Example: Enriching event information using lookup tables

Lookup tables use information in your events to determine how to add other fields from external data sources such as CSV files. Event policies can contain multiple lookup tables. Some event fields have more options than others. For instance, you can only replace the attribute Hostname, while you can prepend, append, and replace the attribute Summary.

About this task

A basic example would be using the lookup table that we created in Creating lookup tables with application names and a summary update to add summary information to an event. You might have a monitoring tool that sends event data about the applications, but it's not immediately clear which application is affected. Using the enrich action and lookup capability, you can add more detail to the summary, making it more helpful in understanding the issue at a glance.

Let's examine how this lookup table is applied in the following policy example. In Figure 1, the value of the event attribute Application (seen in Figure 4) is compared with the value in the column applicationname in Figure 1. If a match is found, in this case in row 3 (highlighted in red), then the value in the summaryupdate column of row 3 is appended to the event summary, as shown in Figure 2.

Figure 1. Example lookup table criteria

When events match the conditions, the attributes will be modified as specified by the lookup criteria and, in this case, appended to the field.

Figure 2. Enrich via lookup

In this example, the summary information -Payroll Application Affected is appended to the summary description field for events related to the Payroll Application.

Figure 3. Resulting enriched event

Figure 4. Resource affected

Procedure

  1. Click Policies on the Cloud Event Management Administration page.
  2. Click Create event policy.
  3. Go to Details and enter a name in Policy name. You can also add an explanation of the policy in Description to help you and others understand the purpose of the policy.
  4. In Events, click All events or click Specify conditions to configure what conditions the events have to meet before the enrichment is applied to them.
  5. Select the Enrich check box under Action.
  6. In the first field, select the event attribute that you are enriching from the list of available attributes.
  7. In the second field, click the drop-down arrow and select lookup.
  8. Click Select lookup criteria and use the drop-down lists to select a value for each field displayed:
    Using table
    Select an existing lookup table from the list available. For more information, see Creating lookup tables.
    Enrich [the target fieldname] from column
    The column that will supply the value to enrich the event attribute when the matches column's row value is the same as the specified event attribute.
    Where event attribute
    The event attribute used to search the table key field (or the matches column).
    matches column
    The column that will be compared with the event attribute to determine the enrichment value from the Enrich from column.
  9. Click Apply.
  10. Set Enable to On to start using the policy. It might take up to 30 seconds for the policy to become active and for its settings to take effect.
  11. Click Save.

Results

When events match the set conditions, the event information will be enriched with the correlated values from the lookup table, as specified by the lookup criteria.
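
The lookup criteria from step 8, modelled as an added Python sketch (not Cloud Event Management code and not part of the original page) so the match-then-enrich behaviour can be checked against a table before a policy is enabled. The table rows, the sample event, the function names, exact case-sensitive matching, and first-row-wins on duplicate keys are all assumptions of this sketch.

```python
import csv
import io

# Constructed sample table; column names follow the page's example.
LOOKUP_CSV = (
    "applicationname,summaryupdate\n"
    "Billing,-Billing Application Affected\n"
    "Inventory,-Inventory Application Affected\n"
    "Payroll,-Payroll Application Affected\n"
)

# Operations per attribute as stated on the page; treating any other
# attribute as replace-only is an assumption of this sketch.
ALLOWED_MODES = {
    "Hostname": {"replace"},
    "Summary": {"prepend", "append", "replace"},
}


def load_lookup(csv_text, matches_column, enrich_from_column):
    """Index the 'Enrich from column' values by the 'matches column' key."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumption: on duplicate keys the first row wins.
        table.setdefault(row[matches_column], row[enrich_from_column])
    return table


def enrich(event, table, target, where_attribute, mode):
    """Return a copy of the event with `target` enriched from the lookup table."""
    if mode not in ALLOWED_MODES.get(target, {"replace"}):
        raise ValueError(f"{mode} is not available for attribute {target}")
    # Assumption: exact, case-sensitive comparison against the key column.
    value = table.get(event.get(where_attribute))
    if value is None:
        return dict(event)  # no matching row: event is left unchanged
    current = event.get(target, "")
    combined = {"prepend": value + current,
                "append": current + value,
                "replace": value}[mode]
    return {**event, target: combined}


TABLE = load_lookup(LOOKUP_CSV, "applicationname", "summaryupdate")
# Constructed sample event.
EVENT = {"Application": "Payroll", "Hostname": "host01",
         "Summary": "Response time threshold exceeded"}
print(enrich(EVENT, TABLE, "Summary", "Application", "append")["Summary"])
```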