Attribute mapping between event management and Humio
The table in this section defines the relationship between event management attributes and incoming Humio event fields.
Event Attributes | Humio Placeholders | Incoming Humio Event Fields | Examples in payload / mapping rule
---|---|---|---
resource.name | | events.name | anacron, systemd (syslog programname)
resource.hostname | | events.host | ubuntu18-dev11; if the value is not a valid hostname format, set to unknown resource
resource.ipaddress | | events.host | If events.host is a valid IP address, it is set as resource.ipaddress
resource.type | | Constant: Server | Set to Server if syslogtag is not empty
resource.sourceId | | events.pid | 24719
resource.service | | events.facility | cron, daemon
type.eventType | {alert_name} | alert.name | RSyslog Event
type.statusOrThreshold | {query_string} | alert.query.queryString | #type=syslog-utc \| severity!=info
summary | | events.message | Normal exit (0 jobs run), Anacron 2.3 started on 2020-07-21 Job
severity | | events.severity | If the severity is not defined in the Humio alert description field, Event Management sets the severity according to the Syslogd Probe default rules file. For more information, see Syslogd Probe.
timestamp | | events.@timestamp | 1595227508103
urls.url | {url} | linkURL | Link to the Humio search
urls.description | | Constant | URL to open Humio with the query of the alert
sender.name | | Constant | Humio
sender.type | | Constant | Humio
sender.service | | events.name | anacron, systemd
details.event | | JSON.stringify(event) | Each event in events is stringified for the related event
details.alert | | JSON.stringify(alert) | The alert object with the events array excluded
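The mapping above is easiest to check against a concrete payload. The following is an added example, not code from the event management product or from Humio: it applies each row of the table to a constructed webhook payload. The payload shape (top-level `alert`, `linkURL` and `events` keys), the `severity=<level>` convention in the alert description, and the `DEFAULT_SEVERITY` constant standing in for the Syslogd Probe default rules file are assumptions for the example; the table's "Examples in payload" values are reused where it has them.

```python
import ipaddress
import json
import re

# Constructed sample webhook payload. The top-level shape (alert / linkURL / events)
# is an assumption for this example, not a captured Humio message.
SAMPLE_PAYLOAD = {
    "alert": {
        "name": "RSyslog Event",
        "description": "",
        "query": {"queryString": "#type=syslog-utc | severity!=info"},
    },
    "linkURL": "https://humio.example.invalid/search?query=%23type%3Dsyslog-utc",
    "events": [
        {"@timestamp": 1595227508103, "name": "anacron", "host": "ubuntu18-dev11",
         "pid": "24719", "facility": "cron", "syslogtag": "anacron[24719]:",
         "message": "Normal exit (0 jobs run)"},
        {"@timestamp": 1595227508104, "name": "systemd", "host": "10.0.0.5",
         "pid": "1", "facility": "daemon", "syslogtag": "systemd[1]:",
         "severity": "error", "message": "Failed to start foo.service."},
        {"@timestamp": 1595227508105, "name": "kernel", "host": "not a host!",
         "pid": "", "facility": "kern", "syslogtag": "",
         "message": "eth0: link down"},
    ],
}

# Placeholder standing in for the Syslogd Probe default rules file (assumption).
DEFAULT_SEVERITY = "Warning"

# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_ip_address(value):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def severity_from_description(description):
    """Assumed convention: a 'severity=<level>' token in the alert description."""
    m = re.search(r"severity\s*[=:]\s*([A-Za-z]+)", description or "")
    return m.group(1) if m else None


def map_event(payload, event):
    """Build the event management attributes for one event of the payload."""
    alert = payload["alert"]
    attrs = {}

    # resource.hostname / resource.ipaddress: both come from events.host.
    host = str(event.get("host", ""))
    if is_ip_address(host):
        attrs["resource.ipaddress"] = host
    elif HOSTNAME_RE.match(host):
        attrs["resource.hostname"] = host
    else:
        attrs["resource.hostname"] = "unknown resource"

    attrs["resource.name"] = event.get("name")
    if event.get("syslogtag"):            # resource.type only when syslogtag is set
        attrs["resource.type"] = "Server"
    attrs["resource.sourceId"] = event.get("pid")
    attrs["resource.service"] = event.get("facility")

    attrs["type.eventType"] = alert["name"]                       # {alert_name}
    attrs["type.statusOrThreshold"] = alert["query"]["queryString"]  # {query_string}
    attrs["summary"] = event.get("message")

    # events.severity first, then the alert description, then the default rules.
    attrs["severity"] = (event.get("severity")
                         or severity_from_description(alert.get("description"))
                         or DEFAULT_SEVERITY)
    attrs["timestamp"] = event["@timestamp"]

    attrs["urls.url"] = payload.get("linkURL")                    # {url}
    attrs["urls.description"] = "URL to open Humio with the query of the alert"
    attrs["sender.name"] = "Humio"
    attrs["sender.type"] = "Humio"
    attrs["sender.service"] = event.get("name")

    # details.event: this event only; details.alert: the payload minus events.
    attrs["details.event"] = json.dumps(event)
    attrs["details.alert"] = json.dumps(
        {k: v for k, v in payload.items() if k != "events"})
    return attrs


def map_payload(payload):
    """One attribute dictionary per event in the payload."""
    return [map_event(payload, e) for e in payload.get("events", [])]


if __name__ == "__main__":
    for attrs in map_payload(SAMPLE_PAYLOAD):
        print(json.dumps(attrs, indent=2))
```

The IP-or-hostname split and the "unknown resource" fallback are where a mapper most often misbehaves on real syslog data (empty hosts, IPv6, hosts with trailing dots), so the sample payload deliberately includes one of each case.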