Configuring the Humio alert description field
You can use the Humio alert description field to provide attributes for the event management API. For example, you can specify severity=Major in the description field so that all events that are triggered by that alert have a severity of Major in event management. Several attributes can be combined in one description field, for example:

```
summary="A problem on the host myhost.com" severity=Critical resource.hostname=myhost.com
```
| Event management event payload | Type | Expected format in Humio alert description field | Examples or notes |
|---|---|---|---|
| resource, sender | object | | `resource.name="new name"` |
| severity | string | `severity` | `severity=Major`. Allowable values: |
| summary | string | `summary` | `summary="` |
| type | object | | `type.eventType="alert name"` |
| deduplicationKey | string | `deduplication` | `deduplicationKey=dedupKey` |
| details | object | `details.<sample>` | `details.additionalDetails="` |
| expiryTime | integer | `expiryTime` | `expiryTime=60` means to expire in 60 seconds |
| relatedResources | array | | The hashtag refers to the numbering. All fields with the same numbering are grouped under one relatedResources object in event management. Examples: |
| resolution | Boolean | `resolution` | `resolution=true` |
| timestamp | integer | `timestamp` | `timestamp=1595402850247` |
| urls | array | | The hashtag refers to the numbering. All fields with the same numbering are grouped under one urls object in event management. Examples: |
The description of each payload attribute is available in the Event Management Event API.
The following two scenarios explain how this feature might be used.
Scenario 1: Expire the Humio informational events in event management
Use the expiryTime attribute to specify, in seconds, when the events expire. For example, specify expiryTime=3600 in the Humio alert description field to expire the events in event management after 3600 seconds (1 hour).
Scenario 2: Deduplicate problem and resolution events in event management
The resource bundle and eventType must be the same in event management to deduplicate Humio problem and resolution events. In event management, the eventType is populated with the Humio alert name. If the Humio alert names are not the same, you can override the eventType in the Humio alert description field in Humio by specifying the same eventType in both alert descriptions. See the following examples:
Humio alert name | Function |
---|---|
Monitor problems in host 123. | To query the logs that contain problems in host 123. |
Monitor resolutions in host 123. | To query the logs that contain resolutions in host 123. |
These two alerts have different names, so specify the same eventType value in both alert description fields. For example, specify type.eventType="monitor logs in host 123" in both alert description fields in Humio. These events are then deduplicated and cleared automatically in event management.
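As an added example (not code from the original page or from the Humio integration itself), the following Python script parses a description field written in the format the table above describes, including the type.eventType override used in Scenario 2, into the nested event management payload. It assumes shell-style quoting for values and that the "#" numbering for array attributes is written as relatedResources.1.<field> (1-based); both are assumptions, not documented behaviour.

```python
import json
import shlex

# Field types from the table above: which top-level payload attributes are
# arrays (numbered with the "#" placeholder) and which need type conversion.
ARRAY_FIELDS = {"relatedResources", "urls"}
INT_FIELDS = {"expiryTime", "timestamp"}
BOOL_FIELDS = {"resolution"}


def parse_description(description: str) -> dict:
    """Convert a Humio alert description such as
    summary="A problem on the host myhost.com" severity=Critical resource.hostname=myhost.com
    into a nested event management payload dict.
    Assumption: values use shell-style quoting (shlex), so a quoted summary stays one value."""
    payload: dict = {}
    for token in shlex.split(description):
        if "=" not in token:
            raise ValueError(f"expected key=value, got {token!r}")
        key, value = token.split("=", 1)
        parts = key.split(".")
        if parts[0] in INT_FIELDS:
            value = int(value)               # expiryTime=3600, timestamp=1595402850247
        elif parts[0] in BOOL_FIELDS:
            value = value.lower() == "true"  # resolution=true
        _assign(payload, parts, value, top_level=True)
    return payload


def _assign(node: dict, parts: list, value, top_level: bool) -> None:
    """Walk (creating as needed) the nested dicts named by a dotted key.
    For array attributes the segment after the name is the numbering from the table
    (assumed 1-based): fields with the same number land in the same array element."""
    head, rest = parts[0], parts[1:]
    if top_level and head in ARRAY_FIELDS:
        if len(rest) < 2 or not rest[0].isdigit():
            raise ValueError(f"{head} needs a numbered segment, e.g. {head}.1.<field>")
        index = int(rest[0]) - 1
        items = node.setdefault(head, [])
        while len(items) <= index:
            items.append({})
        _assign(items[index], rest[1:], value, top_level=False)
    elif rest:
        _assign(node.setdefault(head, {}), rest, value, top_level=False)
    else:
        node[head] = value


if __name__ == "__main__":
    print(json.dumps(parse_description(
        'summary="A problem on the host myhost.com" severity=Critical resource.hostname=myhost.com'), indent=2))
```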