In essence, I want SL to ignore the last field (glbID) when it tries to match the events.
Is this possible?
Thanks
Best answer by BryanHarding
I was wondering, could I use Identifier Pattern?
For example, I could use %1-%2-%3-%4 so it ignores the final field?
In short, no, as that’s not how the Identifier Pattern and Identifier Format fields work.
Identifier Pattern is utilized to extract data from the source alert message for the purposes of setting the sub-entity and setting variable values that may be used within Identifier Format. Regardless of whether the Identifier Format value is referenced in the Event Message, it does set the sub-entity value for the resulting event record. For an event record to increment occurrence rather than create a new event record, regardless of the Message Match setting, the record has to match on the following criteria:
Entity (ex. device)
Alert source type (and alert ID if Internal or Dynamic Application sourced)
Sub-entity
Sub-entity Name
Sub-entity ID
Sub-entity Type
In the instance of using Identifier Pattern and Identifier Format you’re setting the sub-entity to be what you’re extracting from the source alert; if that varies then that’ll be seen as an alert for a different sub-entity even if both event records align to the same device.
The Message Match event policy setting with API alerts determines if Skylar One will generate a new event or update an existing event record based on whether the resulting event message contains the same text; if set to enabled a new event record will be created unless the event message matches exactly.
In your example, if the event policy is configured with %M (meaning the alert message is included in the resulting event message) you have two different alert messages resulting in two different event messages (“Issue: broken ID: 39393” vs. “Issue: broken ID: 53291”) thus resulting in two separate event records.
If you disabled Message Match for the event policy in this scenario, the single event would have the count incremented and the existing event record’s event message would be updated to reflect that latest event message generation.
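To make the matching rules in this answer concrete, here is a small added model (not SL1/Skylar One code, and the field names, the regex-based identifier pattern and the sample alerts are assumptions) that replays the two alert messages from the question under each setting:

```python
import re
from dataclasses import dataclass

# Constructed model of the matching rules described above; it is not
# SL1/Skylar One code and the field names here are assumptions.

@dataclass
class EventRecord:
    entity: str
    source: str
    sub_entity: str
    message: str
    count: int = 1

def make_key(entity, source, sub_entity, message, message_match):
    # Entity, alert source and sub-entity always take part in matching;
    # the event message only does when Message Match is enabled.
    key = (entity, source, sub_entity)
    return key + (message,) if message_match else key

def process_alert(records, entity, source, alert_msg,
                  identifier_pattern=None, message_match=True):
    # An Identifier Pattern (modelled as a regex with one group, an assumption)
    # sets the sub-entity from the alert text; with no pattern it stays empty.
    sub_entity = ""
    if identifier_pattern:
        m = re.search(identifier_pattern, alert_msg)
        sub_entity = m.group(1) if m else ""
    key = make_key(entity, source, sub_entity, alert_msg, message_match)
    if key in records:
        rec = records[key]
        rec.count += 1          # increment occurrence instead of a new record
        rec.message = alert_msg  # existing record shows the latest message
    else:
        records[key] = EventRecord(entity, source, sub_entity, alert_msg)
    return records

# Constructed sample alerts, using the two messages from the question (%M).
ALERTS = ["Issue: broken ID: 39393", "Issue: broken ID: 53291"]

def run(message_match, identifier_pattern=None):
    records = {}
    for msg in ALERTS:
        process_alert(records, "router1", "api", msg,
                      identifier_pattern, message_match)
    return list(records.values())
```

With Message Match enabled the two messages yield two records; with it disabled they collapse into one record with count 2, unless an identifier pattern pulls the varying ID into the sub-entity, which again splits them.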
The reason I have enabled message match is because it will post various issues which I don't want to be created as one event. I guess the easiest way to explain is I want Message Match enabled for some fields and not one.