
"details": {
"VIOLATION DESCRIPTION": null,
"account_id": 2848358,
"account_name": "Storage Insights",
"closed_violations_count": {
"critical": 0,
"warning": 0
},
"condition_family_id": 15905725,
"condition_id": 114530789,
"condition_name": "Beta URL Down",
"current_state": "open",
"details": "2 or more locations failed on 'Beta URL GUI'",
"duration": 65,
"event_type": "INCIDENT",
"incident_acknowledge_url": "https://alerts.newrelic.com/accounts/2848358/incidents/313256636/acknowledge",
"incident_id": 313256636,
"incident_url": "https://alerts.newrelic.com/accounts/2848358/incidents/313256636",
"metadata": {
"entity.name": "Beta URL GUI",
"entity.type": "MONITOR",
"location_statuses": [
{
"location": "AWS_EU_CENTRAL_1",
"locationLabel": "Frankfurt, DE",
"result": "FAILED",
"timestamp": 1625974724220
},
{
"location": "AWS_US_WEST_1",
"locationLabel": "San Francisco, CA, USA",
"result": "FAILED",
"timestamp": 1625974281070
},
{
"location": "AWS_SA_EAST_1",
"locationLabel": "São Paulo, BR",
"result": "FAILED",
"timestamp": 1625974154020
},
{
"location": "AWS_AP_SOUTH_1",
"locationLabel": "Mumbai, IN",
"result": "FAILED",
"timestamp": 1625974214555
}
]
},
"open_violations_count": {
"critical": 1,
"warning": 0
},
"owner": "",
"policy_name": "Beta URL Down",
"policy_url": "https://alerts.newrelic.com/accounts/2848358/policies/1029635",
"severity": "CRITICAL",
"targets": [
{
"id": "03e19e74-cf92-4ea5-a0db-2e6d968fc9f9",
"labels": {
"account": "Storage Insights",
"accountId": "2848358",
"guid": "Mjg0ODM1OHxTWU5USHxNT05JVE9SfDAzZTE5ZTc0LWNmOTItNGVhNS1hMGRiLTJlNmQ5NjhmYzlmOQ",
"monitorStatus": "Enabled",
"monitorType": "Simple Browser",
"period": "10",
"publicLocation": "São Paulo, BR",
"trustedAccountId": "1592783"
},
"link": "https://synthetics.newrelic.com/accounts/2848358/monitors/03e19e74-cf92-4ea5-a0db-2e6d968fc9f9",
"name": "Beta URL GUI",
"product": "SYNTHETICS",
"type": "Monitor"
}
],
"timestamp": 1625974792836,
"timestamp_utc_string": "2021-07-11, 03:39 UTC",
"version": "1.0",
"violation_callback_url": "https://synthetics.newrelic.com/accounts/2848358/monitors/03e19e74-cf92-4ea5-a0db-2e6d968fc9f9"
},
"message": "Beta URL Down (Beta URL GUI violated Beta URL Down)",
"mutations": [],
"reporter_component": "08fe44fc923247aa9b931d186559a105",
"severity": "critical",
"source_component": "Beta URL Down",
"source_origin": "Beta URL GUI",
"version": "1.0"
},
"type": "alert_body"
},
"integration": {
"id": "PL68E48",
"type": "generic_events_api_inbound_integration_reference",
"summary": "New Relic",
"self": "https://api.pagerduty.com/services/P3ZB24W/integrations/PL68E48",
"html_url": "https://ibm-sandbox.pagerduty.com/services/P3ZB24W/integrations/PL68E48"
},
"privilege": null
}
IBM Netcool Operations Insight normalized mapping rules
Note: Rules take precedence, that is the mapped value is taken from the highest rules that fulfils the condition.
| Resultant Normalized Alert | Mapping rules | ||
|---|---|---|---|
| { | |||
| "sender": { | |||
| "service": "Ping Probe", | {{Agent}} | ||
| "name": "Ping Probe", | {{Manager}} | ||
| "type": "Netcool/OMNIbus" | "Netcool/OMNIbus" | ||
| }, | |||
| "resource": { | |||
| "name": "RNIB-MPLS-FTTC013", | Rule 1: Take {{Node}} if it is not empty | ||
| Rule 2: Take {{NodeAlias}} if it is not empty | |||
| Rule 3: Rule 3: Otherwise "unknown" | |||
| "hostname": "RNIB-MPLS-FTTC013", | Rule 1: {{Node}} if not empty and is valid hostname | ||
| Rule 2: {{NodeAlias}} if not empty and is valid hostname | |||
| "type": "host", | Rule 1: "host" if either {{Node}} or {{NodeAlias}} is not empty, | ||
| Rule 2: Otherwise, "unknown". | |||
| "ipaddress"10.44.113.88", | Rule 1: {{Node}} if not empty and is valid IPv4 | ||
| Rule 2: {{NodeAlias}} if not empty and is valid IPv4 | |||
| Rule 3: Otherwise, empty | |||
| "location": "Paper St" | {{Location}} | ||
| }, | |||
| "type": { | |||
