Setting up event policies

You can set up event policies to handle a set of events in a specified way. You can determine what events you want the policy to apply to, and select one or more actions to take on those events. For example, you could choose actions to suppress events or to assign runbooks to events.

About this task

To create an event policy:

Procedure

  1. Click Policies on the IBM® Cloud App Management Administration page.
  2. Click Create event policy.
  3. Enter a name and a description for the policy in Details.
  4. Specify what events you want the policy to apply to in Events. You can specify to have all events considered for the policy actions by clicking All events, or you can configure what conditions the events have to meet before the actions are applied to them by clicking Specify conditions.
    Tip: When selecting Specify conditions, you can join multiple conditions using the AND and OR operators. You can also use the example conditions provided by clicking Use example. To view the examples, expand Information and examples > Show examples. In addition, you can select from a list of predefined conditions to use by clicking Add predefined condition.
  5. Optional: When selecting Specify conditions, you can check to see how many events would have matched the conditions you set. Go to the end of the Events section, select the number of days between 1 and 30, and click Test. The result shows how many events would have matched the policy conditions.
    Click Show results to view a list of all the events that would have matched the conditions in the set time. Click New test to change the time frame for testing, or if you changed conditions and want to check again for matching events.
    Note: If your event policy enriches fields used by the conditions of your policy, you might not find any matching events after the policy is enabled and applied.
  6. Go to the Action section, and set what actions you want the policy to take against the events.
    • Enrich: Change existing event information or add new information to the event.
      Tip: Event enrichment can be used to correlate events into incidents. See the example scenario later.
    • Suppress: Set whether all events specified in the previous step are suppressed, or only when a specified number of them occur within a set time frame. Suppressing events stops them from forming an incident or becoming part of existing incidents.
    • Assign runbooks: Specify which runbooks are available to run against the specified events.
      Important: To assign runbooks, ensure you have runbooks that are published to make them available to event policies. For more information, see Managing runbooks.

      Runbooks can be run manually or automatically. When assigning manual runbooks, you can set whether you want parameter values for the runbook to be taken from the event, entered manually, or specified at runtime. Automatic runbooks contain only automated steps, and you must select the Automatically run this runbook check box when assigning the runbook to events in the event policy. Automatic runbooks can take parameter values only from the events or from values that you provide when setting up the policy. Ensure you select From event or Manual input for the parameter settings, and set the appropriate values.

    • Detect flapping: Mark events that close and reopen rapidly as flapping events. Flapping events point to recurring problems, and are noted in the incident Events tab with the Event is flapping icon (down and up arrows) to highlight the condition. When an incident contains flapping events, it cannot be resolved automatically until the events stop flapping, even if all other events that form part of the incident are cleared. This is to ensure that the root cause of any flapping event is investigated and rectified before the incident can be declared as resolved. If a user tries to manually set an incident with flapping events to resolved, they are warned that flapping events might cause the incident to reopen.
      Tip: Cloud Event Management provides a built-in event policy called Global flapping detection to identify flapping events. The policy detects events that clear and reopen 4 or more times in an hour, and marks them as flapping. If these events stop changing states for more than 30 minutes, they are no longer considered to be flapping. This policy applies to all events and is enabled by default. To view this policy, go to the Cloud Event Management Administration page, click Policies, and ensure you are on the Event policy tab. Look for Global flapping detection in the list of event policies. You can use the built-in flapping policy to detect flapping events, or set up your own as described in the example scenario later.
    • Forward events: The event will not create an incident in Cloud Event Management, but instead will be forwarded to the specified integration. Note, when event forwarding is enabled, Suppress, Assign runbook, and Detect flapping actions will not be applied to the event.

    See the scenarios later for examples of using these actions to set up different policies against events.

  7. Set Enable to On to start using the policy. The policy might take up to 30 seconds to become active and its settings to take effect.
  8. Click Save. You are returned to the list of event policies.
  9. You can set the order in which your policies are applied. Using the overflow menu, you can move any selected policy up or down the list, or move it to the top or bottom. The numbering determines the ranking with 1 being the highest priority.
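
The thresholds of the built-in Global flapping detection policy described in step 6 (4 or more clear-and-reopen cycles in an hour, cleared after more than 30 minutes without a state change) can be modeled offline to see which events they would flag. The following is an added example, not code from the product; the function names, the (timestamp, state) input format, the sliding-window counting, and the sample data are assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Thresholds taken from the Global flapping detection description above.
REOPEN_THRESHOLD = 4                  # clear-and-reopen cycles ...
WINDOW = timedelta(hours=1)           # ... within one hour
QUIET_PERIOD = timedelta(minutes=30)  # no state change for longer than this


def is_flapping(changes, now):
    """Return True if the event counts as flapping at time `now`.

    `changes` is a time-ordered list of (timestamp, state) tuples with
    state "open" or "clear". Assumption: each clear followed by an open
    is one cycle, counted over a sliding one-hour window.
    """
    reopens = deque()  # timestamps of reopen transitions inside the window
    flapping = False
    prev_state = prev_time = None
    for ts, state in changes:
        if ts > now:
            break
        # A gap longer than the quiet period ends the flapping state;
        # assumption: counting then starts afresh.
        if flapping and ts - prev_time > QUIET_PERIOD:
            flapping = False
            reopens.clear()
        if state == "open" and prev_state == "clear":
            reopens.append(ts)
        while reopens and ts - reopens[0] > WINDOW:
            reopens.popleft()
        if len(reopens) >= REOPEN_THRESHOLD:
            flapping = True
        prev_state, prev_time = state, ts
    if flapping and now - prev_time > QUIET_PERIOD:
        flapping = False
    return flapping


def sample_changes(start, step_minutes, count):
    """Constructed sample data: an event alternating open/clear."""
    return [(start + timedelta(minutes=step_minutes * i),
             "open" if i % 2 == 0 else "clear") for i in range(count)]


T0 = datetime(2024, 1, 1, 10, 0)   # constructed start time
FAST = sample_changes(T0, 5, 10)   # toggles every 5 minutes, 10:00-10:45
SLOW = sample_changes(T0, 20, 10)  # toggles every 20 minutes
```

In the constructed FAST sample the fourth reopen lands at 10:40, so the event is flapping from then until more than 30 minutes after its last change at 10:45; the SLOW sample never reaches four cycles inside one hour.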