Attribute mapping between event management and Humio

The table in this section defines the relationship between Netcool® Operations Insight® attributes and incoming Humio event fields.

Table 1. Attribute mapping
| Event Attributes | Humio Placeholders | Incoming Humio Event Fields | Examples in payload |
| --- | --- | --- | --- |
| resource.name | | events.name | "anacron", "systemd". Syslog programname |
| resource.hostname | | events.host | "ubuntu18-dev11". If invalid format, set to "unknown resource" |
| resource.ipaddress | | events.host | If events.host is a valid IP address, then set to resource.ipaddress |
| resource.type | | | Server, if syslogtag is not empty |
| resource.sourceId | | events.pid | 24719 |
| resource.service | | events.facility | "cron", "daemon" |
| type.eventType | {alert_name} | alert.name | "RSyslog Event" |
| type.statusOrThreshold | {query_string} | alert.query.queryString | #type=syslog-utc \| severity!=info |
| summary | | events.message | "Normal exit (0 jobs run)", "Anacron 2.3 started on 2020-07-21", "Job `cron.daily' terminated" |
| severity | | events.severity | If the severity is not defined in the Humio alert description field, Netcool Operations Insight sets the severity according to the Syslogd Probe default rules file. For more information, see Syslogd Probe. |
| timestamp | | events.@timestamp | 1595227508103 |
| urls.url | {url} | linkURL | |
| urls.description | | | URL to open Humio with the alert’s query |
| sender.name | | | "Humio" |
| sender.type | | | "Humio" |
| sender.service | | | events.name |
| details.event | | JSON.stringify(events) | Stringify each event in events for the related event |
| details.alert | | JSON.stringify(alert) | Exclude the events |
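
The mapping in Table 1 applied to a constructed payload, as an added example that is not IBM or Humio code; it shows how the `events.host` rules keep a malformed host value out of the resource identity. Assumptions: the payload shape `{ alert, linkURL, events }`, the nested output layout, the host name pattern used for "invalid format", IPv4-only address checking, and the function names `isIPv4` and `mapHumioEvent`.

```javascript
// Added example, not IBM or Humio code. Assumed payload: { alert, linkURL, events: [...] }.
const HOSTNAME = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// IPv4 dotted quad only; IPv6 is left out of this example.
function isIPv4(s) {
  const parts = s.split('.');
  return parts.length === 4 && parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function mapHumioEvent(payload, ev) {
  const host = typeof ev.host === 'string' ? ev.host.trim() : '';
  const resource = { name: ev.name, sourceId: ev.pid, service: ev.facility };
  if (isIPv4(host)) {
    resource.ipaddress = host;                 // events.host is a valid IP address
  } else {
    // Assumption: "invalid format" means not an RFC 1123 style host name.
    resource.hostname = HOSTNAME.test(host) ? host : 'unknown resource';
  }
  if (ev.syslogtag) resource.type = 'Server';  // only when syslogtag is not empty

  const { events: _omitted, ...alertOnly } = payload.alert || {};  // details.alert excludes the events
  return {
    resource,
    type: { eventType: alertOnly.name, statusOrThreshold: alertOnly.query && alertOnly.query.queryString },
    summary: ev.message,
    severity: ev.severity,   // undefined when absent; the product then applies its probe rules
    timestamp: ev['@timestamp'],
    urls: { url: payload.linkURL, description: "URL to open Humio with the alert's query" },
    sender: { name: 'Humio', type: 'Humio', service: ev.name },
    details: { event: JSON.stringify(ev), alert: JSON.stringify(alertOnly) },
  };
}

// Constructed sample payload built from the example values in Table 1.
const SAMPLE = {
  alert: { name: 'RSyslog Event', query: { queryString: '#type=syslog-utc | severity!=info' } },
  linkURL: 'https://humio.example.invalid/search',
  events: [
    { name: 'anacron', host: 'ubuntu18-dev11', pid: 24719, facility: 'cron', syslogtag: 'anacron[24719]:',
      message: 'Normal exit (0 jobs run)', '@timestamp': 1595227508103 },
    { name: 'systemd', host: '10.0.0.5', facility: 'daemon', message: 'Anacron 2.3 started on 2020-07-21' },
    { name: 'systemd', host: 'bad host\nname', facility: 'daemon', message: 'constructed malformed host' },
  ],
};
const mapped = SAMPLE.events.map(ev => mapHumioEvent(SAMPLE, ev));
console.log(JSON.stringify(mapped, null, 2));
```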