Configuring the Humio alert description field
You can use the Humio alert description field to provide attributes for the event management API. For example, you can specify `severity=Major` in the description field so that all events triggered by that alert have a severity of Major in event management. Several attributes can be given in one description field, separated by spaces:

```
summary="A problem on the host myhost.com" severity=Critical resource.hostname=myhost.com
```
Event management event payload | Type | Expected format in Humio alert description field | Examples/notes |
---|---|---|---|
resource / sender | object | resource.name, resource.application, resource.cluster, resource.components, resource.controller, resource.correlationKey, resource.displayName, resource.hostname, resource.interface, resource.ipaddress, resource.location, resource.port, resource.service, resource.sourceId, resource.type | resource.name="new name" |
severity | string | severity | severity=Major (the allowable values are listed in the Event Management Event API) |
summary | string | summary | summary="The summary of issue" |
type | object | type.eventType, type.statusOrThreshold | type.eventType="alert name" |
deduplicationKey | string | deduplicationKey | deduplicationKey=dedupKey |
details | object | details.<sample> | details.additionalDetails="Additional information about the alert" |
expiryTime | integer | expiryTime | expiryTime=60 means the event expires in 60 seconds |
relatedResources | array | relatedResources.#.name, relatedResources.#.application, relatedResources.#.cluster, relatedResources.#.component, relatedResources.#.controller, relatedResources.#.correlationKey, relatedResources.#.displayName, relatedResources.#.hostname, relatedResources.#.interface, relatedResources.#.ipaddress, relatedResources.#.location, relatedResources.#.port, relatedResources.#.relationship, relatedResources.#.service, relatedResources.#.sourceId, relatedResources.#.type | The hash tag (#) refers to the numbering. All fields with the same number are grouped together under one relatedResources object in event management. |
resolution | boolean | resolution | resolution=true |
timestamp | integer | timestamp | timestamp=1595402850247 |
urls | array | urls.#.url, urls.#.description | The hash tag (#) refers to the numbering. All fields with the same number are grouped together under one urls object in event management. |
The description of each payload attribute is available in the Event Management Event API.
The following two scenarios show how this feature might be used.
Scenario 1: Expire the Humio informational events in event management

Use the expiryTime attribute to specify, in seconds, when the events expire. For example, specify expiryTime=3600 in the Humio alert description field to expire the events in event management after 3600 seconds (1 hour).
Scenario 2: Deduplicate problem and resolution events in event management

To deduplicate Humio problem and resolution events in event management, the resource bundle and the eventType of both events must be the same. In event management, the eventType is populated with the Humio alert name. If the two Humio alert names are not the same, you can set the eventType in the Humio alert description field of both alerts instead. See the following examples:

Humio alert name | Function |
---|---|
Monitor problems in host 123. | To query the logs that contain problems in host 123. |
Monitor resolutions in host 123. | To query the logs that contain resolutions in host 123. |

Specify the same eventType value in both alert description fields. For example, specify type.eventType="monitor logs in host 123" in both alert description fields in Humio. These events will then be deduplicated and cleared automatically in event management.
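The following added example (not code from the page or from Humio/event management) parses a description field written in the format of the table above into a nested event payload, and checks the Scenario 2 condition that two events share a resource bundle and eventType. It assumes that the `#` placeholder is written as a number in the description field (for example `relatedResources.1.name=db`) and that quoted values follow shell quoting rules.

```python
import json
import shlex

# Attribute types taken from the table above; every other attribute stays a string.
INTEGER_FIELDS = {"expiryTime", "timestamp"}
BOOLEAN_FIELDS = {"resolution"}

def _coerce(key, value):
    """Convert a top-level integer/boolean attribute; leave everything else as text."""
    top = key.split(".", 1)[0]
    if top in INTEGER_FIELDS:
        return int(value)
    if top in BOOLEAN_FIELDS:
        return value.lower() == "true"
    return value

def _listify(node):
    """Turn nodes keyed only by numbers (the '#' groups) into lists ordered by that number."""
    if not isinstance(node, dict):
        return node
    if node and all(k.isdigit() for k in node):
        return [_listify(node[k]) for k in sorted(node, key=int)]
    return {k: _listify(v) for k, v in node.items()}

def parse_description(description):
    """Parse space-separated key=value tokens (values may be double-quoted) into a payload."""
    # Assumption: '#' is written as a number, e.g. relatedResources.1.name=db
    payload = {}
    for token in shlex.split(description):  # honours "quoted values with spaces"
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=value, got {token!r}")
        parts = key.split(".")
        node = payload
        for part in parts[:-1]:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):  # e.g. severity=Major and severity.x=1
                raise ValueError(f"{key!r} conflicts with a scalar attribute")
        node[parts[-1]] = _coerce(key, value)
    return _listify(payload)

def dedup_group(payload):
    """Scenario 2: events deduplicate only when resource and type.eventType agree."""
    resource = json.dumps(payload.get("resource", {}), sort_keys=True)
    return resource, payload.get("type", {}).get("eventType")
```

`parse_description` raises `ValueError` on malformed tokens and on conflicting keys, so a bad description field is rejected rather than silently producing a partial payload.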