You can change event data using the enrich action in the event policy. Changing specific
information provided by events can help address issues more efficiently in some
scenarios.
About this task
For example, you might not always have control over the severity level of the events generated by
the monitoring tool. In some cases you might want to change the actual severity of the problem.
You could have a monitoring tool that generates a warning event when high CPU usage is detected.
The event has a severity level of Major. You cannot change how the monitoring tool sets the
severity. However, you might want the severity for such issues to be increased to Critical to ensure
that the underlying issue receives the right attention before it causes other problems. Using the
enrich action, you can set up an event policy that changes the severity of such events to
Critical.
To set up this policy:
Procedure
- Click Policies on the IBM® Cloud App Management Administration page.
- Click Create event policy.
- Go to Details and enter a name in Policy name, for example, Change severity for high CPU usage events. You can also add an explanation of the policy in Description to help you and others understand the purpose of the policy, for example, Change severity level for high CPU events to critical to ensure they receive prompt attention.
- Click Specify conditions in Events, and set the following conditions:
  - Set Condition 1 as follows: select Sender type from the list of attributes, select is from the list of operators, and enter the name of the monitoring tool in the field, for example, Datadog.
    Tip: If you have more than one instance set up for the same monitoring tool, and you only want to enrich events from one of them, you can use the Sender display name instead. The Sender display name value is mapped to the name provided in the IBM Cloud App Management UI when setting up the integration with the event source.
    Note: This is an example. The attribute values depend on your event source. When creating similar policies, check the values from your events to ensure you set the correct value.
  - Ensure you have AND set and click Add condition.
  - Set Condition 2 as follows: select Event Type from the list of attributes, select is from the list of operators, and enter CPU_HIGH in the field.
    Note: This is an example. The attribute values depend on your event source. When creating similar policies, check the values from your events to ensure you set the correct value.
  - Ensure you have AND set again and click Add condition.
  - Set Condition 3 as follows: select Severity from the list of attributes, select is from the list of operators, and select Major.
- Optional: When selecting Specify conditions, you can check to see how many events would have matched the conditions you set. Go to the end of the Events section, select the number of days between 1 and 30, and click Test. The result shows how many events would have matched the policy conditions. Click Show results to view a list of all the events that would have matched the conditions in the set time. Click New test to change the time frame for testing, or if you changed conditions and want to check again for matching events.
  Note: If your event policy enriches fields used by the conditions of your policy, you might not find any matching events after the policy is enabled and applied.
- Select the Enrich check box in Action, and expand the section.
- Select Severity from the list of attributes, and then Critical from the Select severity list.
- Set Enable to On to start using the policy. The policy might take up to 30 seconds to become active and its settings to take effect.
- Click Save.
Results
When events match the set conditions, the severity value is changed to Critical.
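
The policy from this procedure, and the note about enriching a field that is also used as a condition, modelled locally in Python as an added example (this is not IBM Cloud App Management code or its API). The EventPolicy class, the dictionary event layout and the sample events are constructed for illustration, and the model assumes that Test evaluates the conditions against events as they are stored after enrichment.

```python
# Local model of the event policy described above; not product code or a product API.
# Event layout and sample events are constructed for illustration.
from dataclasses import dataclass


@dataclass
class EventPolicy:
    name: str
    conditions: dict   # attribute -> required value ("is" operator), joined with AND
    enrich: dict       # attribute -> value written by the enrich action
    enabled: bool = True

    def matches(self, event: dict) -> bool:
        return all(event.get(a) == want for a, want in self.conditions.items())

    def apply(self, event: dict) -> dict:
        # Return an enriched copy only when the policy is enabled and matches.
        if self.enabled and self.matches(event):
            return {**event, **self.enrich}
        return dict(event)

    def self_masking_fields(self) -> list:
        # Fields that are both a condition and an enrich target with a new value:
        # once enriched, the stored event no longer satisfies the conditions.
        return sorted(a for a, v in self.enrich.items()
                      if a in self.conditions and self.conditions[a] != v)

    def test(self, events) -> int:
        # Assumption: counts matches against events as currently stored.
        return sum(self.matches(e) for e in events)


POLICY = EventPolicy(
    name="Change severity for high CPU usage events",
    conditions={"Sender type": "Datadog", "Event Type": "CPU_HIGH", "Severity": "Major"},
    enrich={"Severity": "Critical"},
)

SAMPLE_EVENTS = [  # constructed sample events
    {"Sender type": "Datadog", "Event Type": "CPU_HIGH", "Severity": "Major"},
    {"Sender type": "Datadog", "Event Type": "CPU_HIGH", "Severity": "Minor"},
    {"Sender type": "Datadog", "Event Type": "DISK_FULL", "Severity": "Major"},
    {"Sender type": "OtherTool", "Event Type": "CPU_HIGH", "Severity": "Major"},
]


def run_demo():
    before = POLICY.test(SAMPLE_EVENTS)                 # test before enabling
    stored = [POLICY.apply(e) for e in SAMPLE_EVENTS]   # policy enabled and applied
    after = POLICY.test(stored)                         # same test afterwards
    return before, after, POLICY.self_masking_fields(), stored


if __name__ == "__main__":
    print(run_demo()[:3])
```

A non-empty self_masking_fields() result before enabling a policy indicates that a later Test count of zero is expected and does not mean the policy stopped working.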