Single-event modifier (event-match-single)

Single-event modifier (event-match-single) matches and then modifies exactly one type of event, as specified by the required, case-sensitive EventName parameter.

This entity allows mutation of successful events by changing the device event category, severity, or the method for sending identity events.

When events that match this event name are parsed, the device category, severity, and identity properties are imposed upon the resulting event.

You must set an event-name attribute, and its value must match the value of the EventName field. In addition, an event-match-single entity accepts these optional properties:

Table 1. Description of single-event parameters
Parameter Description

device-event-category

A new category for searching for a QID for the event. This parameter is an optimizing parameter because some devices have the same category for all events.

severity

The severity of the event. This parameter must be an integer value 1 - 10.

If a severity of less than 1 or greater than 10 is specified, the system defaults to 5.

If not specified, the default is whatever is found in the QID.

send-identity

Specifies the sending of identity change information from the event. Choose one of the following options:

  • UseDSMResults: If the DSM returns an identity event, the event is passed on. If the DSM does not return an identity event, the extension does not create or modify the identity information.

    This option is the default value if no value is specified.

  • SendIfAbsent: If the DSM creates identity information, the identity event is passed through unaffected. If no identity event is produced by the DSM, but there is enough information in the event to create an identity event, an event is generated with all the relevant fields set.
  • OverrideAndAlwaysSend: Ignores any identity event that is returned by the DSM and creates a new identity event, if there is enough information.
  • OverrideAndNeverSend: Suppresses any identity information that is returned by the DSM. Suggested option unless you are processing events that you want to go into asset updates.
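
The following check is an added example, not part of the original documentation or the product. It reads event-match-single entries and reports the values that take effect under the rules in Table 1. The wrapper element, the sample entries, and the function names are constructed for illustration, and rejecting a non-integer severity is this check's own choice.

```python
import xml.etree.ElementTree as ET

SEND_IDENTITY = {"UseDSMResults", "SendIfAbsent",
                 "OverrideAndAlwaysSend", "OverrideAndNeverSend"}

# Constructed sample; <extension-fragment> is a placeholder wrapper element.
SAMPLE = """
<extension-fragment>
  <event-match-single event-name="Successfully logged in"
      device-event-category="User Login Attempt" severity="4"
      send-identity="OverrideAndNeverSend" />
  <event-match-single event-name="Login failed" severity="12" />
  <event-match-single severity="3" send-identity="SendIfAbsent" />
</extension-fragment>
"""

def resolve(xml_text):
    """Return (effective rules, problems) for every event-match-single."""
    rules, problems = [], []
    for i, el in enumerate(ET.fromstring(xml_text).iter("event-match-single"), 1):
        name = el.get("event-name")
        if not name:
            problems.append(f"entry {i}: required event-name is missing")
            continue
        ident = el.get("send-identity", "UseDSMResults")  # documented default
        if ident not in SEND_IDENTITY:
            problems.append(f"{name}: unknown send-identity {ident!r}")
            continue
        raw, severity = el.get("severity"), None  # None: taken from the QID
        if raw is not None:
            try:
                severity = int(raw)
            except ValueError:  # this check's choice: reject non-integers
                problems.append(f"{name}: severity {raw!r} is not an integer")
                continue
            if not 1 <= severity <= 10:
                problems.append(f"{name}: severity {raw!r} falls back to 5")
                severity = 5
        rules.append({"event-name": name, "severity": severity,
                      "send-identity": ident,
                      "device-event-category": el.get("device-event-category")})
    return rules, problems

def rule_for(rules, event_name):
    """EventName matching is case-sensitive, so compare exactly."""
    return next((r for r in rules if r["event-name"] == event_name), None)

if __name__ == "__main__":
    print(resolve(SAMPLE))
```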