Configuring the Humio alert description field

You can use the Humio alert description field to provide attributes for the event management API. For example, you can specify severity=Major in the description field so that all events that are triggered by that alert have a severity of Major in event management.

This table shows the event management payload attributes that can be configured. Multiple attributes can be specified in one description field, separated by a space, as in the following example:
summary=\"A problem on the host myhost.com\" severity=Critical resource.hostname=myhost.com
Table 1. Configurable event management payload attributes

Each entry lists the event management event payload attribute, its type, the expected format in the Humio alert description field, and examples or notes.

resource (type: sender object)
  Expected format: resource.name, resource.application, resource.cluster, resource.components, resource.controller, resource.correlationKey, resource.displayName, resource.hostname, resource.interface, resource.ipaddress, resource.location, resource.port, resource.service, resource.sourceId, resource.type
  Example: resource.name=\"new name\"

severity (type: string)
  Expected format: severity
  Example: severity=Major
  Allowable values:
  • Critical
  • Major
  • Minor
  • Information
  • Indeterminate

summary (type: string)
  Expected format: summary
  Example: summary=\"The summary of issue\"

type (type: object)
  Expected format: type.eventType, type.statusOrThreshold
  Example: type.eventType=\"alert name\"

deduplicationKey (type: string)
  Expected format: deduplication
  Example: deduplicationKey=dedupKey

details (type: object)
  Expected format: details.<sample>
  Example: details.additionalDetails=\"Additional information about the alert\"

expiryTime (type: integer)
  Expected format: expiryTime
  Example: expiryTime=60 means to expire in 60 seconds

relatedResources (type: array)
  Expected format: relatedResources.#.name, relatedResources.#.application, relatedResources.#.cluster, relatedResources.#.component, relatedResources.#.controller, relatedResources.#.correlationKey, relatedResources.#.displayName, relatedResources.#.hostname, relatedResources.#.interface, relatedResources.#.ipaddress, relatedResources.#.location, relatedResources.#.port, relatedResources.#.relationship, relatedResources.#.service, relatedResources.#.sourceId, relatedResources.#.type
  The hashtag # refers to the numbering. All fields with the same numbering are grouped under one relatedResources object in event management.
  Examples:
  • relatedResources.1.name=related resource name 1
  • relatedResources.2.name=related resources name 2

resolution (type: Boolean)
  Expected format: resolution
  Example: resolution=true

timestamp (type: integer)
  Expected format: timestamp
  Example: timestamp=1595402850247

urls (type: array)
  Expected format: urls.#.url, urls.#.description
  The hashtag # refers to the numbering. All fields with the same numbering are grouped under one urls object in event management.
  Examples:
  • urls.1.url=https://www.bluemix.net
  • urls.1.description=\"bluemix url\"

The description of each payload attribute is available in the Event Management Event API.

The following two scenarios explain how this feature might be used.

Scenario 1: Expire the Humio informational events in event management

Use the expiryTime attribute to specify, in seconds, how long the events remain in event management before they expire.

For example, specify expiryTime=3600 in the Humio alert description field to expire the events in event management after 3600 seconds (1 hour).

Scenario 2: Deduplicate problem and resolution events in event management

To deduplicate Humio problem and resolution events, event management requires the resource bundle and the eventType of both events to be the same. In event management, the eventType is populated with the Humio alert name. If the two Humio alert names are not the same, you can override the eventType in the Humio alert description field.

In this example, create two alerts with two different alert names to retrieve the problem and resolution logs for the same resource in Humio. Then, define the same eventType in both alert descriptions. See the following examples:

Table 2. Deduplicate problem and resolution events

Humio alert name                  | Function
Monitor problems in host 123.     | To query the logs that contain problems in host 123.
Monitor resolutions in host 123.  | To query the logs that contain resolutions in host 123.

The two alerts are monitoring problem and resolution events in host 123. Now, define the same eventType value in both alert description fields. For example, specify type.eventType=\"monitor logs in host 123\" in both alert description fields in Humio. These events are then deduplicated and cleared automatically in event management.
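As an added example that is not part of this page and not the event management product's own code, the following Python script parses a description field written in the Table 1 format (space-separated key=value attributes, dotted keys for nested objects, numbered segments for the relatedResources and urls arrays) into the nested payload that event management receives, and then, for Scenario 2, checks that a problem alert and a resolution alert agree on the fields the page says deduplication depends on (the resource bundle and type.eventType). The sample descriptions, the host name host123, the TYPED_ATTRIBUTES coercion map and the SEVERITIES set are constructed from the table above; the script accepts values quoted as \" (as written on this page) as well as bare double quotes, which is an assumption about what the Humio UI stores.

```python
"""Added example: parse a Humio alert description field into an event
management payload and check the Scenario 2 deduplication fields."""
import json
import shlex

# Coercions for the typed attributes listed in Table 1 (constructed from the
# table; how the real API coerces other values is not stated on the page).
TYPED_ATTRIBUTES = {
    "expiryTime": int,
    "timestamp": int,
    "resolution": lambda v: v.lower() == "true",
}
# Allowable severity values from Table 1.
SEVERITIES = {"Critical", "Major", "Minor", "Information", "Indeterminate"}


def tokenize(description):
    """Split the field into key=value tokens; quoted values may contain spaces.

    The page writes quotes as \\" inside the field. This accepts that escaped
    form as well as bare double quotes (assumption about what Humio stores).
    """
    return shlex.split(description.replace('\\"', '"'))


def parse_description(description):
    """Build nested objects from dotted keys; numbered segments become arrays."""
    tree = {}
    for token in tokenize(description):
        if "=" not in token:
            raise ValueError(f"attribute without '=': {token!r}")
        key, value = token.split("=", 1)
        if key in TYPED_ATTRIBUTES:
            value = TYPED_ATTRIBUTES[key](value)
        elif key == "severity" and value not in SEVERITIES:
            raise ValueError(f"severity {value!r} is not an allowable value")
        path = key.split(".")
        node = tree
        for segment in path[:-1]:
            node = node.setdefault(segment, {})
        node[path[-1]] = value
    return _numbered_to_arrays(tree)


def _numbered_to_arrays(node):
    """Group x.1.* and x.2.* under x as a list of objects, in number order."""
    if not isinstance(node, dict):
        return node
    converted = {k: _numbered_to_arrays(v) for k, v in node.items()}
    if converted and all(k.isdigit() for k in converted):
        return [converted[k] for k in sorted(converted, key=int)]
    return converted


def dedup_identity(payload):
    """The two things Scenario 2 says must match for deduplication:
    the resource bundle and type.eventType."""
    resource = json.dumps(payload.get("resource", {}), sort_keys=True)
    return resource, payload.get("type", {}).get("eventType")


# Constructed sample description fields (not taken from any real alert).
EXAMPLE_DESCRIPTION = (
    r'summary=\"A problem on the host myhost.com\" severity=Critical '
    r'resource.hostname=myhost.com expiryTime=3600'
)
PROBLEM_DESCRIPTION = (
    r'resource.hostname=host123 type.eventType=\"monitor logs in host 123\" severity=Major'
)
RESOLUTION_DESCRIPTION = (
    r'resource.hostname=host123 type.eventType=\"monitor logs in host 123\" resolution=true'
)
RELATED_DESCRIPTION = (
    r'relatedResources.1.name=\"related resource name 1\" '
    r'relatedResources.2.name=\"related resources name 2\" '
    r'urls.1.url=https://www.bluemix.net urls.1.description=\"bluemix url\"'
)

if __name__ == "__main__":
    print(json.dumps(parse_description(EXAMPLE_DESCRIPTION), indent=2))
    print(json.dumps(parse_description(RELATED_DESCRIPTION), indent=2))
    same = dedup_identity(parse_description(PROBLEM_DESCRIPTION)) == \
        dedup_identity(parse_description(RESOLUTION_DESCRIPTION))
    print("problem and resolution events deduplicate:", same)
```

Because the parser splits on spaces, multi-word values such as the relatedResources names in Table 1 must be quoted in the description field for this script to read them as one value; a severity outside the allowable list is rejected before anything is sent, which is the check worth running on an alert definition before it starts creating events.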