Work with event processing flows - Application Real-Time Monitoring Service

After you integrate multiple alert sources with the alert management module of Application Real-Time Monitoring Service (ARMS), you can configure event processing flows to filter and classify events that are generated by the alert sources. This topic describes how to create an event processing flow.

Create an event processing flow

Log on to the ARMS console.
In the left-side navigation pane, choose Alert Management > Event Processing Flows.
On the Event Processing Flow page, click Create Processing Flow in the upper-right corner.
On the Create Processing Flow page, enter a name for the event processing flow in the Basic Information section.

In the Flow Action Settings section, configure the event processing flow.

Drag actions from the Available Actions section to the Event Processing Flow section.

In the rightmost section, configure the trigger conditions for each action in the event processing flow.

Note After you configure the trigger conditions, you can perform actions on alert fields in the Test Data section to check whether the actions can be triggered.


Action	Description	Example
Trigger Conditions	Triggers the current event processing flow when events meet the trigger conditions.	Scenario You want the current event processing flow to be triggered when events are generated by an integration named Container CPU utilization alert. Configuration Set the following condition: `_aliyun_arms_integration_name is equal to container CPU utilization`.
Filter Events	Filters events. Events that meet the filter conditions skip the current event processing flow and proceed to the next event processing flow. Events that do not meet the filter conditions proceed to the next action in the current event processing flow. Note If no event is generated for your alert rule, you can filter events by configuring the `_aliyun_arms_integration_id` and `_aliyun_arms_integration_name` fields that are preset in ARMS. You can configure event fields such as severity and alertname by using one of the following methods: Manually enter the fields. Add an alert rule that meets a condition to generate an event for the alert rule. After an event is generated for the alert rule, you can filter events by configuring event field values.	Scenario You want events whose severity levels are P4 to skip the current event processing flow. Configuration Set the following condition: `severity is equal to P4`.
Identify Event Types	Identifies the class and type of an event based on the event field values that you specify. This allows you to query and collect statistics about events and alerts. The following event classes can be identified: Network Storage Compute OS Application Database Change The following event types can be identified: Availability Latency Capacity Error Unknown	Scenario You want the system to identify event classes and event types based on the values of the `alertname` and `message` fields. Configuration Set Fields Used to Identify Types to `alertname` and `message`. Result The system writes the class and type of an event to the `class` and `type` fields of the event.
Set Event Level	Sets the severity level of an event to a specified value.	Scenario You want to set the severity levels of events that are generated for your core services to P1 if the value of the class field of the events is network. Configuration Set the following condition for the Trigger Conditions action: `class is equal to network`. In the Set Event Level action, select P1 for the Set Event Level field. Result
Set Business Tags	Adds the label field to an event. This allows you to query and collect statistics about events and alerts. Field: uses the value of a specified field of an event as the value of the `label` field. Value: specifies a value for the `label` field.	Scenario You want to use the severity levels of events as the values of the label field. This way, you can collect statistics about events of each severity level. Configuration In the Update Following Value to Business Tag section, select `Field and severity`. Result The `label` field is added to an event. The value of the `label` field is the same as the value of the `severity` field.
Delete Fields	Deletes the specified fields from an event.	Scenario Alert events contain the `location` and `region` fields, but the `location` field already contains region information. You want to delete the `region` field from events. Configuration Set the Delete Fields parameter to `region`.
Extract Content	Allows you to use a regular expression to extract information from a field and populate new fields with the information.	Scenario Alert field: `"location":"cn-hangzhou-hz4"` You want to extract information about the region and location from the `location` field and populate the `region` and `datacenter` fields with the information. Configuration Fields to Be Extracted: `location` Regular Expressions: `([a-zA-z]+-[a-zA-z]+)-(.*)` Padding Results: `region` and `datacenter` Result
Match Updates	Sets the field to be updated to a specified value if the match field contains the specified content.	Scenario Alert field: `"message":"ping to i-bp1e42d0ydxf7pstuepz > 100ms"` You want to update the class field of an event to network if the `message` field contains `ping`. Configuration Matching Fields: `message` Update Field Values When Following Conditions Are Met: Includes: `ping`. Output `network` Note You can configure a specific value or a regular expression for the Includes parameter. Fields for Padding: `class` Result
Enrich Fields	Allows you to call an API operation or query a local Excel data source, generate an output value, and then populate the destination fields with the output value. Note The data source feature is in canary release. To use the feature, contact Alert Management technical support (DingTalk account ID: `d9j_rg9e4062f`).	Scenario You want to query a hostname in the uploaded Excel data source based on the IP field of the alert event, and then populate the `hostname` field with the hostname. Configuration Select data source: Obtain Host Data Source - Excel Match update mode: `ip` (Excel column name) Equal `ip` (Excel column value) Fields for Padding: `$.hostName` (Column name returned by the Excel query) Fill `hostname`
Replace Content	Replaces the content of a specified field. You can use a regular expression to search for the content that you want to replace.	Scenario You want to replace the string `d.b.` with the string `database`. Configuration Content to Be Replaced: `message` Replace Content: `d\.b\` Note You can specify a specific value or a regular expression. With: `database` Result
Split Content	Splits the value of a specified field into multiple values by using a delimiter, and populates the destination fields with the values.	Scenario Alert field: `"message":"myhostid_myuserid_myruleid"` You want to split the value of the `message` field into `hostid`, `userid`, and `ruleid`, and populate new fields with the values. Configuration Field to Be Split: `message` Delimiter: `_` Fields Used to Pad Splitting Results: `hostId`, `userId`, and `ruleId` Note The fields are populated in sequence. Result
Pad Template	Enter the template content, for example, the source of the event of type `${class}` is `${source}`. The variable name is the field name after the event is integrated. The template is rendered and then padded into the target field.	Scenario Alert field: `"source":"server", "class":"network"` You want to populate the `message` field with the following template: `${class} events are from ${source}`. The template references the values of the `class` and `source` fields. Configuration Template to Be Padded: `${class} events are from ${source}`. Fields for Padding: `message` Results
Discard	Discards an event. You can use this action only as the last action of an event processing flow. You do not need to configure this action.	N/A.

In the Test Data section, enter fields and field values, or click Select From Events to select an existing alert event, and then click Test.
Click Save.
After you create an event processing flow, events from alert sources are filtered by the event processing flow. You can view the results on the Alert Event History page. For more information, see View historical alert events.

Manage an event processing flow

After you create an event processing flow, you can perform the following operations on the event processing flow:

Rearrange event processing flows: find the event processing flow that you want to manage and click Up or Down in the Actions column.
Enable or disable an event processing flow: find the event processing flow that you want to manage and click Enable or Stop in the Actions column.
Modify an event processing flow: find the event processing flow that you want to modify and click Edit in the Actions column.
Delete an event processing flow: find the event processing flow that you want to delete and click Delete in the Actions column. In the message that appears, click OK.

View alert events after they are processed

In the left-side navigation pane, choose Alert Management > Alert Event History.

On the Alert Event History page, you can view all alert events. You can click the name of an alert event to view the details of the event. For more information, see View historical alert events