
Event fields

To enter the event management system, an event must contain values for the device, severity, and summary fields. Resource Manager rejects events that are missing any of these fields.

Basic event fields are as follows:

  • Summary
  • Device
  • Component
  • Severity
  • Event Class Key
  • Event Class
  • Collector

Events include numerous other standard fields. Some control how an event is mapped and correlated; others provide information about the event.

Device field

The device field is a free-form text field that allows up to 255 characters. Resource Manager accepts any value for this field. If the device field contains an IP address or a hostname that matches a managed device, the system automatically identifies that device and attaches the event to it.

Resource Manager automatically adds information to incoming events that match a device. Fields added are:

  • prodState - Specifies the device's current production state.
  • Location - Specifies the location (if any) to which the device is assigned.
  • DeviceClass - Classifies the device.
  • DeviceGroups - Specifies the groups (if any) to which the device is assigned.
  • Systems - Systems (if any) to which the device is assigned.
  • DevicePriority - Priority assigned to the device.

Status field

The Status field defines the current state of an event. This field is often updated after an event has been created. Values for this numeric field are 0-6, defined as follows:

Number  Name          Description
0       New           Initial state upon creation
1       Acknowledged  A user has seen and marked the event
2       Suppressed    A transform has suppressed the event
3       Closed        A user action has closed the event
4       Cleared       A corresponding clear event has cleared the event
5       Dropped       A transform has dropped the event, so the event is not persisted
6       Aged          Automatically closed because of the severity and last seen time values

Severity field

The following table maps event severity levels to their labels and colors.

Level  Label     Color
5      Critical  Red
4      Error     Orange
3      Warning   Yellow
2      Info      Blue
1      Debug     Grey
0      Clear     Green

Summary and message fields

The summary and message fields are free-form text fields. The summary field allows up to 255 characters. The message field allows up to 4096 characters. These fields usually contain similar data.

The system handles these fields differently, depending on whether one or both are present on an incoming event:

  • If only summary is present, then the system copies its contents into message and truncates summary contents to 128 characters.
  • If only message is present, then the system copies its contents into summary and truncates summary contents to 128 characters.
  • If summary and message are both present, then the system truncates summary contents to 128 characters.

As a result, data loss is possible only if the summary or message content exceeds the maximum length of the message field, or if both fields are present and the summary content exceeds 128 characters (the excess is truncated and is not preserved in message).

To ensure that enough detail can be contained within the 128-character summary field limit, avoid reproducing information in the summary that exists on other fields (such as device, component, or severity).
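The following is an added example, not Resource Manager code: a small Python model of the ingest rules this section describes (the required device, severity and summary fields, the summary/message copy-and-truncate rules, and the cases in which content is actually lost), plus a check for the advice above about not repeating device or component in the summary. The function names, the ordering of the copy step before the required-field check, and the use of 4096 as the message limit are assumptions of this example.

```python
"""Added example, not Zenoss Resource Manager code.

Models the ingest rules stated in this section: the required fields
(device, severity, summary), the summary/message copy-and-truncate rules,
and where content is actually lost. The 128-character stored summary
comes from the text; treating 4096 as the message limit is an assumption
of this example.
"""

SUMMARY_STORED_MAX = 128   # summary is truncated to this on ingest
MESSAGE_MAX = 4096         # assumed message limit (see module docstring)
REQUIRED_FIELDS = ("device", "severity", "summary")
SEVERITIES = {0: "Clear", 1: "Debug", 2: "Info", 3: "Warning", 4: "Error", 5: "Critical"}


class EventRejected(ValueError):
    """Raised when an event lacks a required field or has a bad severity."""


def missing_required(event):
    """Names of required fields that are absent or empty, in declared order."""
    return [f for f in REQUIRED_FIELDS if event.get(f) in (None, "")]


def normalize_event(event):
    """Apply the summary/message rules and return (normalized_event, lost).

    `lost` lists the fields whose content was discarded by truncation,
    which is the data-loss case the text describes.
    """
    ev = dict(event)
    lost = []
    summary, message = ev.get("summary"), ev.get("message")

    # Copy step. The text says a message-only event gets its summary filled
    # from message, so the copy runs before the required-field check
    # (this ordering is the example's reading of the page, not confirmed by it).
    if summary is None and message is not None:
        ev["summary"] = message
    elif message is None and summary is not None:
        ev["message"] = summary

    missing = missing_required(ev)
    if missing:
        raise EventRejected("missing required field(s): %s" % ", ".join(missing))
    if ev["severity"] not in SEVERITIES:
        raise EventRejected("severity must be 0-5, got %r" % (ev["severity"],))

    # Truncate step. Summary is always cut to 128. When both fields were
    # supplied, the summary tail has no other home and is lost; when summary
    # was copied into message, the full text survives there.
    if len(ev["summary"]) > SUMMARY_STORED_MAX:
        if summary is not None and message is not None:
            lost.append("summary")
        ev["summary"] = ev["summary"][:SUMMARY_STORED_MAX]
    if len(ev["message"]) > MESSAGE_MAX:
        lost.append("message")
        ev["message"] = ev["message"][:MESSAGE_MAX]
    return ev, lost


def redundant_in_summary(event):
    """Fields whose value is repeated verbatim in the summary, spending the
    128-character budget on data the event already carries elsewhere."""
    summary = event.get("summary") or ""
    return [f for f in ("device", "component")
            if event.get(f) and str(event[f]) in summary]


if __name__ == "__main__":
    # Constructed sample events, not captured data.
    samples = [
        {"device": "host1", "severity": 4, "summary": "x" * 200},
        {"device": "host1", "severity": 4, "summary": "x" * 200, "message": "long form"},
        {"device": "host1", "severity": 4, "message": "y" * 300},
        {"device": "host1", "component": "eth0", "severity": 3,
         "summary": "host1 eth0 inbound errors above threshold"},
    ]
    for sample in samples:
        ev, lost = normalize_event(sample)
        print(len(ev["summary"]), len(ev["message"]), lost, redundant_in_summary(ev))
```

The interesting cases are the second and fourth samples: a caller that sends both fields with a long summary silently loses the summary tail, and a summary that repeats the device and component names wastes much of the 128 characters that survive ingest.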

Other fields

The following list describes additional event fields.

  • dedupid - Dynamically generated fingerprint that allows the system to perform de-duplication on repeating events that share similar characteristics.
  • component - Free-form text field (maximum 255 characters) that allows additional context to be given to events (for example, the interface name for an interface threshold event).
  • eventClass - Name of the event class into which this event has been created or mapped.
  • eventKey - Free-form text field (maximum 128 characters) that allows another specificity key to be used to drive the de-duplication and auto-clearing correlation process.
  • eventClassKey - Free-form text field (maximum 128 characters) that is used as the first step in mapping an unknown event into an event class.
  • eventGroup - Free-form text field (maximum 64 characters) that can be used to group similar types of events. This is primarily an extension point for customization and is not used in a standard system.
  • stateChange - Last time that any information about the event changed.
  • firstTime - First time that the event occurred.
  • lastTime - Most recent time that the event occurred.
  • count - Number of occurrences of the event between the firstTime and lastTime.
  • prodState - Production state of the device at the time the event was received. This value is not updated when the device's production state later changes; it always reflects the state when the event entered the system.
  • agent - Typically the name of the daemon that generated the event. For example, an SNMP threshold event will have zenperfsnmp as its agent.
  • DeviceClass - Device class of the device that the event is related to.
  • Location - Location of the device that the event is related to.
  • Systems - Pipe-delimited list of systems that the device is contained within.
  • DeviceGroups - Pipe-delimited list of groups that the device is contained within.
  • facility - Only present on events coming from syslog. The syslog facility.
  • priority - Only present on events coming from syslog. The syslog priority.
  • ntevid - Only present on events coming from the Windows event log. The NT Event ID.
  • ownerid - Name of the user who acknowledged this event.
  • clearid - Only present on events in the archive that were auto-cleared. The evid of the event that cleared this one.
  • DevicePriority - Priority of the device that the event is related to.
  • eventClassMapping - If this event was matched by one of the configured event class mappings, contains the name of that mapping rule.
  • monitor - In a distributed setup, contains the name of the collector from which the event originated.

In addition to the standard fields, the system allows an arbitrary number of additional name/value pairs to be attached to an event to give it more context.