Ever get an alarm condition and wish you could related a bit more information to make better decisions on the outcome so that you could automate the outcome more accurately. I have done many of them that I use everyday and they provide very powerful key missing steps after an alarm is created and before a CASD ticket is created from the alarm results. I have created a step by step guide to building a CA SOI Alarm Enrichment. It was tested on 3.1 SP3 but it may work on newer releases. It is based on a hypothetical dilemma to provide you with the steps necessary to create an alarm enrichment.
Happy enriching...
I am still ruining SOI 3.1 so I don't think that is in there but that is great news and really exciting. I am building a new 3.3 environment right now and I'm gonna check that out.
I don't believe you can ever change the original message of an alarm.
You can:
Use and Event Policy with Enrich Event, and then select "map only" as Type.
Following is a quick way for enriching the Alert User Attribute 10 with the Service name:
- Create an Alert Queue for every Service that is related to a client
- Create an Escalation policy with Update Alert, and map the $[Queue Name] variable to the User Attribute 10.
If an Alert is in multiple queues, all the names will appear in the User Attribute as a comma separated list.
This solution should only be used in an environment with a low amount of Services to avoid a high amount of Alert Queues (which can cause Performance impacts).
To achieve the same without Alert Queues requires an Event Enrichment that executes a complex query in the DB, because the name of the impacted Service(s) is not an attribute of the Alert.
There is an AlertImpact table (crossreference is the AlertID) containing lines with references to every number of an impacted ServiceCIs, which you then have to look up again to figure out the name.
I don't believe you can ever change the original message of an alarm. You can use enrichments, escalation policies and actions to make changes to the user attributes. Here are a few ideas for you.
1. If you create tickets using a help desk toll you can format your own message using what has been written into the user attributes. So I do this all of the time to make them more user understandable. I may have 5 user attributes and I will stich them together in the details of the help desk ticket.
2. You could create an action that generates a new alarm with the message detail containing the text you want then clear the alarm. this is ugly and could require a variety of steps to accomplish but you may get the desired outcome.
3. I will employ an intermediary (Spectrum, UIM, etc.) to massage the message before it gets to SOI to that I can do the prework because once its in SOI you get what you get.
Wow great example and document. How or what would you suggest for the following use case that I am facing. We have an integration with SOI our ticketing system. We are an MSP and we are creating services for each client. Any alert that gets created within that particular client service, we want to open a SD ticket. The issue is that each client in our ticketing system correlates to a specific #. So for example
Clinet1, 21
Client2, 5361
Client3, 4699
etc..
For the Action that opens the ticket, I have to pass it certain required parameters. One of them being the specific ClientID#. If we want the ticket opened on that clients board we have to specify their specific #.
The tedious way would be for me to creating a policy and specific action for each and every client service.
Using the Enrichment Policy, can I use this feature to populate all alerts that part are originating from w/in this service, with the ClientID# into column UserAttribute10 = ### {Client #}. How would I go about doing this?
Is there any way for an alert to extract the Service that it's part of and pass that info to a the alerts UA10 column after it's done a lookup on the Service Name and compares it against a list of the Clients and their unique Client#?
Client1_Service
Box1_CI
Question: Box1_Generates and alert. Can Actions that are applied at the service level, in SOI v3.3, write into the alert attributes {UA10} with the CI UserAttribute # value? Meaning when I create Client1_Service, if I populate its CIUserAttribue1 Property with the ClientID#, can that then be written to the alert?
Or how would you suggest going about doing this?
Hi Cooney
I am also trying to enrich event using event policy but getting following error: Error parsing returned paired list. it has only one entries.
can you help me what i am returning is using vbs : wscript.echo "retval, Live"
and using $retval to poluplate userattribute1 .
can you hlep me on this
Nice document Dan.
We've built out similar enrichment to pass "troubleshooting" information to specific alerts and store it in one of the User Attribute fields. The NOC and/or support teams can then use the info when investigating. It also involves a batch file, a perl file, and a CSV for alert lookups.... as well as SOI event policies to call the scripts. If anyone's interested in this feel free to reach out and I'll provide some documentation.