How do I enrich alarms using the SOI event integration

Document ID : KB000049312
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

I have integrated the SOI Event Integration (EI) into Spectrum Infrastructure Manager but am having trouble enriching alarms.

Solution:

Here is how to enrich an alarm:

For our example scenario we chose the Trouble Ticket ID field which all alarms have by default and is normally blank unless manually populated, or populated automatically by other data sources such as the Spectrum Service Desk Integration. This column is not displayed in Alarm views out of the box. To display it, right click on any column in the Alarms tab of the Spectrum OneClick client console and select the 'Trouble Ticket ID' column to be displayed.

On the EI Manager Host, if we look at the spectrum-src.xml file found in the directory:
\Program Files (x86)\CA\Event Integration\Manager\PolicyStore\sources

This is one of the default lines in this file:
<Field format="[{0},{1},{2}]" input="spectrum_AlarmId,spectrum_AlarmType,spectrum_Cause" output="internal_msgvalue"/>

Here is one that has been edited:
<Field format="{0}-enhanced by EI" input="spectrum_TroubleTicket" output="spectrum_Alarm_TroubleTicketID"/>

The first double quote ("") section tells EI what to get from the incoming alarm. The {0} means take the value that is already there, and add whatever else is in the "". So in this case if there was a value, for example '456', take 456 and append '?enhanced by EI' after that value.

NOTE: *** if there is no value, this rule will fail. In the example above, if the trouble ticket id is blank the rule will fail.

The second value between "" tells EI what part of the alarm we are looking at and pulling the value referenced in the first section from.

The third value between "" tells EI what section of the alarm to put the new value into, it must always start with spectrum_Alarm (case sensitive) and then the actual field name.

Here is a rule that will actually work for us for this test, since the Trouble Ticket ID field will be blank.
<Field format="3-abc" input="" output="spectrum_Alarm_TroubleTicketID"/>

Note the {0} is gone from the first section, so we are not expecting any input and will instead add the value '3-abc'. Since we are not expecting input, the second section is also blank.

Finally, we have defined what field in the alarm to enhance in the third section.

The following is a rundown of this process and then we show the actual alarm with the enriched value from the EI Integration.

The EI framework service (CA EI IFW) gets the alarms from SPECTRUM and returns the enriched alarms to SPECTRUM:

Figure 1

The CORE service ( CA EI CORE) seen below is the service that actually performs the processing and enriching of the alarms:

Figure 2

Here we see a default alarm in Spectrum for contact lost due to an incorrect SNMP Community String in the following screen shots:

Figure 3

Figure 4

Figure 5

Here we see the alarm raised and the Trouble Ticket ID field is blank:

Figure 6

Now on the EI host server the CORE ( CA EI CORE) service has been stopped which triggers the framework service (CA EI IFW) to pick up the alarm and it creates a file in the inbox folder as seen below:

Figure 7

Then the CORE (CA EI CORE) service is restarted and we see the *.in files have been moved to the Wipbox (work in progress) folder and are being processed; the *.in files are being turned into the *.out file which gets sent back to Spectrum. (The .out file is the last one in the screenshot):

Figure 8

For the sake of this article, we have stopped the framework service (CA EI IFW) so we can see the *.out file it in the Outbox folder once it is finished being created:

Figure 9

Here we see the Events created in Spectrum that report that a Spectrum Alarm has been received in an enriched form:

Figure 10

Here we see the Alarm that has been enriched, which now has a value, for the Trouble Ticket ID field added to it:

Figure 11