Configuring the Humio alert description field

You can use the Humio alert description field to provide attributes for the event management API. For example, specify severity=Major in the description field so that every event triggered by that alert has a severity of Major in event management.

The table in this section shows the configurable event management payload attributes. Multiple fields can be populated in one description, separated by a space, as in the following example:
summary="A problem on the host myhost.com" severity=Critical resource.hostname=myhost.com
Table 1. Configurable event management payload attributes

| Event management event payload | Type | Expected format in Humio alert description field | Examples/notes |
| --- | --- | --- | --- |
| resource | sender object | resource.name, resource.application, resource.cluster, resource.components, resource.controller, resource.correlationKey, resource.displayName, resource.hostname, resource.interface, resource.ipaddress, resource.location, resource.port, resource.service, resource.sourceId, resource.type | resource.name="new name" |
| severity | string | severity | severity=Major. Allowable values: Critical, Major, Minor, Information, Indeterminate |
| summary | string | summary | summary="The summary of issue" |
| type | object | type.eventType, type.statusOrThreshold | type.eventType="alert name" |
| deduplicationKey | string | deduplication | deduplicationKey=dedupKey |
| details | object | details.<sample> | details.additionalDetails="Additional information about the alert" |
| expiryTime | integer | expiryTime | expiryTime=60 means the event expires in 60 seconds |
| relatedResources | array | relatedResources.#.name, relatedResources.#.application, relatedResources.#.cluster, relatedResources.#.component, relatedResources.#.controller, relatedResources.#.correlationKey, relatedResources.#.displayName, relatedResources.#.hostname, relatedResources.#.interface, relatedResources.#.ipaddress, relatedResources.#.location, relatedResources.#.port, relatedResources.#.relationship, relatedResources.#.service, relatedResources.#.sourceId, relatedResources.#.type | The hash tag # is an index number. All fields with the same number are grouped together under one relatedResources object in event management. Examples: relatedResources.1.name=related resource name 1; relatedResources.2.name=related resources name 2 |
| resolution | boolean | resolution | resolution=true |
| timestamp | integer | timestamp | timestamp=1595402850247 |
| urls | array | urls.#.url, urls.#.description | The hash tag # is an index number. All fields with the same number are grouped together under one urls object in event management. Examples: urls.1.url=https://www.bluemix.net; urls.1.description="bluemix url" |

The description of each payload attribute is available in the Event Management Event API.

The following two scenarios show how this feature might be used.

Scenario 1: Expire the Humio informational events in event management

Use the expiryTime attribute to specify, in seconds, how long an event remains in event management before it expires.

For example, specify expiryTime=3600 in the Humio alert description field to expire the events in event management after 3600 seconds (1 hour).

Scenario 2: Deduplicate problem and resolution events in event management

To deduplicate Humio problem and resolution events, the resource bundle and the eventType must be the same in event management. By default, event management populates the eventType with the Humio alert name. If the two alerts have different names, you can override the eventType in the Humio alert description field.

In this example, let's create two alerts with two different alert names to retrieve the problem and resolution logs for the same resource in Humio. Then, we must define the same eventType in both alert descriptions. See the following examples:

Table 2. Deduplicate problem and resolution events

| Humio alert name | Function |
| --- | --- |
| Monitor problems in host 123 | Queries the logs that contain problems in host 123. |
| Monitor resolutions in host 123 | Queries the logs that contain resolutions in host 123. |

The two alerts monitor problem and resolution events in host 123. Now we need to define the same eventType value in both alert description fields. For example, specify type.eventType="monitor logs in host 123" in both alert description fields in Humio. These events are then deduplicated and cleared automatically in event management.
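The following parser is an added illustration of how the description-field format in Table 1 (dotted keys, the numbered # index for arrays, and the type.eventType override from Scenario 2) maps onto a nested event payload; it is not the event management integration's own code. It assumes that multi-word values are double-quoted, that digit-only values become integers and true/false become booleans, and that the severity must be one of the allowed values in the table.

```python
import json
import shlex

# Constructed sample description in the key=value format the table describes.
SAMPLE_DESCRIPTION = (
    'summary="A problem on the host myhost.com" severity=Critical '
    'resource.hostname=myhost.com type.eventType="monitor logs in host 123" '
    'expiryTime=3600 resolution=false relatedResources.1.name="related resource name 1" '
    'relatedResources.2.name="related resources name 2" '
    'urls.1.url=https://www.bluemix.net urls.1.description="bluemix url"'
)
ALLOWED_SEVERITIES = {"Critical", "Major", "Minor", "Information", "Indeterminate"}

def _coerce(value):
    """Assumed typing rule: digit strings become int, true/false become bool."""
    if value.isdigit():
        return int(value)
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value

def _lists_from_numbered(node):
    """Turn {"1": {...}, "2": {...}} (the '#' index in the table) into a list."""
    if not isinstance(node, dict):
        return node
    converted = {k: _lists_from_numbered(v) for k, v in node.items()}
    if converted and all(k.isdigit() for k in converted):
        return [converted[k] for k in sorted(converted, key=int)]
    return converted

def parse_description(description):
    """Parse space-separated key=value pairs into a nested event payload dict."""
    payload = {}
    for token in shlex.split(description):  # respects "..." around values
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {token!r}")
        *path, leaf = key.split(".")
        node = payload
        for part in path:  # dotted keys become nested objects
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} conflicts with an earlier scalar value")
        node[leaf] = _coerce(value)
    if payload.get("severity", "Critical") not in ALLOWED_SEVERITIES:  # absent is fine
        raise ValueError(f"severity {payload['severity']!r} is not an allowed value")
    return _lists_from_numbered(payload)

if __name__ == "__main__":
    print(json.dumps(parse_description(SAMPLE_DESCRIPTION), indent=2))
```

Both alerts from Scenario 2 produce the same type.eventType value through this mapping, which is what lets event management match the resolution event to the problem event.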