DX Unified Infrastructure Management


 alarm_enrichment lookup_by_alarm_field valid fields

Brian Rudden posted May 04, 2021 02:44 PM
I am setting up alarm_enrichment to pull data from both the UIM database, as well as from an external CMDB.

For remote monitoring (like pinging servers with net_connect), using 'lookup_by_alarm_field = robot' is enriching based on the robot doing the monitoring, rather than the host being monitored.

In the alarm_enrichment rules, I changed 'lookup_by_alarm_field = robot' to 'lookup_by_alarm_field = hostname', but now alarms are not being enriched at all (I have also tried source).

Are hostname and/or source valid lookup fields in the lookup_by_alarm_field key?
Keith Kruepke
There is no hostname field in the alarm messages as they cross the message bus. That field is added to alarms in the NAS when they are created from incoming messages. Because the alarm_enrichment probe gets the messages before the NAS processes them, it should not be able to use the hostname field. You can use the source field in enrichment, but keep in mind that there can be 2 different source fields in the alarm message--one within the message contents (subfield of udata field) and one in the message header/envelope. The source field within the message is optional, but I am fairly certain it should be there for alarms from the net_connect probe.

This may make a lot more sense if you can take a look at some of the alarm messages with DrNimBUS. :-)