Quick reference for event enrichment
Use this information to understand how an event is processed as it passes through the Event Gateway.
The steps are described in the following table.
Action | Further information | Data passed to next step |
---|---|---|
1. An event is received from the ObjectServer and the incoming event filter is applied to the event. The default
filter checks the LocalNodeAlias field of the event. If the LocalNodeAlias
field is not empty, then the event passes the filter and moves to
Step 3.
Note: The LocalNodeAlias field usually contains data that points
to the main node device on which the event occurred. The precise data
held by the LocalNodeAlias field varies, and can include the following:
|
Event |
|
2. The Event Gateway assigns a state to the event based on the Severity and Tally fields in the event. This event state is an internal Event Gateway representation and is used later by the plug-ins as part of the event subscription mechanism. |
Event Event state |
|
3. The incoming field filter is applied to the event. This field filter filters out alerts.status fields that do not participate in the Event Gateway processing. |
Event with filtered fields Event state |
|
4. The Event Gateway determines how to handle this event, by determining which event map to use. Event maps define how to handle an event. At the same time a numerical precedence value is associated with an event. This precedence value is used by the RCA plugin in cases where there are multiple events on the same entity. The event with the highest precedence value on the entity is used to suppress other events. |
Event with filtered fields Event state Event map fields, such as event map name and event enrichment stitcher Precedence value |
|
5. The Event Gateway determines the entity ID of the Network Manager server or of the ingress interface, the interface within the discovery scope from which network packets are transmitted to and from the Network Manager server. This value is used by the RCA plug-in to perform isolated suppression. |
Event with filtered fields Event state Event map fields, such as event map name and event enrichment stitcher Precedence value PollerEntityId |
|
6. The Event Gateway performs a topology lookup to retrieve entity data associated with this event, and then enriches the event using some of this entity data. To perform the topology lookup and event enrichment, the Event Gateway calls the stitcher defined in the event map. |
To Steps 8 and Step 9 Event with filtered fields and enriched fields Event state Precedence value PollerEntityId Return value from stitcher |
|
7. The outgoing field filter is applied to the event. This filter only passes the fields enriched by the Event Gateway, and in particular, by the GwEnrichEvent stitcher rule. The enriched fields are placed on the Event Gateway queue, from where the data is sent to the ObjectServer at a configurable interval (default is 5 seconds). |
Fields enriched by Event Gateway |
|
8. Based on the return value from the stitcher
defined in the event map (Step 7), the Event Gateway determines whether
to send the enriched event to the plug-ins.
|
Event with filtered fields and enriched fields Event state Event map name Precedence value PollerEntityId |
|
9. Each plug-in determines whether it is interested in the enriched event. It does this based on the event map name and the event state. The plug-ins that are interested in the event perform further event enrichment or take other action. |
Event with filtered fields and enriched fields |
|
10. On completion of processing, the enriched fields are placed on the Event Gateway queue, from where the data is sent to the ObjectServer at a configurable interval (default is 5 seconds). |
To ObjectServer Fields enriched by plug-ins |