| "classification": "probeping-icmptimeout:++:Ping Status", | {{EventId}} ":++:" {{AlertGroup}} | ||
| "eventType": "problem" | Rule 1: "resolution" if {{Severity}} is 0. | ||
| Rule 2: "resolution" if {{Type}} is one of {2,4} | |||
| Rule 3: Otherwise, "problem" | |||
| }, | |||
| "severity": 3, | Rule 1: {{Severity}} + 1 if {{Severity}} falls within 2 to 5. | ||
| Rule 2: 1 if {{Severity}} is 1 | |||
| Rule 3: 2 if {{Severity}} is > 0 | |||
| "summary": "RNIB-MPLS-FTTC013 is not reachable", | {{Summary}} | ||
| "occurrenceTime": "2021-02-23T09:56:46.000Z", | Output format: yyyy-mm-ddThh:mm:ss.SSSZ | ||
| Rule 1: If {{NetcoolEventAction}} is "INSERT", then {{FirstOccurrence}} - yyyy-mm-ddThh:mm:ss {{FirstOccurrenceUSec}} - if available then .SSSZ, otherwise .000Z | |||
| Rule 2: If {{NetcoolEventAction}} is "UPDATE", then {{LastOccurrence}} - yyyy-mm-ddThh:mm:ss {{LastOccurrenceUSec}} - if available then .SSSZ, otherwise .000Z | |||
| Note: {{FirstOccurrence}} and {{LastOccurrence}} can be in Unix epoch or datetime string. | |||
| "expirySeconds": 0 | Rule 1: Take {{ExpireTime}} if the field exists. | ||
| Rule 2: Otherwise, 0. | |||
| } |
Sample IBM Netcool Operations Insight event used in the mapping
{
"Identifier": "RNIB-MPLS-FTTC013 Ping Status:10.44.113.88 Ping Status 1 Ping Probe Ping Probe RNIB-MPLS-FTTC013 unreachable",
"SERIAL": 25230712,
"Node": "RNIB-MPLS-FTTC013",
"NodeAlias": "10.44.113.88",
"Manager": "Ping Probe",
"Agent": "Ping Probe",
"AlertGroup": "Ping Status",
"AlertKey": "Ping Status:10.44.113.88",
"Severity": 3,
"Summary": "RNIB-MPLS-FTTC013 is not reachable",
"StateChange": "1614074206",
"FirstOccurrence": "1614074206",
"LastOccurrence": "1614074206",
"LASTMODIFIED": "1614074206",
"Poll": 0,
"Type": 1,
"Tally": 1,
"Class": 100,
"Grade": 0,
"Location": " Paper St",
"OwnerUID": 65534,
"OwnerGID": 0,
"Acknowledged": 0,
"Flash": 0,
"EventId": "probeping-icmptimeout",
"ExpireTime": 0,
"ProcessReq": 0,
"SuppressEscl": 0,
"Customer": "RNIB",
"Service": "",
"PhysicalSlot": 0,
"PhysicalPort": 0,
"PhysicalCard": "",
"TaskList": 0,
"NmosSerial": "",
"NmosObjInst": 0,
"NmosCauseType": 0,
"LocalNodeAlias": "10.44.113.88",
"LocalPriObj": "",
"LocalSecObj": "",
"LocalRootObj": "",
"RemoteNodeAlias": "",
"RemotePriObj": "",
"RemoteSecObj": "",
"RemoteRootObj": "",
"X733EventType": 0,
"X733ProbableCause": 0,
"X733SpecificProb": "",
"X733CorrNotif": "",
"ServerName": " AGG_P",
"ServerSerial": 25230712,
"DELETEDAT": "2015-01-01T01:06:22",
"ACKOWNERUID": 0,
"ALERTCATEGORY": "0",
"CIRCUIT": "BBEU07581255",
"DESCRIPTION": "A device is not responding to ICMP ping monitoring",
"EVENTCATEGORY": "1",
"EVENTOWNERGID": 0,
"EVENTSUBCATEGORYONE": "1",
"EVENTSUBCATEGORYTWO": "1",
"ITMDISPLAYITEM": "",
"ITMSITFORMULA": "",
"ITMSITTYPE": "S",
"LINEID": "",
"PARTYID": "0",
"TICKETID": 0,
"TIMEESCL": "1970-01-01T01:00:00",
"TIMEFIRSTACK": "1970-01-01T01:00:00",
"TIMEJOURN": "1970-01-01T01:00:00",
"TIMELASTACK": "1970-01-01T01:00:00",
"TIMETICKET": "1970-01-01T01:00:00",
"CUSTOMERTIER": "0",
"CUSTOMERSCORE": "0",
"EVENTPRIORITY": "93",
"EVENTORIGIN": "1",
"TIMECLEAR": "2015-01-01T00:05:15",
"CIRCUITTYPE": "ADSL",
"SNDCCLASSNAME": "cmdb_ci_ip_router",
"SNDCMESSINASHORTNAME": "RNIBA",
"SNDCSYSID": "de16ced88712e004055fe5b8c9434d54",
"MANUFACTURER": "Cisco",
"CUSTOMERALIASNAME": "Paper St - ADSL [CIRCUITID:MKVL435293]",
"SNDCMESSINAOAID": "1191313",
"SNDCACCESSROUTER": "",
"SNDCACCESSROUTERPORT": "",
"SNDCBEARER": "",
"SNDCINSTALLNUMBER": "01509269339 ",
"SNDCDSLCARETYPE": "Enhanced",
"TICKETREF": "",
"TELCO": "ACME Telecom",
"SERVICEAFFECTING": "0",
"CUSTOMERREFERENCE": "UK-RNIBA",
"TIMEEVENTOWNERGID": "1970-01-01T01:00:00",
"TICKETREFLAST": "",
"SUPPORTSEGMENT": "2",
"NETWORKINTERFACE": "",
"URL": "",
"CORRFLAG": "0",
"PARENTCHILD": "0",
"PARENTSERIAL": 0,
"NEWSUMMCOUNT": -1,
"CMSURI": "",
"ENTITYTYPE": "Circuit_ADSL",
"NetcoolEventAction": "insert"
}