Default Event Table
When Unified Assurance receives or retrieves data that will be used to create or update an Event, most applications allow the data to be manipulated via the rules so the information displayed is more useful.
Processing the event data is done in three basic steps.
-
Data is received or retrieved from a device.
-
Data is sent to the rules file for processing, if available. It is during this step that the Event Hash can be manipulated so the modified information is be saved to the database.
-
Data is saved to the database.
Event.Events
In Unified Assurance v6 the Events.Alarm DB Schema has been renamed to Event.Events. Some Fields have been renamed, other new fields have been added while others remain the same. The following table shows you a list of the fields along with a brief description.
| Field Name | Field Type | Description |
|---|---|---|
| EventID | Number | Do not set this, and do not change this. The ID is handled by the database. The ID can be used to refer to the Event; there will be 0 or 1 matches in the live table; and 0 or more matches in the history table. This field was AlarmId in Unified Assurance v4. |
| EventKey | Alphanumeric | The EventKey is normally set during the rules processing. If the same as another event, the new event will be considered a duplicate -- either a repeat message, or (if correlation is done by deduplication) updated status of message (link up / link down). If the key is different from every other key, the event will not be considered a duplicate with another. This field will only be unique in the "live" table; the old EventID can be deleted, and the next "matching" EventKey will create a new Event, unrelated to the previous one. This field was AlarmKey in Unified Assurance v4. |
| EventCategory | Number | 1 = Resolution. 2 = Problem. 3 = Discrete. This functionality was part of the AlarmType field in Unified Assurance v4. Primarily used by the mechanization CorrelateProblemResolutions, which looks for events with EventCategory = 1 and Severity = 0, and any matching events with EventCategory = 2 and Severity > 0. The matched events are then updated the fields EventCategory = 3, Severity = 0, ExpireTime = 300, as well as a few other fields. Other values are not used by this mechanization for correlation. Additionally, a conversion has been setup to map the default values for display purposes. |
| EventType | Alphanumeric | A string to indicate the type of event, e.g. linkUpDown for a linkDown trap. This field was AlarmGroup in Unified Assurance v4. The mechanization CorrelateProblemResolutions will only function if this is the same for correlating events. |
| Ack | Number | 1 = Yes, 0 = No. The event will be displayed differently based on this field. Event right-click Tools can be used to set the state manually. |
| Action | Alphanumeric | An indication of the non-human entity that caused a change to be made. The mechanizations DeleteExpired and CorrelateProblemResolutions will both set DeleteExpired if a matching event is found. Event right-click SQL Tools can set this by doing, SET Action = 'SQL Tool: Acknowledge'. |
| Actor | Alphanumeric | An indication of the entity that caused the change to be made. Mechanizations will set this field to EventMechanization. Event right-click SQL Tools set this to the logged-in user that used the tool. |
| Count | Number | The number of times this Event has happened (deduplicated). Should only be increased by the SQL ON DUPLICATE, and should not be set in rules. |
| Customer | Alphanumeric | This can be set to a value as needed. |
| Department | Alphanumeric | Customer.rules will set this to Unknown if not previously set. |
| Details | Text | A JSON text field for miscellaneous info, replacing the Custom1-5 fields. Rules can set values like "$Event->{Details}->{subject} = 'X'. |
| DeviceType | Alphanumeric | Used as a general category for the event. Customer.rules will set this to Unknown if not previously set. |
| Duration | Number | The time between FirstReported and LastChanged. Updated by EventMechanizations. |
| EscalationFlag | Number | If an event should be escalated or not. 0 = no, 1 = should be escalated, 2 = has been escalated. Some of the default rules for applications look for this value being set to 1 for additional processing. This field was EscFlag in Unified Assurance v4. |
| ExpireTime | Number | This functionality was part of the AlarmType field in Unified Assurance v4. Number of seconds after LastChanged for this Event to become eligible-to-be-deleted, which is done by the mechanization DeleteExpired. |
