Configuring the Humio alert description field
You can use the Humio alert description field to provide attributes for the event management API. For example, you can specify severity=Major in the description field so that all events triggered by that alert have a severity of major in event management.
The table in this section shows the configurable event management payload attributes. Multiple fields can be populated, separated by a space, as in the following example:
summary="A problem on the host myhost.com" severity=Critical resource.hostname=myhost.com
| Event management event payload | Type | Expected format in Humio alert description field | Examples/notes |
|---|---|---|---|
| resource, sender | object | resource.name resource.application resource.cluster resource.components resource.controller resource.correlationKey resource.displayName resource.hostname resource.interface resource.ipaddress resource.location resource.port resource.service resource.sourceId resource.type | resource.name="new name" |
| severity | string | severity | severity=Major. Allowable values: Critical, Major, Minor, Information, Indeterminate |
| summary | string | summary | summary=The summary of issue |
| type | object | type.eventType type.statusOrThreshold | type.eventType=alert name |
| deduplicationKey | string | deduplication | deduplicationKey=dedupKey |
| details | object | details. | details.additionalDetails=Additional information about the alert |
| expiryTime | integer | expiryTime | expiryTime=60 means the event expires in 60 seconds |
| relatedResources | array | relatedResources.#.name relatedResources.#.application relatedResources.#.cluster relatedResources.#.component relatedResources.#.controller relatedResources.#.correlationKey relatedResources.#.displayName relatedResources.#.hostname relatedResources.#.interface relatedResources.#.ipaddress relatedResources.#.location relatedResources.#.port relatedResources.#.relationship relatedResources.#.service relatedResources.#.sourceId relatedResources.#.type | The hash tag # refers to the numbering. All fields with the same number are grouped together under one relatedResources object in event management. |
| resolution | boolean | resolution | resolution=true |
| timestamp | integer | timestamp | timestamp=1595402850247 |
| urls | array | urls.#.url urls.#.description | The hash tag # refers to the numbering. All fields with the same number are grouped together under one urls object in event management. Examples: urls.1.url=https://www.bluemix.net urls.1.description=blumix url |
The description of each payload attribute is available in the Event Management Event API.
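The following parser, added here as an example and not part of the Humio or event management products, shows how the description-field syntax above maps onto the event payload. It assumes double-quoted values, dotted keys for nested objects, and that the `#` numbering in urls.#.url and relatedResources.#.name collects one object per number into a list; severities outside the allowable list are rejected.

```python
"""Parse a Humio alert description field into an event management payload.

Added example, not the product's own code. It assumes double-quoted values,
dotted keys for nested objects, and that the '#' numbering in urls.#.url and
relatedResources.#.name collects one object per number into a list.
"""
import shlex

# Allowable values and field types are taken from the table on this page.
SEVERITIES = {"Critical", "Major", "Minor", "Information", "Indeterminate"}
ARRAY_FIELDS = {"urls", "relatedResources"}
INT_FIELDS = {"expiryTime", "timestamp"}
BOOL_FIELDS = {"resolution"}


def _coerce(top_key, value):
    """Convert a string value to the expected type, rejecting unknown severities."""
    if top_key == "severity" and value not in SEVERITIES:
        raise ValueError(f"unknown severity {value!r}")
    if top_key in INT_FIELDS:
        return int(value)
    if top_key in BOOL_FIELDS:
        return value.lower() == "true"
    return value


def parse_description(description):
    """Build the nested payload dict from 'key=value key=value ...' text."""
    payload, numbered = {}, {}  # numbered: {"urls": {1: {"url": ...}}}
    for token in shlex.split(description):  # keeps "quoted values" together
        if "=" not in token:
            raise ValueError(f"expected key=value, got {token!r}")
        key, value = token.split("=", 1)
        parts = key.split(".")
        if parts[0] in ARRAY_FIELDS:
            if len(parts) != 3 or not parts[1].isdigit():
                raise ValueError(f"{key!r} must look like {parts[0]}.#.field")
            entry = numbered.setdefault(parts[0], {}).setdefault(int(parts[1]), {})
            entry[parts[2]] = value
            continue
        node = payload
        for part in parts[:-1]:  # resource.hostname -> {"resource": {"hostname": ...}}
            node = node.setdefault(part, {})
        node[parts[-1]] = _coerce(parts[0], value)
    for field, entries in numbered.items():  # group by number, in numeric order
        payload[field] = [entries[n] for n in sorted(entries)]
    return payload
```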
The following two scenarios show how this feature might be used.
Scenario 1: Expire the Humio informational events in event management
Use the expiryTime attribute to specify, in seconds, when the events expire.
For example, specify expiryTime=3600 in the Humio alert description field to expire the events in event management after 3600 seconds (1 hour).
Scenario 2: Deduplicate problem and resolution events in event management
To deduplicate Humio problem and resolution events in event management, the resource bundle and the eventType must be the same. In event management, the eventType is populated with the Humio alert name. If the Humio alert names differ, you can set the eventType in the Humio alert description field in Humio. In this example, let's create two alerts with different alert names to retrieve the problem and resolution logs for the same resource in Humio, and then define the same eventType in both alert descriptions. See the following examples:
Humio alert name | Function |
---|---|
Monitor problems in host 123. | To query the logs that contain problems in host 123. |
Monitor resolutions in host 123. | To query the logs that contain resolutions in host 123. |
The two alerts monitor problem and resolution events in host 123. Now, define the same eventType value in both alert description fields. For example, specify type.eventType=monitor logs in host 123 in both alert description fields in Humio. These events are then deduplicated and cleared automatically in event management.