Adding Custom Fields to Events DB
It is a common practice to add custom fields to the Events table, or to change the fields that are updated when a duplicate event is received. Using the Unified Assurance UI, new fields can be added, and existing fields can be cloned and then have their settings changed. Changes can also be made to the index type of some of the fields that are provided out-of-the-box.
Note:
The out-of-the-box fields can not be deleted. Only custom added fields can be deleted.
After changes are done, an application must be run that will actually apply the changes to the database, then some additional changes within the Unified Assurance system may be needed.
After fields have been added to the database, the event applications will use built-in functionality on startup or reload to read in all of the database fields and create a default insert statement. This can be changed if different functionality is required, or if custom deduplication settings are required.
Deduplication settings can be changed by creating two additional configuration files. Applications configured to use the new files will process the new settings instead of using the default settings. While these changes are relatively easy to make, they can cause issues if done incorrectly.
Note:
The following example is for reference only.
Dependencies
-
Have a working aggregator/collector.
-
List of additional fields names and field types/lengths.
Adding New Fields and making other changes
Best Practices
-
During initial deployment, ensure the application configuration has the LogLevel set to DEBUG. After the functionality has been verified, this can be changed to reduce log data.
-
Verify everything is working by checking that the events are inserting correctly and no errors are seen in the application logs.
-
If a custom field is added to store a date time type of value (similar to the default FirstReported and LastReported fields), the data type should be DECIMAL(13,3) UNSIGNED instead of one of the MySQL date types. This should be used to store an epoch time instead of a hard-coded date/time value. This will then provide a consistent view of dates and times throughout the event list and other views.
-
Once a new field has been added, the field name cannot be modified. A specific process must be followed to handle "renaming" a field.
-
Follow the Stop the Event applications and MySQL Replication Data Importer section below.
-
Follow the Use the UI to prepare changes to the table section below to create the new field.
-
Follow the Apply the changes to the database section below to apply the changes to the table.
-
Use the
ApplyEventSchema
application to move the data, passing in the old field name and new field name$A1BASEDIR/bin/ApplyEventSchema move-data <OldFieldName> <NewFieldName>
-
Follow the Use the UI to prepare changes to the table section below to delete the old field.
-
Follow the Apply the changes to the database section below to apply the changes to the table.
-
Follow the remaining steps in the sections below.
-
Steps
Stop the Event applications and MySQL Replication Data Importer
-
Go to the Services UI:
-
Find and select any of the following services that are running, then click on the "Stop" button.
-
Any event-based applications, such as the Event Syslog Aggregator, etc.
-
Any thresholding-based applications, such as the Metric Standard Thresholding Engine, etc.
-
Stop the MySQL Replication Data Importer service(s).
-
-
Go to the microservices Installed UI:
-
Stop any event-based microservices, such as the Event Sink, etc.
Use the UI to prepare changes to the table
-
Open the "Custom Event Fields" UI:
-
Use the UI to add a new field, make changes to an existing field, or delete a custom field.
-
Make additional changes as needed.
Apply the changes to the database
-
Log in to the command line of the database server.
-
Change to the root user.
-
The ApplyEventSchema application is located in the $A1BASEDIR/bin/ directory. Go to the directory:
cd $A1BASEDIR/bin/
-
Run the ApplyEventSchema to apply the changes.
./ApplyEventSchema
Note:
-
If using multiple event shards in your environment, one of the following must be done.
-
Run the application on one of the database servers passing the
--EventShard 0
flag:$A1BASEDIR/bin/ApplyEventSchema --EventShard 0
-
Run the application on the primary instance of the database servers passing the
--EventShard
flag with the correct value:$A1BASEDIR/bin/ApplyEventSchema --EventShard N
-
-
The
--Dry-Run
option can be used to log the queries that will be executed to change the database:$A1BASEDIR/bin/ApplyEventSchema --Dry-Run
Then look at the log file to see the queries that will be executed:
lnav $A1BASEDIR/logs/ApplyEventSchema.log
-
Start the MySQL Replication Data Importer
-
Go to the Services UI:
-
Find and select the MySQL Replication Data Importer service(s).
-
Click on the "Start" button.
Update Rules Files (Optional)
-
Go to the Rules UI:
-
Update the relevant rules files for applications to insert or update data in the real-time database.
Start the Event Services
-
Go to the Services UI:
-
Find and select any event-based service(s) that were previously running.
-
Click on the "Start" button.
