
Use case walkthrough: Event data normalization

This video steps through a use case for setting up custom event processing and normalizing events in APEX AIOps Incident Management.

*Please note Moogsoft is now part of Dell's IT Operations solution called APEX AIOps, and changed its name to APEX AIOps Incident Management. The UI may differ slightly but the content covered is still relevant.

After watching this video, you will be able to create a workflow to process events. Specifically, you can explain the use of workflows in Incident Management and set up an event workflow to normalize event data.


Workflow Engine lets you create and add additional processing to your Incident Management workflow.


Let’s use an example and actually build a workflow.  

Suppose you are a SaaS company and you are planning to cluster alerts by location and customer. However, your source event data looks like this. The host part of the FQDN has your customer names, and the domain is the location.

So, with the first action in this workflow, we will split the source field value and map it to the customer and location fields.


Also, some of your events are from QA servers, and we don’t want our users to pay attention to them.  So as the second action in this workflow, we are going to add an environment label so we can exclude those events from the clustering process.


Finally, we have two support levels: silver and gold. In order to prioritize the gold level support customers, we want to tag the events from them as such.


Let’s build a workflow to take care of all three tasks. Let’s make sure everyone knows what this workflow is about…


The field we want to examine is the Source field.


And the host information needs to go into a customer tag. The domain information needs to go into location. We’ll put it in the data center location field. We are all set with task number 1.


Next, we’ll extract the suffix from the source name to label the test and production environments.


Here is a regular expression to capture the suffix of the source name.


We’ll store it in an Environment tag. That task is done.


Finally, we need to label the support level so users can quickly identify which alerts are impacting your gold level customers.


We’ll add a Support tag and set the default support level to silver.


We’ll match these customer names. Then, we’ll update their support level to gold.


Now we can use the support level information downstream. We can add the support level to the incident description, or send the gold support cases to the premium support team. We are done setting up all three actions.
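The three actions above, sketched in Python as an added example; this is not Workflow Engine code or the product's API. It assumes a source of the form `<customer>-<env>.<location>`, strips the environment suffix before matching customer names, and uses constructed customer names and hypothetical field names.

```python
import re

# Assumption: source looks like "<customer>-<env>.<location>", e.g. "acme-qa.london".
# All names here are hypothetical; sample values are constructed.
ENV_SUFFIX = re.compile(r"-(qa|prod)$")  # anchored so only a trailing suffix matches
GOLD_CUSTOMERS = {"acme", "globex"}      # constructed list of gold-level customers


def normalize(event):
    """Return a copy of the event with customer, environment and support tags set."""
    out = dict(event, tags=dict(event.get("tags", {})))
    source = str(event.get("source", "")).strip().lower()

    # Action 1: split the FQDN. Host part -> customer, domain part -> location.
    host, sep, domain = source.partition(".")

    # Action 2: capture the environment suffix of the host part.
    match = ENV_SUFFIX.search(host)
    environment = match.group(1) if match else "unknown"
    customer = host[: match.start()] if match else host

    if not sep or not domain or not customer:
        # Malformed source: flag it for review instead of guessing field values.
        out["tags"]["normalized"] = "false"
        return out

    # Action 3: default support level is silver; matching customers become gold.
    support = "gold" if customer in GOLD_CUSTOMERS else "silver"

    out["location"] = domain  # stands in for the data center location field
    out["tags"].update(customer=customer, environment=environment,
                       support=support, normalized="true")
    return out


def clusterable(events):
    """Normalize events and drop QA ones so they never reach clustering."""
    normalized = [normalize(e) for e in events]
    return [e for e in normalized if e["tags"].get("environment") != "qa"]
```

Events whose source cannot be parsed are kept and tagged `normalized=false`, so a malformed feed shows up as a visible gap in the tags instead of silently disappearing from clustering.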

Now let’s test this.

We can test the workflow right from this UI. We’ll simulate the input here. Let’s say the source field says this. If our workflow is set up correctly, this input should be parsed and mapped to three different fields for us: customer, location, and environment.

Here are the test results. Looks like the source value got properly parsed and mapped to the customer and the location fields.


We’ve also extracted the environment substring.


Here’s the support level label.


And we’ve updated the support level for gold customers.


Everything looks good, so let’s activate it.

Here are the alerts from our monitoring source. The incoming data is customized the way we want it, and it’s ready to produce meaningful incidents.


Now you know how to use event workflows in Incident Management to normalize event data. Thanks for watching!