Attribute mapping between event management and Humio

Learn about the relationship between Netcool® Operations Insight® attributes and incoming Humio event fields.

Table 1. Attribute mapping

| Event Attributes | Humio Placeholders | Incoming Humio Event Fields | Examples in payload |
| --- | --- | --- | --- |
| resource.name | | events.name | "anacron", "systemd". Syslog programname |
| resource.hostname | | events.host | "ubuntu18-dev11". If invalid format, set to "unknown resource" |
| resource.ipaddress | | events.host | If events.host is a valid IP address, then set to resource.ipaddress |
| resource.type | | | Server, if syslogtag is not empty. |
| resource.sourceId | | events.pid | 24719 |
| resource.service | | events.facility | "cron", "daemon" |
| type.eventType | {alert_name} | alert.name | "RSyslog Event" |
| type.statusOrThreshold | {query_string} | alert.query.queryString | #type=syslog-utc \| severity!=info |
| summary | | events.message | Normal exit (0 jobs run); Anacron 2.3 started on 2020-07-21; Job `cron.daily' terminated |
| severity | | events.severity | If the severity is not defined in the Humio alert description field, Netcool Operations Insight sets the severity according to the Syslogd Probe default rules file. For more information, see Syslogd Probe. |
| timestamp | | events.@timestamp | 1595227508103 |
| urls.url | {url} | linkURL | |
| urls.description | | | URL to open Humio with the alert’s query |
| sender.name | | | "Humio" |
| sender.type | | | "Humio" |
| sender.service | | | events.name |
| details.event | | JSON.stringify (events) | Stringify each event in events for the related event. |
| details.alert | | JSON.stringify (alert) | Exclude the events. |
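
The mapping in Table 1, applied to a sample payload, as an added example that is not IBM or Humio code. It assumes a payload with a top-level alert object, events array and linkURL; the function name mapHumioPayload, the hostname pattern, the IPv4-only address check, the events.syslogtag field and the nested output objects that mirror the dotted attribute names are all assumptions.

```javascript
// Added illustration, not IBM or Humio code. Field names come from Table 1; the
// payload layout, hostname rule, IPv4-only check and syslogtag field are assumptions.
const HOSTNAME_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
const isIPv4 = (s) => {
  const parts = s.split(".");
  return parts.length === 4 && parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
};

function mapHumioPayload(payload) {
  const { alert = {}, events = [], linkURL } = payload;
  return events.map((ev) => {
    const host = typeof ev.host === "string" ? ev.host : "";
    const resource = { name: ev.name, sourceId: ev.pid, service: ev.facility };
    // Assumption: an IP-valued events.host fills resource.ipaddress instead of hostname.
    if (isIPv4(host)) resource.ipaddress = host;
    else resource.hostname = HOSTNAME_RE.test(host) ? host : "unknown resource";
    if (ev.syslogtag) resource.type = "Server";
    return {
      resource,
      type: { eventType: alert.name, statusOrThreshold: alert.query?.queryString },
      summary: ev.message,
      severity: ev.severity, // the fallback to the Syslogd Probe rules file is not modelled
      timestamp: ev["@timestamp"],
      urls: { url: linkURL, description: "URL to open Humio with the alert's query" },
      sender: { name: "Humio", type: "Humio", service: ev.name },
      details: { event: JSON.stringify(ev), alert: JSON.stringify(alert) },
    };
  });
}

// Constructed sample payload that reuses the example values from Table 1.
const samplePayload = {
  alert: { name: "RSyslog Event", query: { queryString: "#type=syslog-utc | severity!=info" } },
  linkURL: "https://humio.example.invalid/alert", // constructed placeholder URL
  events: [
    { name: "anacron", host: "ubuntu18-dev11", pid: 24719, facility: "cron", severity: "notice",
      message: "Normal exit (0 jobs run)", "@timestamp": 1595227508103, syslogtag: "anacron[24719]:" },
    { name: "systemd", host: "192.0.2.10", facility: "daemon", message: "constructed message" },
    { name: "systemd", host: "bad host!;", facility: "daemon", message: "constructed message" },
  ],
};
const mapped = mapHumioPayload(samplePayload);
console.log(JSON.stringify(mapped.map((e) => e.resource), null, 2));
```

The third sample event carries a host value that fails the hostname pattern, so it is mapped to "unknown resource" rather than passed through to the event.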