Configuring event pattern processing

You can configure how patterns are derived from related events by editing properties in the generated NOI Shared Configuration properties file.

Before you begin

In Netcool® Operations Insight® 1.4.1.2 and later (corresponding to Netcool/Impact 7.1.0.13 and later) it is recommended to use the Event Analytics Configuration Wizard instead of the ./nci_trigger command to edit properties in the NOI Shared Configuration properties file.

For more information on the relevant section of the wizard, see Configuring event pattern processing.
Note:
  • You should perform this configuration task prior to running any related events configurations that use the global type properties associated with event pattern creation. It is expected that you will perform this configuration task only when something in your environment changes that affects where type information is found in events.
  • Avoid configuring multiple types for the same event. By default, Identifier is used to identify the same events. This can be overridden, but assuming the default, you should setup the type properties so that events identified by the same Identifier only have one type value. For example, if there are 10 events with Identifier=xxx and you want to use a type=ALERTGROUP then the events should have the same ALERTGROUP. If events for the same Identifier have many alert group values, the first one will be picked.

The default NOI Shared Configuration properties file is divided into sections, where each section contains a number of properties that allow you to instruct how Netcool/Impact handles a variety of operations, such as how it should handle event pattern creation. There are three categories of event pattern creation properties defined in the NOI Shared Configuration properties file:

  • Properties related to configuring which table columns in the Historical Event Database that Netcool/Impact should use in performing the event pattern analysis.
  • Properties related to configuring the default unique event identifier and event type in the Historical Event Database that you want Netcool/Impact to use when there is no match in the event type index related properties.
  • Properties related to configuring one or more event identity and event type indexes.
Table 1 describes the event pattern creation properties defined in the NOI Shared Configuration properties file. Use these descriptions to help you configure the values appropriate for your environment.
Table 1. Event pattern creation properties
Global type Description Example
Properties related to configuring table columns in the Historical Event Database

type.resourcelist

Specifies the name of the table column or columns in the Historical Event Database that Netcool/Impact should use in performing the event pattern analysis.

The NOI Shared Configuration properties file that you generate with the nci_trigger command provides the following default value:

type.resourcelist=NODE
Note: You should use the default value, NODE.

type.servername.column

Specifies the name of the table column in the Historical Event Database that contains the name of the server associated with any particular event that arrives in the Historical Event Database.

The NOI Shared Configuration properties file that you generate with the nci_trigger command provides the following default value:

type.servername.column=
SERVERNAME
Note: You should use the default value, SERVERNAME, where possible.

type.serverserial.column

Specifies the name of the table column in the Historical Event Database that contains the server serial number associated with any particular event that arrives in the Historical Event Database. Note that the server serial number should be unique.

The NOI Shared Configuration properties file that you generate with the nci_trigger command provides the following default value:

type.serverserial.column=
SERVERSERIAL
Note: You should use the default value, SERVERSERIAL, where possible.
Properties related to configuring the default unique event identifier and event type in the Historical Event Database

type.default.eventid

This property contains the database field in the Historical Event Database that you want to specify as the default Event Identity. An Event Identity is a database field that identifies a unique event in the Historical Event Database. When you configure a related events configuration, you select database fields for the Event Identity from a drop-down list of available fields. In the User Interface, you perform this from the Advanced tab when you want to override the settings in the configuration file.

Netcool/Impact uses the database field specified in this property as the default Event Identity when there is no match in the value specified in the type.index.eventid property.

Note: The database field specified for this property should not contain a timestamp component.

The NOI Shared Configuration properties file that you generate with the nci_trigger command provides the following default value:

type.default.eventid=
IDENTIFIER

type.default.eventtype

Specifies the default related events type to use when creating an event pattern to generalize.

Netcool/Impact uses this default related events type when there is no match in thetype.index.eventtype property.

Note: You choose the related events type values based on the fields for which you want to create a generalized pattern. For example, if you want to create a pattern and generalize it based on the EVENTID for an event, you would specify that value in this property.

