What Is a Custom_info Field?
What Is a Custom Info Object?
In Moogsoft Onprem, there isn't always a corresponding field for everything you want to keep from the source system. Custom Info is a field that allows you to extend the Moogsoft Onprem alert schema. You can store additional information that has not been mapped to any standard Alert field attributes. Store data in the custom_info field as a JSON-formatted tree. You can update the custom_info for an object without affecting any other object properties.
Note
The maximum allowed size of an event is 64KB. If an event exceeds the limit, it gets dropped. 64k was deemed to give sufficient headroom to not lose data should a large piece of data be unexpectedly sent. No Moogsoft Onprem deployment should be near sending that amount in a sustained fashion. Deployments should aim for less than 30k per event and ideally, taking into account all the guidance on this page, less than that.
Custom Info Field Best Practices
You need to be strategic and selective about adding custom_info. Keep the following points in mind as you create custom info fields.
Do NOT Add Unnecessary Information
Do NOT overload the event Custom Info object with unnecessary information. When you are just beginning the ingestion stage, it is likely that you do not know all the fields you need. Do NOT create custom fields for everything at this stage. Consult the operators who will be addressing these alerts. Ask them what additional information they need in the alert payload in order to diagnose issues, and keep only those values. Also, when you get to the alert clustering process, you will identify the custom information needs (if any) for clustering.
Mind the Event Size Limit
The maximum allowed size of an event is 64KB. If an event exceeds the limit, it does not get created in the system. Be mindful of the limit and truncate some of the field values as needed. For example, if you decide to add a list of values such as impacted applications, add a length limit so that you do not risk exceeding the event size limit.
Mind the Performance Impact
The size of the event directly impacts the amount of disk space required for the database server. Each time an event is deduplicated, or the alert is updated in the system, a complete copy of it is saved in the database. This includes the custom_info object. Suppose you have a 20KB alert, and it gets updated and actioned 100 times. Its database footprint will be about 2MB. See Retention Policy under Sizing Recommendations.
Use the Same Base Model
It is best practice to enforce the same custom_info base model across all of your ingestions. Use the example model below. You can expand it as you see fit, but always add defaults.
var baseCustomInfo = {
    enrichment : {},
    mooghandling : {
        isEnriched : false,
        archiveOnly : false,
        toolFlags : {},
    },
    services : [],
    location : {},
    eventDetails : {},
    ticketing : {
        ticketNumber : null,
        ticketStatus : null
    }
}
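The base model and the event size guidance above, combined in an added example that is not Moogsoft's own code. It is plain JavaScript for Node.js; the helper names, the 20-item and 256-character caps, and the 30 KB custom_info budget are assumptions chosen for illustration.

```javascript
// Added example: plain JavaScript for Node.js. Helper names and caps are hypothetical.
const CUSTOM_INFO_BUDGET = 30 * 1024; // assumed byte budget, from the "less than 30k" guidance
const MAX_LIST_ITEMS = 20;            // assumed cap for lists such as services
const MAX_STRING_CHARS = 256;         // assumed cap for any single string value

// Fresh copy of the page's base model, so events never share nested objects.
function newBaseCustomInfo() {
  return {
    enrichment: {},
    mooghandling: { isEnriched: false, archiveOnly: false, toolFlags: {} },
    services: [],
    location: {},
    eventDetails: {},
    ticketing: { ticketNumber: null, ticketStatus: null }
  };
}

// Recursively truncate long strings and long arrays; a literal "__proto__" key is skipped.
function clamp(value) {
  if (typeof value === "string") return value.slice(0, MAX_STRING_CHARS);
  if (Array.isArray(value)) return value.slice(0, MAX_LIST_ITEMS).map(clamp);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const key of Object.keys(value)) if (key !== "__proto__") out[key] = clamp(value[key]);
  return out;
}

// Merge source data over the defaults; keys outside the base model are dropped.
function buildCustomInfo(source = {}) {
  const info = newBaseCustomInfo();
  for (const key of Object.keys(info)) {
    if (source[key] === undefined || source[key] === null) continue;
    const value = clamp(source[key]);
    if (Array.isArray(info[key])) info[key] = [].concat(value);
    else if (typeof value === "object" && !Array.isArray(value)) Object.assign(info[key], value);
  }
  const bytes = Buffer.byteLength(JSON.stringify(info), "utf8");
  return { info, bytes, withinBudget: bytes <= CUSTOM_INFO_BUDGET };
}

// Constructed sample: an oversized list plus a large key that is not in the model.
const sampleResult = buildCustomInfo({
  services: Array.from({ length: 500 }, (_, i) => "app-" + i),
  ticketing: { ticketNumber: "TCK-0001" },
  rawPayload: "x".repeat(100000)
});
console.log(sampleResult.bytes, sampleResult.withinBudget);
```

When `withinBudget` is false, trim further or drop fields before sending the event rather than letting it be discarded at the size limit.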
Learn More
For information on Workflow Engine Functions you can use to modify custom_info, see Workflow Engine Functions Reference.