8 Replies Latest reply on Jan 27, 2019 4:35 AM by Stephane Guedon

    MRL-Event severity update based on event slot value

    Alvaro Paronuzzi

      Dear MRL experts,

       

      This is what I am trying to achieve with my MRL rules: according to the value inside an event slot, update the event severity using a data table.

       

      Example of Data Table:

      SKL_CIA_TO_BMC_SEVERITY;
          cia_severity = 3;
          bmc_severity = MINOR;
      END

      SKL_CIA_TO_BMC_SEVERITY;
          cia_severity = 4;
          bmc_severity = MINOR;
      END

      SKL_CIA_TO_BMC_SEVERITY;
          cia_severity = 5;
          bmc_severity = MAJOR;
      END

      SKL_CIA_TO_BMC_SEVERITY;
          cia_severity = 6;
          bmc_severity = MAJOR;
      END

      SKL_CIA_TO_BMC_SEVERITY;
          cia_severity = 7;
          bmc_severity = CRITICAL;
      END


      Every time the event slot value gets updated (so I think I should use a "when" clause) I should check the corresponding severity value and update the event severity according to the data table.

       

      My current version of the MRL rules is:

       

      refine RefineSecurityEvSev: SKL_SECURITY_EV ($EV) where [$EV.status == OPEN]
          using {SKL_CIA_TO_BMC_SEVERITY ($SEVMAP) where [$SEVMAP.cia_severity equals $EV.skl_isms_cia]}
      {
          $EV.severity = $SEVMAP.bmc_severity;
      }
      END

       

      This version works for the first time, but when the skl_isms_cia event slot changes, the change is not detected by the rule because the "where" condition is evaluated only once. I think I should add a "when" clause on the skl_isms_cia slot changes but I currently don't understand where I should add it.

       

      Thanks in advance for any help you can provide.

       

      Regards,

      Al

        • 1. Re: MRL-Event severity update based on event slot value
          Brendan Murray

          Hi Al,

           

          The Refine rule phase is not the correct one to use for this requirement. You want to use the Execute phase. Execute is specifically designed to be triggered by changes to slot values of existing events. Refine acts only on new events.

           

          Here is a link to the documentation on the Execute phase: Execute rules - BMC TrueSight Infrastructure Management 10.7 - BMC Documentation

           

          Regards,

           

          Brendan

          • 2. Re: MRL-Event severity update based on event slot value
            Alvaro Paronuzzi

            Hi Brendan,

             

            thanks for the input.

            If my rule operates in the execute phase I am 100% sure that I can trigger an action based on the "when" clause, but how can this rule access the data table and retrieve the information at that point of the execution?

            Thanks in advance for your help.

             

            Al

            • 3. Re: MRL-Event severity update based on event slot value
              Brendan Murray

              Hi Al,

               

              Good question. The Execute phase does not support the using clause (CORRECTION: I have learned since posting this message that the Execute phase does support the use of the using clause. See my post below for more details), so the only way that I can see to do this is to use the generate_event primitive in your Execute rule to create a new event which can trigger your refine rule to do the table lookup. You would change your refine rule so that it is triggered by the event you generate from your Execute rule. The generate_event primitive is computationally expensive, so use it with caution. As long as your Execute rule is not firing hundreds of times a minute, I think the performance impact should be relatively low.

               

              There may be another way to solve this that I have not thought of. I would be interested to hear if anyone else has a better approach.

               

              Regards,

               

              Brendan

              • 4. Re: MRL-Event severity update based on event slot value
                Alvaro Paronuzzi

                Hi Brendan,

                 

                I implemented the severity mapping inside the execute rule instead of having it inside the data table.

                Maybe it's not the best solution but it works like a charm...

                 

                Regards,

                Al

                • 5. Re: MRL-Event severity update based on event slot value
                  Brendan Murray

                  Hi Al,

                   

                  If it works and performs well, that's really all that matters. Having said that, I should mention that if you are using if-then-else clauses, especially nested ones, in your rule to do the severity mapping, that may not be the most efficient way to do it. We recommend avoiding complex, nested if-then-else clauses for performance reasons. There are ways of using LIST OF strings and string searches as mini data tables in rules. As long as you are not seeing performance problems, you probably don't need to worry about this. It's just something to keep in mind.

                   

                  Feel free to post your rule code on this thread. It may help others to solve similar problems.

                   

                  Thanks!

                   

                  Regards,

                   

                  Brendan

                  • 6. Re: MRL-Event severity update based on event slot value
                    Alvaro Paronuzzi

                    execute UpdateSecurityEvSev: SKL_SECURITY_EV ($EV)
                        where [$EV.status != CLOSED]
                        when $EV.skl_isms_cia
                    {
                        #CIA vs. Severity mapping
                        if $EV.skl_isms_cia == 0 then
                        {
                            $EV.severity = INFO;
                        }
                        else
                        {
                            if $EV.skl_isms_cia == 1 OR $EV.skl_isms_cia == 2 then
                            {
                                $EV.severity = WARNING;
                            }
                            else
                            {
                                if $EV.skl_isms_cia == 3 OR $EV.skl_isms_cia == 4 then
                                {
                                    $EV.severity = MINOR;
                                }
                                else
                                {
                                    if $EV.skl_isms_cia == 5 OR $EV.skl_isms_cia == 6 then
                                    {
                                        $EV.severity = MAJOR;
                                    }
                                    else
                                    {
                                        if $EV.skl_isms_cia == 7 OR $EV.skl_isms_cia == 8 OR $EV.skl_isms_cia == 9 then
                                        {
                                            $EV.severity = CRITICAL;
                                        }
                                        else
                                        {
                                            #Unexpected value: No value expected outside 0-9
                                            $EV.severity = UNKNOWN;
                                            #Trace unexpected case
                                            concat(['[ERROR] Unexpected CIA value - No value expected outside 0-9'],$ERRMSG);
                                            opadd($EV,'',$ERRMSG,'');
                                        };
                                    };
                                };
                            };
                        };
                    }
                    END

                     

                    Regards,

                    Al

                    • 7. Re: MRL-Event severity update based on event slot value
                      Brendan Murray

                      Hi Al,

                       

                      I consulted with my BMC colleague, Charles Kelley, who knows more about MRL than I do, on this question and he told me that I was wrong about the execute phase not being able to use the 'using' clause. In fact, you can have a 'using' clause in an execute rule, it's just not explicitly stated in the documentation. I apologize for misleading you, but the documentation is not very clear on this subject. Obviously, if your rule above works, you don't need to change it, but, for the record, here is a working solution that uses a data table and the 'using' clause:

                       

                      execute UpdateSecurityEvSev: SKL_SECURITY_EV ($EV) where [$EV.status == OPEN]
                          using
                          {
                              SKL_CIA_TO_BMC_SEVERITY ($SEVMAP) where [$SEVMAP.cia_severity == $EV.skl_isms_cia]
                          }
                          when $EV.skl_isms_cia
                          {
                              $EV.severity = $SEVMAP.bmc_severity;
                          }
                      END

                       

                      This second rule is only necessary if you want to include your "value out of range" error check. I am putting it in a separate rule because it won't work if I put it in the rule above. The reason is that, if the value is out of range, the 'using' lookup will fail to find a match. When that happens, the rule terminates. The rest of the rule is never executed and the event severity defaults to WARNING. Putting the if-then-else logic into a second rule solves this problem.

                       

                      # Change severity values outside 0-9 range to UNKNOWN
                      execute UpdateSecSevSevUnknown: SKL_SECURITY_EV ($EV) where [$EV.status == OPEN]
                          when $EV.skl_isms_cia
                          {
                              if ( $EV.skl_isms_cia < 0 OR $EV.skl_isms_cia > 9 ) then
                              {
                                  #Unexpected value: No value expected outside 0-9
                                  $EV.severity = UNKNOWN ;
                                  #Trace unexpected case
                                  $ERRMSG = concat(['[ERROR] Unexpected CIA value: ',inttostring($EV.skl_isms_cia),' - No value expected outside 0-9']);
                                  opadd($EV,'',$ERRMSG,'');
                              }
                          }
                      END

                       

                      Note also that my 'concat' function above concatenates a list of three comma-separated strings. The concat function in your rule is not really necessary because your list contains only a single string. You could just as easily have coded it this way:

                       

                      $ERRMSG = '[ERROR] Unexpected CIA value - No value expected outside 0-9';

                       

                      If you are interested, here is another coding approach using the 'unless' clause that Charles suggested. He did not have time to test it, so I can't guarantee it will work first time, but it should work. Again, it requires two rules in order to include your error check.

                       

                      execute UpdateSecurityEvSev: SKL_SECURITY_EV ($EV)
                          using
                          {
                              SKL_CIA_TO_BMC_SEVERITY ($D) where [$D.cia_severity == $EV.skl_isms_cia]
                          }
                          when $EV.skl_isms_cia
                          {
                              $EV.severity = $D.bmc_severity;
                          }
                      END

                      execute UpdateSecurityEvSev2: SKL_SECURITY_EV ($EV)
                          unless
                          {
                              SKL_CIA_TO_BMC_SEVERITY ($D) where [$D.cia_severity == $EV.skl_isms_cia]
                          }
                          when $EV.skl_isms_cia
                          {
                              $EV.severity = UNKNOWN;
                          }
                      END

                       

                      Finally, Charles also pointed out that the best reference for MRL coding examples is the default knowledge base that ships with the product. If you are ever looking for guidance on what is possible in MRL, search the OOTB KB using 'grep' or the Windows 'find' command for the appropriate keywords. There are lots of great examples. For instance, mc_sm_attach.mrl has an execute rule with a using clause.

                       

                      Regards,

                       

                      Brendan

                      2 of 2 people found this helpful
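A small Python model of the two-rule approach in the post above, added here as an illustration and not code from the thread or from BMC: the 'using' lookup terminates the rule when the data table has no matching row, so a separate 'unless' rule is what catches the out-of-range case. The table rows are the ones posted in the question; the event dictionary layout and the wording of the operation note are assumptions.

```python
# Constructed copy of the SKL_CIA_TO_BMC_SEVERITY data table from the question.
CIA_TO_BMC_SEVERITY = [
    {"cia_severity": 3, "bmc_severity": "MINOR"},
    {"cia_severity": 4, "bmc_severity": "MINOR"},
    {"cia_severity": 5, "bmc_severity": "MAJOR"},
    {"cia_severity": 6, "bmc_severity": "MAJOR"},
    {"cia_severity": 7, "bmc_severity": "CRITICAL"},
]


def lookup(cia):
    """Model of the 'using' clause: first table row whose cia_severity matches, else None."""
    for row in CIA_TO_BMC_SEVERITY:
        if row["cia_severity"] == cia:
            return row
    return None


def rule_update_sev(ev):
    """Model of UpdateSecurityEvSev: the body runs only when the lookup succeeds."""
    if ev["status"] != "OPEN":
        return False
    row = lookup(ev["skl_isms_cia"])
    if row is None:  # no match: the rule terminates, severity is left untouched
        return False
    ev["severity"] = row["bmc_severity"]
    return True


def rule_sev_unknown(ev):
    """Model of the 'unless' rule: fires only when the lookup finds nothing."""
    if ev["status"] != "OPEN" or lookup(ev["skl_isms_cia"]) is not None:
        return False
    ev["severity"] = "UNKNOWN"
    # Assumed equivalent of the opadd() trace note in the thread (event dict field "ops").
    ev.setdefault("ops", []).append(
        "[ERROR] Unexpected CIA value: %d - not in the severity table" % ev["skl_isms_cia"])
    return True


def on_cia_change(ev, new_cia):
    """Simulate the 'when $EV.skl_isms_cia' trigger: update the slot, apply both rules."""
    ev["skl_isms_cia"] = new_cia
    rule_update_sev(ev)
    rule_sev_unknown(ev)
    return ev["severity"]
```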
                      • 8. Re: MRL-Event severity update based on event slot value
                        Stephane Guedon

                        Hi

                         

                        Just take care: the execute phase may mostly be used when the slot value may change over time ... If the value is static, you may use the new phase.


                        This can have performance impacts.


                        Regards