Start the Event Microservices
-
Go to the microservices Helmcharts UI:
-
Select any event-based microservice(s) that were previously running.
-
Click on the "Deploy" button.
-
Fill in the needed settings, then click on the "Start" button.
Recreate the Kibana Index
Note:
This step must be done after data has been inserted into the newly added fields. Data can be inserted into the fields using rules, by manually updating an event through the UI, or other steps as well.
-
Go to the Elasticsearch Management UI:
Analytics -> Events -> Administration -> Management
-
In the Kibana section, click on the "Index Patterns" link.
-
With the eventanalytics-* option selected, click on the refresh icon in the upper right.
Functionality Verification
To verify the new field (or fields) are available for use, starting or reloading an application should show the new fields as being available for use during the Build Generic Insert and Build Generic FieldSet logging:
[DATE TIME] [BINARY NAME]([PROCESS ID])<-> [INFO] Build Generic Insert as:
INSERT INTO Events (EventKey,EventCategory,EventType,Ack,Action,Actor,Count,Customer,Department,Details,DeviceType,Duration,EscalationFlag,ExpireTime,FirstReported,GeoPath,GeoLocation,IPAddress,LastChanged,LastReported,Location,Method,Node,OrigSeverity,OwnerName,RootCauseFlag,RootCauseID,Score,Service,ServiceImpact,Severity,SubDeviceType,SubMethod,SubNode,Summary,TicketFlag,TicketID,ZoneID,RootCauseKey,NewField1)
VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,ST_GeomFromGeoJson(?,1,4326),ST_GeomFromGeoJson(?,1,4326),?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)
ON DUPLICATE KEY
UPDATE Count = Count + 1,
Duration = VALUES(LastReported) - FirstReported,
EventCategory = VALUES(EventCategory),
LastChanged = VALUES(LastChanged),
LastReported = VALUES(LastReported),
Severity = VALUES(Severity),
Summary = VALUES(Summary)
[DATE TIME] [BINARY NAME]([PROCESS ID])<-> [INFO] Build Generic FieldSet as:
EventKey,EventCategory,EventType,Ack,Action,Actor,Count,Customer,Department,Details,DeviceType,Duration,EscalationFlag,ExpireTime,FirstReported,GeoPath,GeoLocation,IPAddress,LastChanged,LastReported,Location,Method,Node,OrigSeverity,OwnerName,RootCauseFlag,RootCauseID,Score,Service,ServiceImpact,Severity,SubDeviceType,SubMethod,SubNode,Summary,TicketFlag,TicketID,ZoneID,RootCauseKey,NewField1
Custom Deduplication
Best Practices
-
During initial deployment, ensure the application configuration has the LogLevel set to DEBUG. After the functionality has been verified, this can be changed to reduce log data.
-
Verify everything is working by checking that the events are inserting and updating correctly and that no errors are seen in the application logs.
-
If errors are seen when the applications are trying to insert events, the most likely problem is one of the following:
-
The application was not restarted to make it read in the custom files with the additional advanced configuration options.
-
The .sql files have an error in them. Verify they match the new database field names exactly.
-
-
For ease of management, the configuration files needed for this process should be stored in the "common" folder of the rules repository. The files are then available to all servers without needing to manually manage individual files:
-
Go to the Rules UI:
-
Expand the following folder path: Core Rules (rules) -> Default read-write branch (default) -> collection -> event -> common.
-
New/updated files should be here so they are available for all applications.
-
Steps
Updating Custom Fields on Deduplication
To get Unified Assurance to perform a custom action when a duplicate event is received, two additional files need to be created/updated. Refer to the Best Practices section for where the files should be placed.
-
The InsertSQLFile (usually called InsertSQLFile.sql) contains a prepared statement that controls which fields are inserted when an event is initially received, or which fields are updated when a duplicate event is received. The generic statement is as follows, but with some modifications to it as shown in the "** **" sections. These should be updated before saving the file.
-
In the column list, the **NewField1** tag should be entirely replaced with the actual field name, and each additional field should be added to this list.
-
In the VALUES list, the **?** tag should be replaced with a single question mark ("?"). However, a separate question mark should be added for each additional field that is being added to the list.
-
In the ON DUPLICATE list, the **NewField1** tag should be replaced with the actual field name. Other MySQL functionality is also possible here.