| FirstReported | Number | Epochtime with milliseconds of when this Event first happened. The application processing the event will generally set it to the time the event was received/retrieved, but rules could change it, if needed. The default "INSERT/ON DUPLICATE UPDATE" code will not update if a duplicate event is received. |
| IPAddress | Alphanumeric | The IPv4 or IPv6 address of the Device associated with this Event. For Device/Metric integrations, it is useful if an entry exists in the Device Catalog (similar to Node). Customer.rules will set this to 0.0.0.0 if not previously set. |
| LastChanged | Number | Epochtime with milliseconds; must be changed manually by everything that modifies the Event, for example, Event List Tools, CAPE, or other applications. The application processing the event will generally set it to the time the event was received/retrieved. The default "INSERT/ON DUPLICATE UPDATE" code will update if a duplicate event is received. Rules should not update the value. |
| LastReported | Number | Epochtime with milliseconds of the last time this Event happened. The application processing the event will generally set it to the time the event was received/retrieved, but rules could change it, if needed. The default "INSERT/ON DUPLICATE UPDATE" code will update if a duplicate event is received. |
| Location | Alphanumeric | Name, Address, or something similar associated with the Event. Event Analytics will use this if it is set. |
| Method | Alphanumeric | Protocol of how the event was received/retrieved. The binary will set a default value (Trapd, Syslogd, for example), but can be update in rules, if needed. |
| Node | Alphanumeric | Usually the DNS Name of the Device associated with this Event, and set via an IP lookup in the application that received the event. For Device/Metric integrations, it is useful if an entry exists in the Device Catalog (similar to IPAddress). Rules can update this field, if needed. |
| OrigSeverity | Number | The original severity when the event was first created. The event binaries will set this to the same as Severity on INSERT, but will not be changed on UPDATE. |
| OwnerName | Alphanumeric | The name of the currently-responsible person. Some event Tools (for example, "Acknowledge", "Delete", and "Take Ownership") set this to the username that executed the tool; "UnAcknowledge" sets it to 0. This field was OwnerId in Unified Assurance v4. |
| RootCauseFlag | Number | Used by applications to know whether the event is being processed as a root cause of another event or not. |
| RootCauseID | Number | Used by applications to know whether the event was caused by another event or not. |
| Score | Number | If a Priority value is set on a device, this field can be set to the event Severity * Priority to increase the number. Event Filters can be configured to show the hi-score Events first, or other processing may utilize this value. |
| Service | Alphanumeric | The SLM applications will set this to the name of the SLM Service if a violation is detected. |
| ServiceImpact | Number | |
| Severity | Number | Must be a value between 0 - 5. The event will change colors in the Event List based on the severity. |
| SubDeviceType | Alphanumeric | Used for vendor or model information for the event. Customer.rules will set this to Unknown if not previously set. |
| SubMethod | Alphanumeric | Usually set in rules to the specific processing that was done on the event, for example, the MIB that defines the trap, or the string "watchdog", or "Unknown". |
| SubNode | Alphanumeric | The Instance of the Event, for example, the ifIndex value of a linkUp trap. Mechanization CorrelateProblemResolutions requires that this is the same for correlating events. This field was SubAlarmGroup in Unified Assurance v4. |
| Summary | Text | The free-form text that is usually shown in the Event List. It should be a standalone description of the event. The "Default" display will also show the user the Node, EventType, Count, FirstReported and LastReported fields, so those details do not need to be repeated here. |
| TicketFlag | Number | A flag for the ticket state of this event. 0 = no ticket; 1 = ticket to be created; 2 = processing, 3 = opened. |
| TicketID | Alphanumeric | The Ticket ID associated with this Event in the external system. Should be populated by the process done to open the ticket in the external system. |
| ZoneID | Number | Can be set to the Device Zone that the device is in. |
Table Changes
The following fields are new in Unified Assurance v6:
-
Action
-
Actor
-
Customer
-
Details
-
Duration
-
ExpireTime
-
LastChanged
-
OrigSeverity
-
RootCauseFlag
-
RootCauseID
-
Service
-
ServiceImpact
The following fields have been removed from the table when compared to Unified Assurance v4:
-
DstIP
-
DstPort
-
SrcIP
-
SrcPort
-
EscId
-
Custom1-5