When the related events configuration completes and you create a pattern for generalization, the pattern generalization screen will contain a drop down menu that lists all of the EVENTIDs found in the Historical Event Database. You can then create a pattern/rule that will be applied to all EVENTIDs selected for that pattern. This means that you can expand the definition of the pattern to include all types, not just the types in the Related Events Group.

The NOI Shared Configuration properties file that you generate with the nci_trigger command provides the following default value:

type.default.eventtype=
EVENTID
Properties related to configuring one or more event identity and event type indexes. You should specify values for each of the properties described in this section.
Note: You can delete any of the additional event types by removing the relevant lines from this file. If the type is already being used in one or more analytics configurations then deleting the type will remove it from those configurations, and the default event type will be used. To ensure your analytics results are valid you should rerun the affected analytics configurations.

type_number_of_type_configurations

Specifies the number of types to use in the NOI Shared Configuration properties file for the global type configuration. There is no limit on how many types you can configure.

The following example specifies two types for the global type configuration:

type_number_of_
type_configurations=2

Thus, you would define the other type.index related properties as follows. Note that the index numbering starts with 0 (zero).

type.0.eventid=Identifier
type.0.eventtype=ACMEType
type.0.filterclause=
Vendor='ACME'
type.0.osfilterclause=
Vendor='ACME'
type.0.typename=Vendor = Type0
type.1.eventid=SUMMARY,
NODE
type.1.eventtype=
TAURUSType
type.1.filterclause=
Vendor = 'TAURUS'
type.1.osfilterclause=
Vendor = 'TAURUS'
type.1.typename=Vendor = Type1

type.index.eventid

Specifies the database field in the Historical Event Database that you want to specify as the Event Identity. Multiple fields are separated by commas.

The following shows an example of a database field used as the Event Identity:

type.0.eventid=SUMMARY

The following shows an example of multiple database fields used as the Event Identity:

type.0.eventid=NODE,
SUMMARY, ALERTGROUP

type.index.eventtype

Specifies the event type to return for pattern generalization.

Note: The returned event types display in the event type drop down menu in the pattern generalization screen.

The following example shows an event type to return for pattern generalization:

type.0.eventtype=EVENTID

type.index.filterclause

Specifies an Historical Event Database filter that defines a set of events. For the set of events defined by this filter, the event type will be found in the table column or columns in the type.index.eventtype property.

Note: It is recommended that you create one or more database indexes on the reporter status table for the fields used in the type.index.filterclause to speed up the query.
type.0.filterclause=
Vendor = 'ACME'

type.index.osfilterclause

Specifies an ObjectServer filter to filter matching event types.

Note: The filter that you specify for the type.index.osfilterclause property should be semantically identical to the filter that you specify for the type.index.filterclause property, except for this property you use the ObjectServer syntax.
type.0.osfilterclause=
Vendor = 'ACME'
Draft comment: posnerke@uk.ibm.com
KJP Feb 2020 RTC 69798

type.index.typename

Specifies a user-defined name for this event type. The name should be easily understandable as it will be used later to identify this event type when associating specific event types with an event analytics configuration.
Note: You can rename any of the additional event types by modifying the relevant type.index.typename value. If the type is already being used in one or more analytics configurations then renaming the type will remove it from those configurations. You must then manually add the newly name type to each of the affected analytics configurations. To ensure your analytics results are fully synchronized you must rerun the affected analytics configurations.
type.0.typename=
Type0

About this task

To configure the event pattern creation properties that Netcool/Impact uses for generalization, you must modify the default NOI Shared Configuration properties file in the <Impact_install_location>/bin directory.

