Attribute mapping between event management and Humio

Learn about the relationship between Netcool® Operations Insight® attributes and incoming Humio event fields.

Table 1. Attribute mapping
| Event Attributes | Humio Placeholders | Incoming Humio Event Fields | Examples in payload |
|---|---|---|---|
| | | | "anacron", "systemd". Syslog programname |
| | | If invalid format, set to "unknown resource" | |
| resource.ipaddress | | If is a valid IP address, then set to resource.ipaddress | |
| resource.type | | | Server, if syslogtag is not empty. |
| resource.sourceId | | | 24719 |
| resource.service | | events.facility | "cron", "daemon" |
| type.eventType | {alert_name} | | "RSyslog Event" |
| type.statusOrThreshold | {query_string} | alert.query.queryString | `#type=syslog-utc \| severity!=info` |
| summary | | events.message | "Normal exit (0 jobs run)"; "Anacron 2.3 started on 2020-07-21"; "Job `cron.daily' terminated" |
| severity | | events.severity. If the severity is not defined in the Humio alert description field, Netcool Operations Insight sets the severity according to the Syslogd Probe default rules file. For more information, see Syslogd Probe. | |
| timestamp | | events.@timestamp | 1595227508103 |
| urls.url | {url} | linkURL | |
| urls.description | | URL to open Humio with the alert's query | "Humio" |
| sender.type | | | "Humio" |
| details.event | | JSON.stringify(events) | Stringify each event in events for the related event. |
| details.alert | | JSON.stringify(alert) | Exclude the events. |