Event Management
Overview
Event Definitions are used to define constraints on Attributes and provide Notifications or execute remote commands when these constraints are exceeded. For example, you are monitoring average processor load on a specific Configuration Item and want to know when this average for the past five minutes exceeds 70%.
- Create an Event Definition
- Edit an Event Definition
- Clone an Event Definition
- Enable or disable an Event Definition
- Delete an Event Definition
- Advance Event Definition
- Functions
- Logical and Mathematical Operators
- Advanced Scenarios
Create an Event Definition:
- Log in to FireScope SPM.
- Click Configuration > Evaluation > Event Definitions. The Event Definitions page will be displayed.
- In Navigate or Search for a description, select the CI you want to create the Event Definition for.
- Click Create. The Create Event Definition page will be displayed.
- Complete the form. Refer to the Section Description Table below for more information on the fields.
- Click on the Save button.
Clone an Event Definition:
- In the Name column, click the Event Definition you want to clone. The Event Definition page will be displayed.
- Click Clone (bottom of the page). The Create Event Definition page will be displayed, duplicating the field values of the original Event Definition.
- Edit the form. Refer to Creating an Event Definition for more information on Event Definition screen shots and fields.
- Click on the Save button.
Edit an Event Definition:
- In the Name column, click the Event Definition you want to edit. The Event Definition page will be displayed.
- Edit the form. Refer to Creating an Event Definition for more information on Event Definition screen shots and fields.
- Click on the Save button.
Enable or disable an Event Definition:
- Check the box next to the Event Definition you want to enable or disable. Refer to Creating an Event Definition for more information on Event Definition screen shots and fields.
- Click Enable selected or Disable selected (bottom right corner). A confirmation window will be displayed.
- Click on the OK button.
Delete an Event Definition:
- Check the box next to the Event Definition you want to delete. Refer to Creating an Event Definition for more information on Event Definition screen shots and fields.
- Click Delete selected (bottom right corner). A confirmation window will be displayed.
Note: If you delete an Event Definition that is used in a Google Maps map point or map link, the status of the map point/link will change to Unknown, and an email will be sent to all members of the FireScope Administrators user group.
Section Description Table
Section | Description |
Name | Event Definition name that other users can easily recognize. |
Definition Criteria Simple Mode | Criteria that will trigger this Event. When FireScope SPM evaluates the criteria and the result is: True – The Event Definition status will be FAILED. False – The Event Definition status will be OK. To set the criteria in Simple Mode: Select the Simple option. Click Insert. A new set of fields will be displayed. Click Select. The Attribute window will be displayed. In the Description column, click the Attribute you want to use. The selected Attribute name will be displayed in the Attribute field. In the Function drop-down list, select the type of evaluation you want to perform. In N (Numeric Compare), select the operator and type the value to compare to the Attribute value. Click Save. The criteria statement will be displayed in the Definition Criteria field. |
Definition Criteria Advance Mode | Criteria that will trigger this Event. When FireScope SPM evaluates the criteria and the result is: True – The Event Definition status will be FAILED. False – The Event Definition status will be OK. To set the criteria in Advance Mode: Select the Advance option. Note: This Mode is recommended only for expert users. Click on the Add Definition button. A new set of fields will be displayed. Click on Select Attributes. The Attributes window will be displayed. In the Description column, click the Attribute you want to use. The selected Attribute name will be displayed in the Attribute field. The {EVENT.STATUS_VALUE} macro requires another criterion to be used in conjunction with this evaluation. Use Advance Mode editing to create criteria such as ({EVENT.STATUS_VALUE} > 0) & (CI:Attribute:Current_Value > 150). In the Function drop-down list, select the type of evaluation you want to perform. Refer to the Functions Table for more information. In N (Numeric Compare), click on the check box; additional fields will be displayed. Select the Operator from the drop-down list and type the value to compare to the Attribute value. Click on the Save button. The criteria statement will be displayed in the Definition Criteria field. In the Advanced Definition Builder section, use the variables and operators (to the right) to create a formula to describe the situation in which an Event is generated. For more information, see Logical and Mathematical Operators. Notes: Each criterion is assigned a unique variable name, starting with @A. To remove a criterion, check the box next to one or more criteria and click delete selected. As you build this Event Definition, each condition will be assigned a temporary variable in alphabetic order as it is created. However, upon saving this Event Definition, the variables will be re-assigned in the order in which they are used in the Advanced Definition Builder. |
Classification | How IT operations are impacted when this Event Definition is true: Availability – Asset is either offline, or users cannot perform tasks. Performance – Users will experience slow or degraded service. Security – Sensitive data may be compromised or unauthorized actions are identified. Business – Key business processes are directly impacted or revenue is lost (recommended when evaluating business metrics, such as revenue generation or e-commerce transactions). |
Severity | Severity of the Aggregate Event Definition, which is used in Dashboards, Reports, and Notifications. You can use Severity as a criterion in Notifications. |
Reset Interval | Number of seconds after which the Event Definition value is reset. Every five minutes, FireScope SPM determines if any reset intervals have been passed for a failed Event Definition, Aggregate Event Definition, or Policy. If so, the value(s) is reset to OK. Leave the Reset Interval field blank if you do not want the value reset. |
Status | Indicates if the Event Definition is enabled or disabled. |
Comments and Custom Fields | Additional information associated with Events generated by this Event Definition. Comments – Comments associated with the Event. Custom Fields – Store and assign additional information that is associated with the Event. Custom fields are accessible for notifications as macros (e.g., {EVENT.CUSTOM_1}, {EVENT.CUSTOM_2}). URL – URL to access when the Event occurs. (e.g., the URL of a useful KB article or process document that users should follow for this Event). |
Event Definition Dependency | Dependencies for this Event Definition. If you intend for this Event Definition to not trigger when other specific Events have occurred, add the other Event Definition(s) here. For example, you do not want to flag your servers as being down if the network is unavailable. For more information, see Dependencies for Event Definitions, Aggregate Event Definitions, and Policies. Click on Manage Dependencies. The Create Dependencies page will be displayed. Click Select. The Event Definition window will be displayed. In the Name column, click the Event Definition that you want to use. The Event Definition name appears in the New dependency field. Click Add. The Event Definition name appears in the Event Definition Depends on field. |
For more information about sending Notifications and performing remediation steps when an Event occurs, see Notifications.
Functions
Function | Description |
Evaluate the current sampled value | N = Threshold value |
Evaluate the absolute change between the current and previous values | N = How much change has occurred |
Evaluate the average of all values in the last {T} seconds or samples | T = Number of seconds or returned values to average N = Threshold |
Evaluate the difference between the MAX and MIN values for the last {T} seconds or samples | T = Number of seconds or returned values. N = Threshold |
Evaluate the difference between current and previous values | N = Threshold of difference |
Evaluate the number of times a desired value {V} is returned in the last {T} seconds or samples | T = Number of seconds or returned values V = Specific value N = Number threshold |
Evaluate if the last 2 values were different, set N equals true | N = True/False |
Evaluate the number of times the JSON attribute values matches based on filters ({F}) in the last {T} seconds | F = Filters T = Number of seconds N = Number threshold |
Evaluate the percent of times the JSON attribute values matches based on filters ({F}) in the last {T} seconds | F = Filters T = Number of seconds N = Percentage threshold |
Evaluate the largest value received in the last {T} seconds or samples | Last T = Number of seconds or returned values N = Maximum value |
Evaluate the smallest value received in the last {T} seconds or samples | Last T = Number of seconds or returned values N = Smallest value |
Evaluate the percentage of times a desired value {V} is returned in the last {T} seconds or samples | Last T = Number of seconds or returned values V = Value to look for N = Percentage threshold |
Previous value | N = Last value |
Find string {T} last value. X, where X is 1 – if found, 0 – otherwise | T = String to find X = 1 if found, 0 if not found |
Sum of values in the last {T} seconds or samples | Last T = Number of seconds or returned values N = Threshold |
Find case insensitive regular expression {T} last value. X, where X is 1 – if found, 0 – otherwise | T = Regex (case insensitive) to find X = 1 if found, 0 if not found |
Find case sensitive regular expression {T} last value. X, where X is 1 – if found, 0 – otherwise | T = Regex (case sensitive) to find X = 1 if found, 0 if not found |
Evaluate the number of changes for period of time {T} | T = Time N = Number of changes |
Evaluate the windows eventlog {T} for the criteria. X, where X is 1 – if found, 0 – otherwise | T = Windows eventlog to find X = 1 if found, 0 if not found |
Evaluate if attribute value was updated in the last {T} seconds, X. 0 = Value Updated, 1 = Value not Updated | Last T = Number of seconds X = 1 if not updated, 0 if updated |
Logical and Mathematical Operators
Operator | Description | Example | Result |
+ | Adds the value of 2 conditions. Cannot be used if the conditions of the Event Definition use Conditionals. Returns a numeric value. | 2 + 2 | 4 |
– | Subtracts the value of 2 conditions. Cannot be used if Use Conditionals is selected for any component condition. | 4 – 2 | 2 |
* | Multiplies the value of 2 conditions. Cannot be used if Use Conditions is selected for any component condition. | 4 * 2 | 8 |
/ | Divides the value of 2 conditions. Cannot be used if Use Conditions is selected for any component condition. | 4 / 2 | 2 |
< | Evaluates if the variable on the left is less than the variable on the right. | 1 < 3 | TRUE |
> | Evaluates if the variable on the left is greater than the variable on the right. | 1 > 3 | FALSE |
= | Evaluates if the operation or variable on the left equals the value on the right. | 1 + 4 = 10 or True = False | False False |
# | Evaluates if the operation or variable on the left does not equal the variable or operation on the right. | 3 # 2 or True # False | True False |
( ) | Enables nested operations that will be performed before un-nested operations. Must be paired with a close parenthesis. | 2 * (3 + 4) | 14 |
| | Logical OR operator. Can be used if Use Conditions is selected for component conditions. | (@a = 2) | (@b = 2) where @b evaluates to 2 and @a evaluates to 42. | TRUE |
& | Logical AND operator. Can be used if Use Conditions is selected for component conditions. | (@a = 2) & (@b = 2) using the same values as in the above example. | FALSE |
Advanced Scenarios
Scenario 1
I have a SQL server with multiple MDF files, and I want to be alerted if the total drive space consumed by all databases surpasses 80% of the total space on the volume. In this situation, I would use the following formula.
((((@B + @C + @D) / @A) * 100) > 80)
Where
- @A = Total size of the volume
- @B, @C and @D are the sizes of three MDF files
Scenario 2
In this scenario, I want to be alerted if processor utilization is consistently above 95% for over a 5-minute period. However, I don’t want the Event to clear unless utilization drops below 60%, indicating that the problem has been effectively resolved. In this case, I’m going to use the {Event.Status_Value} macro. For this situation, the following formula would be used.
((@A & @B) | (@C))
Where
- @A = {Event.Status_Value} = 1
- @B = Processor utilization > 60%
- @C = Processor Utilization > 95%
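The trip-and-hold behaviour of the Scenario 2 formula, as an added Python simulation (not FireScope code and not part of the original documentation). It assumes one CPU sample per evaluation cycle, models "consistently above 95%" as the average of the last five samples, and uses constructed sample values; `evaluate` and `run` are hypothetical names.

```python
from collections import deque


def evaluate(status_value, cpu_avg, clear_below=60, trip_above=95):
    """Scenario 2 formula ((@A & @B) | (@C)); True means status FAILED."""
    a = status_value == 1        # @A: {Event.Status_Value} = 1 (already FAILED)
    b = cpu_avg > clear_below    # @B: processor utilization > 60%
    c = cpu_avg > trip_above     # @C: processor utilization > 95%
    return (a and b) or c


def run(samples, window=5):
    """Evaluate once per sample and return the status after each cycle.

    Assumption: the averaged value uses up to `window` most recent samples,
    so the first few cycles average over fewer readings.
    """
    history = deque(maxlen=window)
    status = 0                   # 0 = OK, 1 = FAILED
    timeline = []
    for value in samples:
        history.append(value)
        cpu_avg = sum(history) / len(history)
        status = 1 if evaluate(status, cpu_avg) else 0
        timeline.append("FAILED" if status else "OK")
    return timeline


# Constructed sample data: one CPU reading (percent) per minute.
CPU = [50, 97, 98, 99, 99, 99, 99, 80, 70, 70, 70, 40, 30, 20, 20, 20]

if __name__ == "__main__":
    for minute, (value, state) in enumerate(zip(CPU, run(CPU))):
        print(f"t={minute:2d}m cpu={value:3d}% -> {state}")
```

The Event trips only once the five-sample average exceeds 95, stays FAILED while the average sits between 60 and 95, and clears when the average falls to 60 or below.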