Procedure

  1. Log in to the server where IBM® Tivoli® Netcool/Impact is stored and running.
  2. Generate a properties file containing the latest Event Analytics system settings.
    1. Navigate to the directory $IMPACT_HOME/bin.
    2. Run the following command to generate a properties file containing the latest Event Analytics system settings.
      nci_trigger server_name username/password NOI_DefaultValues_Export
       FILENAME directory/filename
      Where:
      • server_name is the name of the server where Event Analytics is installed.
      • user name is the user name of the Event Analytics user.
      • password is the password of the Event Analytics user.
      • NOI_DefaultValues_Export is a Netcool/Impact policy that performs an export of the current Event Analytics system settings to a designated properties file.
      • directory is the directory where the properties file is stored.
      • filename is the name of the properties file.
      For example:
      nci_trigger NCI impactadmin/impactpass NOI_DefaultValues_Export
       FILENAME /tmp/properties.props
  3. Go to the directory where you generated the NOI Shared Configuration properties file and open it for editing.
  4. Create a backup copy of the generated NOI Shared Configuration properties file.
  5. Using the editor of your choice open the generated NOI Shared Configuration properties file for editing.
  6. Using the information about the event pattern creation properties described in Table 1, specify values appropriate to your environment. Remember that the following properties have default values that you should not change:
    • type.resourcelist
    • type.servername.column
    • type.serverserial.column
  7. After specifying appropriate values to the event pattern creation properties, write and then quit the NOI Shared Configuration properties file.
  8. Import the modified properties file into Event Analytics.
    1. Ensure you are in the directory $IMPACT_HOME/bin.
    2. Run the following command to perform an import of Event Analytics system settings from a designated properties file.
      nci_trigger server_name username/password NOI_DefaultValues_Configure
       FILENAME directory/filename
      Where:
      • server_name is the name of the server where Event Analytics is installed.
      • user name is the user name of the Event Analytics user.
      • password is the password of the Event Analytics user.
      • NOI_DefaultValues_Configure is a Netcool/Impact policy that performs an import of Event Analytics system settings from a designated properties file.
      • directory is the directory where the properties file is stored.
      • filename is the name of the properties file.
      For example:
      nci_trigger NCI impactadmin/impactpass NOI_DefaultValues_Configure
       FILENAME /tmp/properties.props

Example

The following example sets the Event Identity, defines a set of events, and finds the type information in the specified table column or columns in the Historical Event Database:

type_number_of_type_configurations=1
type.0.eventid=NODE,SUMMARY,ALERTGROUP
type.0.eventtype=ACMEType
type.0.filterclause=( Vendor = 'ACME' )
type.0.osfilterclause=Vendor = 'ACME'

More specifically, the examples shows that if there is an event and the value for Vendor for that event is ACME, then look in the table column called ACMEType to find the event type.

The following example expands on the previous example by showing two configurations (as indicated by the value 2 in the type_number_of_type_configurations property:

Draft comment: posnerke@uk.ibm.com
KJP Feb 2020 RTC 69798
type_number_of_type_configurations=2
type.0.eventid=NODE
type.0.eventtype=ACMEType
type.0.filterclause=( Vendor = 'ACME' )
type.0.osfilterclause=Vendor = 'ACME'
type.0.typename=Vendor = Type0
type.1.eventid=NODE,SUMMARY,ALERTGROUP
type.1.eventtype=TAURUSType
type.1.filterclause=( Vendor = 'TAURUS' )
type.1.osfilterclause=Vendor = 'TAURUS'
type.1.typename=Vendor = Type1
Note: Netcool/Impact attempts to match each event to the filter defined in configuration 0 first. If the event matches the filter defined in configuration 0, then Netcool/Impact defines the event's type as defined in the filter. If the event does not match the filter defined in configuration 0, Netcool/Impact attempts to match the event to the filter defined in configuration 1. If the event matches the filter defined in configuration 1, then Netcool/Impact defines the event's type as defined in the filter. Netcool/Impact continues this processing sequence for as many configuration types you define.

If no events match the filters defined in the defined configuration types you define, Netcool/Impact uses the default configuration to determine where type and identity are to be found.