Understanding the Default Events Fields

When Oracle Communications Unified Assurance receives or retrieves data that will be used to create or update an Event, most applications allow the data to be manipulated by the rules so that the information displayed is more useful.

Processing the event data is done in three basic steps.

  1. Data is received or retrieved from a device.

  2. Data is sent to the rules file for processing, if available. It is during this step that the Event Hash can be manipulated so that the modified information can be saved to the database.

  3. Data is saved to the database.

Default Fields in the Event.Events Table

The following table shows you a list of the fields along with a brief description.

Note:

These field names may appear slightly different in event lists. For example, the default display uses the custom name Device for the Node field. You can see and edit custom names by using the Displays configuration interface.

| Field Name | Field Type | Description |
|---|---|---|
| EventID | Number | Do not set this, and do not change this. The ID is handled by the database. The ID can be used to refer to the Event; there will be 0 or 1 matches in the live table, and 0 or more matches in the history table. This field was AlarmId in Assure1 v4. |
| EventKey | Alphanumeric | The EventKey is normally set during the rules processing. If the EventKey of a new event is the same as that of another event, the new event will be considered a duplicate -- either a repeat message or (if correlation is done by deduplication) an updated status of the message (link up / link down). If the key is different from every other key, the event will not be considered a duplicate. This field will only be unique in the live table; the old EventID can be deleted, and the next matching EventKey will create a new Event, unrelated to the previous one. This field was AlarmKey in Assure1 v4. |
| EventCategory | Number | 1 = Resolution. 2 = Problem. 3 = Discrete. This functionality was part of the AlarmType field in Assure1 v4. Primarily used by the mechanization CorrelateProblemResolutions, which looks for events with EventCategory = 1 and Severity = 0, and any matching events with EventCategory = 2 and Severity > 0. The matched events are then updated to EventCategory = 3, Severity = 0, ExpireTime = 300, as well as updates to a few other fields. Other values are not used by this mechanization for correlation. Additionally, a conversion has been set up to map the default values for display purposes. |
| EventType | Alphanumeric | A string to indicate the type of event. For example, linkUpDown for a linkDown trap. This field was AlarmGroup in Assure1 v4. The mechanization CorrelateProblemResolutions will only function if this is the same for correlating events. |
| Ack | Number | 1 = Yes, 0 = No. The event will be displayed differently based on this field. Event right-click Tools can be used to set the state manually. |
| Action | Alphanumeric | An indication of the non-human entity that caused a change to be made. The mechanizations DeleteExpired and CorrelateProblemResolutions will both set DeleteExpired if a matching event is found. Event right-click SQL Tools can set this with SET Action = 'SQL Tool: Acknowledge'. |
| Actor | Alphanumeric | An indication of the entity that caused the change to be made. Mechanizations will set this field to EventMechanization. Event right-click SQL Tools set this to the logged-in user that used the tool. |
| Count | Number | The number of times this Event has happened (deduplicated). Should only be increased by the SQL ON DUPLICATE, and should not be set in rules. |
| Customer | Alphanumeric | This can be set to a value as needed. |
| Department | Alphanumeric | Customer.rules will set this to Unknown if not previously set. |
| Details | Text | A JSON text field for miscellaneous info, replacing the Custom1-5 fields. Rules can set values like $Event->{Details}->{subject} = 'X'. |
| DeviceType | Alphanumeric | Used as a general category for the event. Customer.rules will set this to Unknown if not previously set. |
| Duration | Number | The time between FirstReported and LastChanged. Updated by Event Mechanizations. |
| EscalationFlag | Number | Whether an event should be escalated or not. 0 means no, 1 means it should be escalated, 2 means it has been escalated. Some of the default rules for applications look for this value being set to 1 for additional processing. This field was EscFlag in Assure1 v4. |
| ExpireTime | Number | This functionality was part of the AlarmType field in Assure1 v4. Number of seconds after LastChanged for this Event to become eligible to be deleted, which is done by the mechanization DeleteExpired. |
| FirstReported | Number | Epoch time with milliseconds of when this Event first happened. The application processing the event will generally set it to the time the event was received/retrieved, but rules could change it, if needed. The default "INSERT/ON DUPLICATE UPDATE" code will not update if a duplicate event is received. In the UI, the default display for event lists calls this field First Occurred. |
| GeoLocation | GeoJSON | A GeoJSON schema containing the longitude and latitude of the device that generated the event, used in Geographical Dashboards in Elasticsearch. |
| GeoPath | GeoJSON | A GeoJSON schema containing an array of longitudes and latitudes of the device that generated the event, used in Geographical Dashboards in Elasticsearch. |
| IPAddress | Alphanumeric | The IPv4 or IPv6 address of the Device associated with this Event. For Device/Metric integrations, it is useful if an entry exists in the Device Catalog (similar to Node). Customer.rules will set this to 0.0.0.0 if not previously set. |
| LastChanged | Number | Epoch time with milliseconds; must be changed manually by everything that modifies the Event, like Event List Tools, CAPE, or other applications. The application processing the event will generally set it to the time the event was received/retrieved. The default "INSERT/ON DUPLICATE UPDATE" code will update if a duplicate event is received. Rules should not update the value. |
| LastReported | Number | Epoch time with milliseconds of the last time this Event happened. The application processing the event will generally set it to the time the event was received/retrieved, but rules could change it, if needed. The default "INSERT/ON DUPLICATE UPDATE" code will update if a duplicate event is received. In the UI, the default display for event lists calls this field Last Occurred. |
| Location | Alphanumeric | Name, address, or something similar associated with the Event. Event Analytics will use this if it is set. |
| Method | Alphanumeric | Protocol of how the event was received/retrieved. The binary will set a default value (Trapd, Syslogd, for example), but it can be updated in the rules, if needed. |
| Node | Alphanumeric | Usually the DNS Name of the Device associated with this Event, and set via an IP lookup in the application that received the event. For Device/Metric integrations, it is useful if an entry exists in the Device Catalog (similar to IPAddress). Rules can update this field, if needed. In the UI, the default display for event lists calls this field Device. |
| OrigSeverity | Number | The original severity when the event was first created. The event binaries will set this to the same as Severity on INSERT, but will not be changed on UPDATE. |
| OwnerName | Alphanumeric | The name of the currently responsible person. Some event Tools (for example, Acknowledge, Delete, and Take Ownership) set this to the username that ran the tool; UnAcknowledge sets it to 0. This field was OwnerId in Assure1 v4. |
| RootCauseFlag | Number | Used by applications to know whether the event is being processed as a root cause of another event or not. |
| RootCauseID | Number | Used by applications to know whether the event was caused by another event or not. |
| RootCauseKey | String | The event key of the selected event's root cause. Populated by the RCA Availability Engine microservice. |
| Score | Number | If a Priority value is set on a device, this field can be set to the event Severity * Priority to increase the number. Event Filters can be configured to show the highest-scoring Events first, or other processing may utilize this value. |
| Service | Alphanumeric | The SLM applications will set this to the name of the SLM Service if a violation is detected. |
| ServiceImpact | Number | Flag to indicate a provided service has been impacted. Allowed values: 0 = Not service impacting, 1 = Service impacting. |
| Severity | Number | Must be a value between 0 and 5. The event will change colors in the Event List based on the severity. |
| ShardID | Number | The database shard that the event data came from. This is not an event field in the database, but it appears in event lists. |
| SubDeviceType | Alphanumeric | Used for vendor or model information for the event. Customer.rules will set this to Unknown if not previously set. |
| SubMethod | Alphanumeric | Usually set in rules to the specific processing that was done on the event. For example, the MIB that defines the trap, or the string "watchdog", or "Unknown". |
| SubNode | Alphanumeric | The Instance of the Event. For example, the ifIndex value of a linkUp trap. The mechanization CorrelateProblemResolutions requires that this is the same for correlating events. This field was SubAlarmGroup in Assure1 v4. |
| Summary | Text | The free-form text that is usually shown in the Event List. It should be a standalone description of the event. The Default display will also show the user the Node, EventType, Count, FirstReported and LastReported fields, so those details do not need to be repeated here. In the UI, the default display for event lists calls this field Event Text. |
| TicketFlag | Number | A flag for the ticket state of this event. 0 = no ticket; 1 = ticket to be created; 2 = processing; 3 = opened. |
| TicketID | Alphanumeric | The Ticket ID associated with this Event in the external system. Should be populated by the process done to open the ticket in the external system. |
| ZoneID | Number | Can be set to the Device Zone that the device is in. |
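
The deduplication and problem/resolution behaviour described for EventKey, Count, FirstReported, LastReported, OrigSeverity and EventCategory can be traced with a small in-memory model. This is an added example, not Unified Assurance code: the functions upsert, correlate and demo, the sample events, matching on Node, refreshing Severity on a duplicate, and closing the Resolution event together with the Problem are all assumptions made for illustration.

```python
# Added illustration: an in-memory model of the live Event.Events table.
# Not Unified Assurance code; it only mirrors the field rules described above.

def upsert(live, ev, now_ms):
    """Insert ev, or deduplicate it against the live event with the same EventKey."""
    cur = live.get(ev["EventKey"])
    if cur is None:
        # INSERT: Count, OrigSeverity and FirstReported are fixed at creation.
        cur = dict(ev, Count=1, OrigSeverity=ev["Severity"],
                   FirstReported=now_ms, LastReported=now_ms, LastChanged=now_ms)
        live[ev["EventKey"]] = cur
    else:
        # ON DUPLICATE: FirstReported and OrigSeverity are left untouched.
        cur["Count"] += 1
        cur["LastReported"] = cur["LastChanged"] = now_ms
        cur["Severity"] = ev["Severity"]  # assumption: duplicates refresh Severity
    return cur

def correlate(live, now_ms, match=("Node", "EventType", "SubNode")):
    """Pair Resolutions (category 1, severity 0) with open Problems (category 2)."""
    # Assumptions: Node is part of the match, and the Resolution is closed too.
    ident = lambda e: tuple(e.get(f) for f in match)
    closed = []
    for res in [e for e in live.values()
                if e["EventCategory"] == 1 and e["Severity"] == 0]:
        problems = [e for e in live.values() if e["EventCategory"] == 2
                    and e["Severity"] > 0 and ident(e) == ident(res)]
        for e in (problems + [res] if problems else []):
            e.update(EventCategory=3, Severity=0, ExpireTime=300,
                     LastChanged=now_ms, Actor="EventMechanization")
            closed.append(e["EventKey"])
    return closed

def demo():
    """Constructed sample: two linkDown traps, then a linkUp for the same ifIndex."""
    base = {"Node": "rtr1.example.net", "EventType": "linkUpDown", "SubNode": "3"}
    down = dict(base, EventKey="rtr1-linkDown-3", EventCategory=2, Severity=4)
    up = dict(base, EventKey="rtr1-linkUp-3", EventCategory=1, Severity=0)
    live = {}
    upsert(live, down, 1000)
    upsert(live, down, 2000)  # same EventKey: deduplicated, Count becomes 2
    upsert(live, up, 3000)
    return live, correlate(live, 4000)

if __name__ == "__main__":
    live, closed = demo()
    print(closed, live["rtr1-linkDown-3"])
```

After correlation the Problem event keeps OrigSeverity = 4 and FirstReported = 1000 while Severity drops to 0 and ExpireTime is 300, which is why OrigSeverity and Count are the fields to look at when reviewing how serious and how frequent a cleared event was.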