Alert Enrichment

How it Works, Viewing Enriched Attributes


Last updated 3 years ago

Overview

Raw alert data carries very limited information, often only an id, severity, message/description, rule name and asset IP address/host name. It does not provide enough service context (application or service name, environment, machine type, etc.) or supportability context (NOC id, site id, department, support group, etc.), which are essential data for efficient alert correlation. OIA performs automated alert data enrichment using a combination of the following approaches:

  • ACE (Automated Context Extraction): This method extracts useful information such as IP address, DNS name and other identifiable attributes from the source alert's payload. It requires no external integration; however, in the majority of scenarios it is not sufficient on its own for alert correlation.

  • External source lookup: This process looks up information related to incoming alerts in an external data source (e.g. a CMDB or inventory system, a CSV file, etc.) and adds it as enriched alert attributes. Enriched attributes present more contextual information to the IT Operations user and are also used to correlate alerts.

The flow below illustrates the stages of alert processing: ingestion, alert attribute mapping, alert enrichment, correlation/suppression and persistence into the system's database.

Alert attributes enrichment pipelines

An alert enrichment pipeline has two configuration blocks.

  1. Query an external datasource (such as a CMDB, Nagios, vROps, etc.) and save the enriched attributes into a dataset (a CSV-style table).

  2. Define one or more condition (filter) rules for the lookup: take one or more attributes from the alert's payload (e.g. assetname / assetipaddress) and query additional attributes for a matching record from the saved dataset of the external datasource.

Below are a few key alert attributes that can be used to look up enrichment attributes in the saved dataset created from the external datasource integration.

  • assetName

  • assetIpAddress

  • componentName

The screen below shows a sample enrichment pipeline that extracts additional attributes from the 'Nagios' monitoring tool and configures the system to use them as part of the alert enrichment process.

Enrichment conditions / filters examples:

In the example below, the saved dataset is from VMware vROps, i.e. vrops-resource-properties.

As a condition rule, multiple attributes are used to look up enriched attributes from the saved dataset above.

Condition-1: identifier == '$assetId' ('identifier' is a column within the saved dataset from vROps; $assetId is the alert attribute that was mapped from the source alert using the alert mapping process). Checks whether the 'assetId' attribute from the alert payload matches 'identifier' within the saved dataset.

Condition-2: vmw_name == '$assetName' ('vmw_name' is a column within the saved dataset from vROps; $assetName is the alert attribute that was mapped from the source alert using the alert mapping process). Checks whether the 'assetName' attribute from the alert payload matches 'vmw_name' within the saved dataset.

Condition-3: vmw_guest_ipaddress == '$assetIpAddress' ('vmw_guest_ipaddress' is a column within the saved dataset from vROps; $assetIpAddress is the alert attribute that was mapped from the source alert using the alert mapping process). Checks whether the 'assetIpAddress' attribute from the alert payload matches 'vmw_guest_ipaddress' within the saved dataset.

enrichcolumns: vmw_name, vmw_parent_vcenter, vmw_powerstate, vmw_accessible_status

When no enrich columns are specified, all columns whose values are not null or empty are fetched as enriched attributes.

Condition operator for all of the above conditions: OR (meaning enriched attributes are extracted if any of the conditions finds a matching record within the saved dataset from vROps).

- query: datasetname = 'vrops-resource-properties' & condition = "(identifier == '$assetId' or vmw_name == '$assetName' or vmw_guest_ipaddress == '$assetIpAddress')" & enrichcolumns = 'vmw_name,vmw_parent_vcenter,vmw_powerstate,vmw_accessible_status'

Below are some of the supported operators that can be used in conditions when querying the saved dataset of an external source.

  • == (equals)

  • != (not equals)

  • or

  • and
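The following Python is an added example, not code from this documentation or from the cfxOIA product: it models the second configuration block described above, with a saved dataset, a condition in the operator syntax just listed (==, !=, or, and, parentheses), '$attr' references resolved from the alert payload, and the enrichcolumns rule including the "no enrich columns given" case. The dataset rows and the alert values are constructed for illustration; how the product itself parses conditions is not shown on this page. Note that payload values are compared as data rather than spliced into the condition text, so a crafted alert value cannot change the lookup logic.

```python
import csv
import re
DATASET = list(csv.DictReader("""\
identifier,vmw_name,vmw_guest_ipaddress,vmw_parent_vcenter,vmw_powerstate,vmw_accessible_status
vm-101,web-01,10.0.0.11,vc-east,poweredOn,accessible
vm-102,db-01,10.0.0.12,vc-east,poweredOff,
""".splitlines()))  # constructed sample of a saved dataset (CSV-style table), not real vROps output
TOKEN = re.compile(r"\s*(?:(\()|(\))|(==|!=)|(or|and)\b|'([^']*)'|([A-Za-z_]\w*))")
def tokenize(cond):
    pos, out = 0, []
    while pos < len(cond.rstrip()):  # consume strictly left to right; anything unrecognised is an error
        m = TOKEN.match(cond, pos)
        if not m:
            raise ValueError("unsupported syntax near %r" % cond[pos:pos + 10])
        out.append((("lp", "rp", "op", "bool", "str", "ident")[m.lastindex - 1], m.group(m.lastindex)))
        pos = m.end()
    return out
def _expr(tok, i, row, alert):  # expr := term ('or' term)*
    val, i = _term(tok, i, row, alert)
    while i < len(tok) and tok[i] == ("bool", "or"):
        rhs, i = _term(tok, i + 1, row, alert)
        val = val or rhs
    return val, i
def _term(tok, i, row, alert):  # term := factor ('and' factor)*
    val, i = _factor(tok, i, row, alert)
    while i < len(tok) and tok[i] == ("bool", "and"):
        rhs, i = _factor(tok, i + 1, row, alert)
        val = val and rhs
    return val, i
def _factor(tok, i, row, alert):  # factor := '(' expr ')' | column op 'value'
    if tok[i][0] == "lp":
        val, i = _expr(tok, i + 1, row, alert)
        if i >= len(tok) or tok[i][0] != "rp":
            raise ValueError("missing ')'")
        return val, i + 1
    (_, col), (_, op), (_, lit) = tok[i:i + 3]
    # '$name' is read from the alert payload as data, never spliced into the expression; unmapped never matches
    want = alert.get(lit[1:]) if lit.startswith("$") else lit
    return want is not None and (row.get(col, "") == want) == (op == "=="), i + 3

def enrich(alert, dataset, condition, enrichcolumns=None):
    tok = tokenize(condition)
    for row in dataset:  # first matching record wins
        ok, end = _expr(tok, 0, row, alert)
        if end != len(tok):
            raise ValueError("unexpected token %r" % (tok[end],))
        if ok:  # no enrichcolumns given: return every column holding a non-empty value
            cols = enrichcolumns or [c for c, v in row.items() if v not in (None, "")]
            return {c: row[c] for c in cols if c in row}
    return {}
```

Calling enrich with the page's vROps condition and an alert whose assetName is db-01 returns the four enrichcolumns for the vm-102 row; with enrichcolumns omitted, the same lookup returns every non-empty column of that row.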

Viewing Alert's enriched attributes

Alert enrichment provides additional context to alerts for effective correlation. Users can view enriched attributes by selecting 'View Enriched Attributes' from the alert's context menu, as shown.

The alert's payload attributes should be CFX alert attributes that were mapped using the alert mapping configuration. For more information, refer to Alert Mappings.

Any attribute prefixed with $ represents a mapped attribute of the alert payload. For more information, refer to Alert Mappings.