Event class mappings
To view event class mappings, select EVENTS > EVENT CLASSES, and then select Mapping Instances in the drop-down list. This allows you to see all event class mappings in a single location. The ID column shows the mapping's event class.
You can create event class mappings directly from the event classes, but this requires that you know the event class key. A simpler way to create event class mappings is through the event console:
- Select an event that you want to match in the event console.
- Click the Reclassify an Event icon. The Classify Events dialog appears.
- Select the event class to which you want to map the event, and then click Submit. This creates the event class mapping with the correct event class key, and example text against which you can develop your regular expression.
When editing an event class mapping, you can control which events it will match, as well as other properties:
- Matching tab
  - Event Class Key: Must match the incoming event's Event Class Key field for this mapping to be considered as a match for events.
  - Rule: Provides a programmatic secondary match requirement. It takes a Python expression. If the expression evaluates to True for an event, this mapping is applied.
  - Regex: The regular expression match is used only in cases where the rule property is blank. It takes a Perl Compatible Regular Expression (PCRE). If the regex matches an event's message field, then this mapping is applied.
  - Explanation: Free-form text field that can be used to add an explanation field to any event that matches this mapping.
  - Resolution: Free-form text field that can be used to add a resolution field to any event that matches this mapping.
- Transforms tab: Takes Python code that will be executed on the event only if it matches this mapping. For more details on transforms, see the section titled "Event Class Transform."
- Configuration Properties tab: Listing of Configuration Properties defined for this event class.
- Sequence tab: Sequence number of this mapping. This number determines the order in which mappings with the same event class key are evaluated.
Mappings have the same configuration properties as event classes. Any configuration property set locally on a mapping overrides the same property set on the event class. This follows the same hierarchical, most-specific-match model that device class and device configuration properties use.
When a captured event occurs, it will not have a pre-defined event class. For this type of event, you must create an event class mapping if you want to affect the event. If a captured event occurs and none of the event class mappings in the system match it, its event class will be set to /Unknown, and it will retain all of the default properties with which it began.
The next step of evaluation for events without an event class is to check the Event Class Key field. This controls which event class mapping the event will match. If the event has a blank event class key, or its event class key does not match any event class mappings in the system, the special "defaultmapping" event class key is searched for instead. This provides a way to map events even if they have a blank or unpredictable event class key.
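The matching order described above (event class key, then sequence, then rule or regex, with "defaultmapping" and /Unknown as fallbacks) can be modelled in a few lines. This is an added example, not the product's own code: the `Mapping` class, the `evt` name exposed to rules, the `eventClassKey` and `severity` attribute names, and the event classes and events are all constructed for illustration, and Python's `re` stands in for PCRE. It assumes a mapping with a blank rule and blank regex matches on key alone.

```python
import re
from dataclasses import dataclass
from types import SimpleNamespace

@dataclass
class Mapping:                 # hypothetical model of one event class mapping
    event_class: str           # class assigned on match (constructed names)
    event_class_key: str       # must equal the event's event class key
    sequence: int              # lower sequence numbers are evaluated first
    rule: str = ""             # Python expression; used whenever it is set
    regex: str = ""            # consulted only when rule is blank

def make_event(key, message, severity):
    """Build a constructed event; attribute names are assumptions."""
    return SimpleNamespace(eventClassKey=key, message=message, severity=severity)

def _matches(mapping, evt):
    if mapping.rule:
        # eval runs the rule as real Python, so whoever can edit a rule
        # effectively has code execution in this process.
        return bool(eval(mapping.rule, {}, {"evt": evt}))
    if mapping.regex:
        return re.search(mapping.regex, evt.message) is not None
    return True  # assumption: blank rule and regex match on key alone

def classify(evt, mappings):
    """Return the event class an unclassified event ends up with."""
    key = evt.eventClassKey
    candidates = [m for m in mappings if key and m.event_class_key == key]
    if not candidates:
        # Blank key, or no mapping uses this key: search "defaultmapping".
        candidates = [m for m in mappings
                      if m.event_class_key == "defaultmapping"]
    for m in sorted(candidates, key=lambda m: m.sequence):
        if _matches(m, evt):
            return m.event_class
    return "/Unknown"          # nothing matched

# Constructed sample mappings
MAPPINGS = [
    Mapping("/Security/Login", "sshd", 1, rule="evt.severity >= 3"),
    Mapping("/Security/Login/Fail", "sshd", 0,
            regex=r"Failed password for (invalid user )?\S+"),
    Mapping("/App/Catchall", "defaultmapping", 0, regex=r"(?i)error"),
]

if __name__ == "__main__":
    evt = make_event("sshd", "Failed password for root from 10.0.0.5", 2)
    print(classify(evt, MAPPINGS))
```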