INSERT INTO Events (EventKey,EventCategory,EventType,Ack,Action,Actor,Count,Customer,Department,Details,DeviceType,Duration,EscalationFlag,ExpireTime,FirstReported,GeoPath,GeoLocation,IPAddress,LastChanged,LastReported,Location,Method,Node,OrigSeverity,OwnerName,RootCauseFlag,RootCauseID,Score,Service,ServiceImpact,Severity,SubDeviceType,SubMethod,SubNode,Summary,TicketFlag,TicketID,ZoneID,RootCauseKey,**NewField1**) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,ST_GeomFromGeoJson(?,1,4326),ST_GeomFromGeoJson(?,1,4326),?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,**?**) ON DUPLICATE KEY UPDATE Count = Count + 1, Duration = VALUES(LastReported) - FirstReported, EventCategory = VALUES(EventCategory), LastChanged = VALUES(LastChanged), LastReported = VALUES(LastReported), Severity = VALUES(Severity), Summary = VALUES(Summary), **NewField1** = VALUES(**NewField1**)
-
-
The FieldSetFile (usually called FieldSetFile.sql) contains the information used by the application that determines what fields are used to replace the placeholders (the "?") in the InsertSQLFile prepared statement. Each placeholder must correspond with its respective field. The generic statement is as follows, but the **NewField1** should be entirely replaced with the actual field name, and each additional field should be added to this list. This should be updated before saving the file.
EventKey, EventCategory, EventType, Ack, Action, Actor, Count, Customer, Department, Details, DeviceType, Duration, EscalationFlag, ExpireTime, FirstReported, GeoPath, GeoLocation, IPAddress, LastChanged, LastReported, Location, Method, Node, OrigSeverity, OwnerName, RootCauseFlag, RootCauseID, Score, Service, ServiceImpact, Severity, SubDeviceType, SubMethod, SubNode, Summary, TicketFlag, TicketID, ZoneID, RootCauseKey, **NewField1**
Application Configuration Changes
The next step is to modify the application configuration settings in the UI to allow the applications to use the custom files:
-
Go to the Services or Jobs UI:
-
Find and select the application that will be using the new configuration files.
-
In the Configuration section, find and update the FieldSetFile and InsertSQLFile options. (If they are not in the list, add the options.)
-
The FieldSetFile should be set to collection/event/common/FieldSetFile.sql (or the correct path).
-
The InsertSQLFile should be set to collection/event/common/InsertSQLFile.sql (or the correct path).
-
-
Once these have been added, the applications must be restarted for the changes to take effect.
Functionality Verification
To verify the new fields are available for deduplication, starting or reloading an application should show the new fields during the Build Generic Insert and Build Generic FieldSet logging:
[DATE TIME] [BINARY NAME]([PROCESS ID])<-> [INFO] Build Generic Insert as:
INSERT INTO Events (EventKey,EventCategory,EventType,Ack,Action,Actor,Count,Customer,Department,Details,DeviceType,Duration,EscalationFlag,ExpireTime,FirstReported,GeoPath,GeoLocation,IPAddress,LastChanged,LastReported,Location,Method,Node,OrigSeverity,OwnerName,RootCauseFlag,RootCauseID,Score,Service,ServiceImpact,Severity,SubDeviceType,SubMethod,SubNode,Summary,TicketFlag,TicketID,ZoneID,RootCauseKey,NewField1)
VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,ST_GeomFromGeoJson(?,1,4326),ST_GeomFromGeoJson(?,1,4326),?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)
ON DUPLICATE KEY
UPDATE Count = Count + 1,
Duration = VALUES(LastReported) - FirstReported,
EventCategory = VALUES(EventCategory),
LastChanged = VALUES(LastChanged),
LastReported = VALUES(LastReported),
Severity = VALUES(Severity),
Summary = VALUES(Summary),
NewField1 = VALUES(NewField1)
[DATE TIME] [BINARY NAME]([PROCESS ID])<-> [INFO] Build Generic FieldSet as:
EventKey,EventCategory,EventType,Ack,Action,Actor,Count,Customer,Department,Details,DeviceType,Duration,EscalationFlag,ExpireTime,FirstReported,GeoPath,GeoLocation,IPAddress,LastChanged,LastReported,Location,Method,Node,OrigSeverity,OwnerName,RootCauseFlag,RootCauseID,Score,Service,ServiceImpact,Severity,SubDeviceType,SubMethod,SubNode,Summary,TicketFlag,TicketID,ZoneID,RootCauseKey,NewField1