Example: Changing event information through enrichment

You can change event data using the enrich action in the event policy. Changing specific information provided by events can help address issues more efficiently in some scenarios.

About this task

For example, you might not always have control over the severity level of the events generated by the monitoring tool. In some cases you might want to change the actual severity of the problem.

You could have a monitoring tool that generates a warning event when high CPU usage is detected. The event has a severity level of Major. You cannot change how the monitoring tool sets the severity. However, you might want the severity for such issues to be increased to Critical to ensure that the underlying issue receives the right attention before it causes other problems. Using the enrich action, you can set up an event policy that changes the severity of such events to Critical.

To set up this policy:

Procedure

  1. Click Policies on the IBM® Cloud App Management Administration page.
  2. Click Create event policy.
  3. Go to Details and enter a name in Policy name, for example, Change severity for high CPU usage events. You can also add an explanation of the policy in Description to help you and others understand the purpose of the policy, for example, Change severity level for high CPU events to critical to ensure they receive prompt attention.
  4. Click Specify conditions in Events, and set the following conditions:
    1. Set Condition 1 as follows: select Sender type from the list of attributes, select is from the list of operators, and enter the name of the monitoring tool in the field, for example, Datadog.
      Tip: If you have more than one instance set up for the same monitoring tool, and you only want to enrich events from one of them, you can use the Sender display name instead. The Sender display name value is mapped to the name provided in the IBM Cloud App Management UI when setting up the integration with the event source.
      Note: This is an example. The attribute values depend on your event source. When creating similar policies, check the values from your events to ensure you set the correct value.
    2. Ensure you have AND set and click Add condition.
    3. Set Condition 2 as follows: select Event Type from the list of attributes, select is from the list of operators, and enter CPU_HIGH in the field.
      Note: This is an example. The attribute values depend on your event source. When creating similar policies, check the values from your events to ensure you set the correct value.
    4. Ensure you have AND set again and click Add condition.
    5. Set Condition 3 as follows: select Severity from the list of attributes, select is from the list of operators, and select Major.
  5. Optional: When selecting Specify conditions, you can check to see how many events would have matched the conditions you set. Go to the end of the Events section, select the number of days between 1 and 30, and click Test. The result shows how many events would have matched the policy conditions.
    Click Show results to view a list of all the events that would have matched the conditions in the set time. Click New test to change the time frame for testing, or if you changed conditions and want to check again for matching events.
    Note: If your event policy enriches fields used by the conditions of your policy, you might not find any matching events after the policy is enabled and applied.
  6. Select the Enrich check box in Action, and expand the section.
  7. Select Severity from the list of attributes, and then Critical from the Select severity list.
  8. Set Enable to On to start using the policy. It might take up to 30 seconds for the policy to become active and for its settings to take effect.
  9. Click Save.

Results

When events match the set conditions, the severity value is changed to Critical.
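
The following Python sketch is an added example, not IBM Cloud App Management code. It models the three conditions and the enrich action from this procedure, and shows why a test finds no matches once the policy rewrites Severity, a field its own conditions use. The field names, the sample events, the audit record, and the assumption that tests run against events stored after enrichment are all made up for the illustration.

```python
# Added illustration: a small model of the policy, not IBM Cloud App Management code.
# Field names (sender_type, event_type, severity) are assumed for this sketch.
POLICY = {
    "name": "Change severity for high CPU usage events",
    "conditions": [  # all joined with AND, operator "is"
        ("sender_type", "Datadog"),
        ("event_type", "CPU_HIGH"),
        ("severity", "Major"),
    ],
    "enrich": {"severity": "Critical"},
}

def matches(policy, event):
    """True only if every condition attribute equals its expected value."""
    return all(event.get(attr) == value for attr, value in policy["conditions"])

def apply_policy(policy, event):
    """Return (event, audit); a matching event is copied and enriched."""
    if not matches(policy, event):
        return event, None
    enriched = dict(event)
    audit = {"policy": policy["name"], "event_id": event["id"], "changed": {}}
    for attr, new in policy["enrich"].items():
        audit["changed"][attr] = (event.get(attr), new)  # keep the original value
        enriched[attr] = new
    return enriched, audit

def count_matches(policy, stored_events):
    """Model of the Test step: count stored events that meet the conditions."""
    return sum(matches(policy, e) for e in stored_events)

# Constructed sample events.
INCOMING = [
    {"id": 1, "sender_type": "Datadog", "event_type": "CPU_HIGH", "severity": "Major"},
    {"id": 2, "sender_type": "Datadog", "event_type": "CPU_HIGH", "severity": "Minor"},
    {"id": 3, "sender_type": "OtherTool", "event_type": "CPU_HIGH", "severity": "Major"},
    {"id": 4, "sender_type": "Datadog", "event_type": "DISK_FULL", "severity": "Major"},
]

def run():
    before = count_matches(POLICY, INCOMING)  # test before the policy is enabled
    results = [apply_policy(POLICY, e) for e in INCOMING]
    stored = [ev for ev, _ in results]        # events as stored once it is enabled
    audits = [a for _, a in results if a]
    after = count_matches(POLICY, stored)     # same test after enrichment
    return before, after, stored, audits

if __name__ == "__main__":
    print(run()[:2])
```

Only event 1 meets all three conditions, so it alone is raised to Critical; the audit entry keeps the original Major value so the change remains traceable.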