
TN4121 Notebookv2

This document is a training guide for configuring IBM Cloud Pak for AIOps Event Manager, including course details, objectives, and a comprehensive agenda. It covers various topics related to event management, including definitions, challenges, and the functionalities of the Event Manager. The document also includes information about probes, lab environments, and terminology relevant to the training course.

Uploaded by

eboton

Configuring IBM Cloud Pak for AIOps Event Manager
Notebook
Course code TN412 / ZN412 ERC 1.0

IBM Training
March 2023 edition
Notices
© Copyright International Business Machines Corporation 2023.
This document may not be reproduced in whole or in part without the prior written permission of IBM.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM
representative for information on the products and services currently available in your area. Any reference to an IBM product, program,
or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent
product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's
responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this
document does not grant you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing, IBM Corporation, North Castle Drive, MD-NC119, Armonk, NY 10504-1785, US
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT,
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied
warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein;
these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s)
and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an
endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those
websites is at your own risk.
IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other
publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any
other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of
those products.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible,
the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to
actual people or business enterprises is entirely coincidental.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many
jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.
V12.0
Contents

Trademarks
Course description
Agenda

Unit 1. Overview
Unit objectives
Topics
1.1. Event Manager overview
Event Manager overview
What is an event?
What is event management?
Event management challenges
IBM Cloud Pak for AIOps – Event Manager
IBM Cloud Pak for AIOps Event Manager: actual outcomes
AIOps event Grouping: industry-leading advanced event correlation
AIOps event grouping example: temporal groups
AIOps event grouping example: topology groups
AIOps event grouping example: scope-based groups
AIOps intelligent event management: seasonality
AIOps intelligent event management: runbooks
AIOps intelligent event management: event enrichment
Event Manager terminology: ObjectServer
Event Manager terminology: probes
Types of probes
Event Manager terminology: webhooks
Event Manager terminology: gateways
Event Manager terminology: WebGUI
Event Manager terminology: AIOps user interface
Event Manager terminology: Impact
Event Manager terminology: WebSphere administrative console
1.2. About your lab environment
About your lab environment
Your lab topology
Unit summary
Review questions
Review answers
Exercise: Overview
Exercise objectives
Lab tips

Unit 2. Incoming integrations
Unit objectives
Topics
2.1. Probes
Probes
About probes
Types of probes
Probe operation

© Copyright IBM Corp. 2023 iii


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Probe Basics
Rules file
Rules file example
Tokens and fields
Testing and logic in rules files
Lookup tables
Lookup table example
Netcool Knowledge Library (NcKL)
2.2. Webhooks
Webhooks
About inbound webhooks
Incoming integrations
Custom inbound webhooks
Unit summary
Review questions
Review answers
Exercise: Incoming integrations
Exercise objectives
Lab tips

Unit 3. Temporal and seasonal event analytics
Unit objectives
Advanced event analytics: temporal grouping
Temporal pattern grouping
Temporal grouping policies
Seasonality
Training event analytics
Managing event analytics
Unit summary
Review questions
Review answers
Exercise: Temporal and seasonal event analytics
Exercise objectives
Lab tips

Unit 4. Topology
Unit objectives
Topology overview
Topology maps and views
Topology grouping
Probable cause
Resources and edges
Observers and observer jobs
The File observer
The REST observer
Resource and edge properties
Topology group templates
Topology rules
Topology dashboard
Unit summary
Review questions
Review answers
Exercise: Topology
Exercise objectives
Lab tips

Unit 5. Scope-based groups
Unit objectives
Scope-based groups
Configuring scope-based groups
Viewing scope-based groups
Super groups
Unit summary
Review questions
Review answers
Exercise: Scope-based groups
Exercise objectives
Lab tips

Unit 6. Runbooks
Unit objectives
About runbooks
Journey to automation with runbooks
Runbook personas
Runbook parameters
Connections to target systems
Runbook automations
Running a runbook
Creating runbooks
Runbook triggers
Runbooks and events
Runbook history
Example user feedback
Runbook statistics dashboard
Unit summary
Review questions
Review answers
Exercise: Runbooks
Exercise objectives
Lab tips

Unit 7. Triggers
Unit objectives
Topics
7.1. ObjectServer structure and SQL
ObjectServer structure and SQL
What is an ObjectServer?
ObjectServer databases
ObjectServer structure: alerts.status
ObjectServer structure: alerts.details
ObjectServer structure: alerts.journal
Introduction to ObjectServer SQL
Command-line access
Viewing data with SELECT
Fields and operators
IN operator and subqueries
Modifying data with UPDATE and SET
Creating data with INSERT
The administrator tool and the SQL workbench
7.2. Automations and triggers
Automations and triggers
Triggers (automations)

Trigger types
Trigger general settings
Trigger groups
WHEN clause
Trigger actions
Commonly used SQL commands
SQL code blocks: IF THEN ELSE
SQL code blocks: FOR EACH ROW
Trigger response sequence
Temporal trigger example
Database trigger example
Signal trigger example
Procedures
Adding journal entries with a trigger
Trigger best practices
Unit summary
Review questions
Review answers
Exercise: Triggers
Exercise objectives
Lab tips

Unit 8. User management
Unit objectives
Event Manager LDAP integration
Adding users and groups with the WebSphere Administrative Console
Adding users and groups directly to OpenLDAP
DASH Roles
Key roles
Unit summary
Review questions
Review answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-12
Exercise: User management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-13
Exercise objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-14
Lab tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-15

Unit 9. Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-1


Unit objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-2
Course objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-3
IBM credentials: Badges and certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-4
Learn more about this product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-5
Additional resources (1 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-6
Additional resources (2 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-7
Additional resources (3 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-8
Additional resources (4 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9-9
Additional resources (5 of 5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-10
Unit summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-11
Course completion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9-12

© Copyright IBM Corp. 2023 vi


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V12.0
Trademarks
The reader should recognize that the following terms, which appear in the content of this training
document, are official trademarks of IBM or other companies:
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International
Business Machines Corp., registered in many jurisdictions worldwide.
The following are trademarks of International Business Machines Corporation, registered in many
jurisdictions worldwide:
AIX® IBM Cloud® IBM Cloud Pak®
Insight® Jazz® Netcool®
Resource® Tivoli® WebSphere®
Linux® is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other
countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle
and/or its affiliates.
Ansible®, OpenShift® and Red Hat® are trademarks or registered trademarks of Red Hat, Inc. or its
subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
VMware is a registered trademark or trademark of VMware, Inc. or its subsidiaries in the United
States and/or other jurisdictions.
Other product and service names might be trademarks of IBM or other companies.

Course description
Configuring IBM Cloud Pak for AIOps Event Manager

Duration: 2 days

Purpose
The Event Manager component of IBM Cloud Pak for AIOps is a carrier-class service assurance
system. It collects and consolidates events and alarms from a wide variety of IT environments in
real time. These include servers, mainframes, Windows systems, applications, circuit switches,
voice switches, IP routers, SNMP devices, network management applications, existing
management systems and frameworks, among many others.
IBM Cloud Pak for AIOps Event Manager also adds intelligence to your events, allowing you to cast
a wide net to ingest relevant data from any source, process it in an intelligent, automated way,
analyze the data, see which applications or parts of the infrastructure are impacted, share it and
even suggest guided steps to mitigate or resolve issues automatically.
One key benefit of Event Manager's machine learning features is a reduction in the number of
events. By detecting, correlating, grouping, and suppressing the "noise" that IT systems generate,
your operators can focus their attention on key events that represent actual problems.
This 2-day course teaches you how to configure IBM Cloud Pak for AIOps Event Manager for
productive use. Through hands-on lab activities, you learn how to configure a new installation of
Event Manager to:
• Connect to event sources and enrich incoming events
• Apply machine learning to find relationships among events
• Add topology data to identify groups of connected resources and calculate root cause
• Create automated fixes for known problems and match them to incoming problem events
You also get hands-on practice with other common configuration tasks, such as user management
and database customization. This course focuses on IBM Cloud Pak for AIOps Event Manager
running on the Red Hat OpenShift Container Platform.

Audience
This course is intended for administrators of IBM Cloud Pak for AIOps Event Manager.

Prerequisites
• Experience with Linux
• Basic SQL knowledge
• Working knowledge of Kubernetes
• Experience with Red Hat OpenShift Container platform (RHOCP)
• Experience with IBM Cloud Pak for AIOps Event Manager is helpful, but not required

Objectives
• Describe the event management capabilities of the IBM Cloud Pak for AIOps
• Connect Event Manager to incoming data sources
• Work with Temporal and seasonal event analytics
• Configure the Event Manager topology service
• Create scope-based groups
• Create runbooks and map them to incoming events
• Work with triggers
• Manage users

Contents
• Overview
• Incoming Integrations
• Temporal and seasonal event analytics
• Topology
• Scope-based groups
• Runbooks
• Triggers
• User management

Agenda

Note

The following unit and exercise durations are estimates, and might not reflect every class
experience.

Day 1
(00:15) Course introduction
(00:45) Unit 1. Overview
(00:45) Exercise 1. Overview
(00:45) Unit 2. Incoming integrations
(01:00) Exercise 2. Incoming integrations
(00:45) Unit 3. Temporal and seasonal event analytics
(01:00) Exercise 3. Temporal and seasonal event analytics
(00:45) Unit 4. Topology
(01:00) Exercise 4. Topology

Day 2
(00:45) Unit 5. Scope-based groups
(01:00) Exercise 5. Scope-based groups
(00:45) Unit 6. Runbooks
(01:00) Exercise 6. Runbooks
(01:00) Unit 7. Triggers
(01:00) Exercise 7. Triggers
(00:45) Unit 8. User management
(00:45) Exercise 8. User management
(00:10) Unit 9. Summary

Unit 1. Overview
Estimated time
00:45

Overview
This unit introduces you to key concepts and terminology about IBM Cloud Pak for AIOps Event
Manager. You also learn about your lab environment.

Unit objectives
• Describe event management
• Understand the unique benefits of IBM Cloud Pak for AIOps
• Learn about your lab environment

Figure 1-1. Unit objectives

Topics
• Event Manager overview
• About your lab environment

Figure 1-2. Topics

1.1. Event Manager overview

Event Manager overview

Figure 1-3. Event Manager overview

What is an event?

In the context of IT management, an event is a state change or detectible activity within an IT
resource, such as a server, a network device, or an application.

Incoming SNMP trap, sent by a network device:
    cefcModuleOperStatus lcslot-1 on router1 failed
    1.3.6.1.4.1.9.9.117.1.2.1.1.2.7

Bad news from a log file, found manually:
    00:00:48: %router1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down

Failed ICMP ping test, run manually:
    PING 10.191.10.31 (10.191.10.31) 56(84) bytes of data.
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

AWS EC2 auto scaling instance refresh started alert, obtained by HTTP request (such as curl):
    {
      "version": "0",
      "id": "1299-1206-1514",
      "detail-type": "EC2 Auto Scaling Instance Refresh Started",
      "source": "aws.autoscaling",
      "account": "422",
      "time": "2023-01-11T21:28:50Z",
      "region": "us-east-1",
      "resources": [
        "trn-scaling-group"
      ],
      "detail": {
        "InstanceRefreshId": "c2299-1677-2253",
        "AutoScalingGroupName": "trn-scaling-group"
      }
    }

Overview © Copyright IBM Corporation 2022, 2023

Figure 1-4. What is an event?

Many, if not most IT resources, are instrumented to emit or expose events related to their
operation. An event is a set of data that represents a status, activity, or condition on an IT
resource. The structure and content of an event varies depending on the device, system, or
application that generated the event.
There are four examples of an event on this slide.
• At the top left, a network device sent an SNMP trap indicating that a line card failed. This trap
is an event sent by the operating system of the network device.
• At the middle left, you see a log message from the same network device written to a SYSLOG
server. This log message indicates that a network interface is down. This log message is an
event.
• At the bottom left, an ICMP ping test failed. The output of the ping utility is an event, indicating
that there is no connectivity to that IP address.
• At the right, you see the response to an HTTP request related to an Amazon Web Service EC2
instance. The response, which indicates that an instance refresh has started on an auto-scaling
group, is also an event.
In case of a problem, how do IT operators and troubleshooters find events like these? The
answer is through toil. In these four examples alone, an operator must:
• Use an SNMP management tool to view and read the SNMP trap from the network device
• Connect to the SYSLOG server and search through the log file
• Use a ping utility to test connectivity
• Use an HTTP client to request and read the HTTP response from the Amazon Web Service
resource

Finding these events is a challenge. After they have been found, they are in dissimilar formats and
require expertise to interpret. Add to this complexity that IT operators are responsible for
thousands of IT resources, all of which are constantly emitting or exposing events. These events
can become too numerous for any person or team to possibly manage.

What is event management?

Event management software collects and normalizes event data, then presents events for IT
operators and troubleshooters in a structured format.

Severity      | Node              | Origin          | Summary
--------------|-------------------|-----------------|--------------------------------------------------------------
Critical      | router1           | SNMP            | Line Card lcslot-1 on Node101 has failed
Major         | router1           | SYSLOG          | Line protocol on Interface Ethernet0/1, changed state to down
Major         | 10.191.10.31      | PING            | 10.191.10.31 is Unreachable
Informational | trn-scaling-group | Inbound Webhook | EC2 Auto scaling instance named "trn-scaling-group" in US East 1 region refresh started

Figure 1-5. What is event management?

Event management software collects events and presents them in a normalized way. Event
management software is often tightly integrated with other IT service management software such
as incident management, performance management, and change management solutions.
The example on this slide shows a sketch of what the four events in the previous slide would look
like in a normalized, structured format. Any event management software should have this
capability.
In practice, however, very few event management solutions are complete. They might be
vendor-specific, or they might only collect one type of data, such as only log messages or only
SNMP traps. Other event management systems do not have a collection system and are simple
event aggregators.
Many IT operations teams are successfully monitoring and gathering relevant data to better
understand how well their operations are performing, but establishing and maintaining a single
source of truth has often proven to be elusive.
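The normalization step described above, as an added example that is not part of the course material or IBM's code: it parses the four raw events from the earlier slide into the Severity / Node / Origin / Summary record. The function names and the severity rules are assumptions chosen to match the slide's table, and each parser rejects input it does not recognize instead of passing partial data from an untrusted sender into the event list.

```python
import json
import re

# Constructed inputs: the four raw events as they appear on the slide.
SNMP_TRAP = ("cefcModuleOperStatus lcslot-1 on router1 failed "
             "1.3.6.1.4.1.9.9.117.1.2.1.1.2.7")
SYSLOG_LINE = ("00:00:48: %router1: %LINEPROTO-5-UPDOWN: Line protocol "
               "on Interface Ethernet0/1, changed state to down")
PING_OUTPUT = ("PING 10.191.10.31 (10.191.10.31) 56(84) bytes of data.\n"
               "1 packets transmitted, 0 received, 100% packet loss, time 0ms")
WEBHOOK_BODY = json.dumps({
    "version": "0",
    "id": "1299-1206-1514",
    "detail-type": "EC2 Auto Scaling Instance Refresh Started",
    "source": "aws.autoscaling",
    "account": "422",
    "time": "2023-01-11T21:28:50Z",
    "region": "us-east-1",
    "resources": ["trn-scaling-group"],
    "detail": {"InstanceRefreshId": "c2299-1677-2253",
               "AutoScalingGroupName": "trn-scaling-group"},
})


def make_event(severity, node, origin, summary):
    """Common record with the four columns used in the slide's table."""
    return {"Severity": severity, "Node": node, "Origin": origin, "Summary": summary}


def from_snmp(text):
    """Parse '<object> <part> on <node> <state> <oid>' trap text."""
    m = re.fullmatch(r"(\S+) (\S+) on (\S+) (\w+) ([\d.]+)", text.strip())
    if not m:
        raise ValueError("unrecognized SNMP trap text")
    obj, part, node, state, oid = m.groups()
    severity = "Critical" if state == "failed" else "Informational"  # assumed rule
    return make_event(severity, node, "SNMP",
                      f"{part} on {node} has {state} ({obj}, OID {oid})")


def from_syslog(line):
    """Parse a '<time>: %<node>: %<FACILITY>-<level>-<MNEMONIC>: <message>' line."""
    m = re.fullmatch(r"[\d:]+: %([^:\s]+): %[A-Z_]+-\d-[A-Z_]+: (.+)", line.strip())
    if not m:
        raise ValueError("unrecognized syslog line")
    node, message = m.groups()
    # Assumed rule: an interface going down is Major, anything else Informational.
    severity = "Major" if message.endswith("changed state to down") else "Informational"
    return make_event(severity, node, "SYSLOG", message)


def from_ping(output):
    """Turn ping output into an event; zero replies means the host is unreachable."""
    target = re.search(r"^PING (\S+)", output, re.MULTILINE)
    stats = re.search(r"(\d+) packets transmitted, (\d+) received", output)
    if not target or not stats:
        raise ValueError("unrecognized ping output")
    host, sent, received = target.group(1), int(stats.group(1)), int(stats.group(2))
    if received == 0:
        return make_event("Major", host, "PING", f"{host} is Unreachable")
    return make_event("Informational", host, "PING",
                      f"{host} answered {received} of {sent} probes")


def from_webhook(body):
    """Parse the JSON body of an inbound webhook carrying an AWS event."""
    doc = json.loads(body)  # malformed JSON raises ValueError (JSONDecodeError)
    if not isinstance(doc, dict):
        raise ValueError("webhook body must be a JSON object")
    missing = [k for k in ("detail-type", "region", "resources") if k not in doc]
    if missing:
        raise ValueError(f"webhook body lacks {missing}")
    resources = doc["resources"]
    if not isinstance(resources, list) or not resources:
        raise ValueError("webhook body names no resource")
    node = str(resources[0])
    return make_event("Informational", node, "Inbound Webhook",
                      f"{doc['detail-type']} for {node} in {doc['region']}")


def normalize_all():
    """Run each constructed raw event through its parser, in slide order."""
    pairs = [(from_snmp, SNMP_TRAP), (from_syslog, SYSLOG_LINE),
             (from_ping, PING_OUTPUT), (from_webhook, WEBHOOK_BODY)]
    return [parser(raw) for parser, raw in pairs]


if __name__ == "__main__":
    for ev in normalize_all():
        print(f"{ev['Severity']:<14}{ev['Node']:<19}{ev['Origin']:<17}{ev['Summary']}")
```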

Event management challenges


IT managers, operators, and troubleshooters all have challenges
reacting to events:
• Overwhelmed by event volume
• Too much "noise" in the events
• Days to detect and diagnose a complex issue
• Struggling with inconsistent alerts across several sources
• Flood reduction is difficult to implement and understand
• Operator workflow interrupted to swap between incomplete tools
• Skills: Only 10% of staff have 90% of critical expertise

Figure 1-6. Event management challenges

IT operations teams work with many events in their day-to-day routine. Some of these events are
relevant, some of these are not, and some events represent serious problems. It is difficult for
operators to know which events to act on first, and which events are just “noise” and do not need
attention. It is also difficult to discern if any of the thousands of events received are related to
each other, and were perhaps caused by the same problem.
In the case of an outage, these teams are often overwhelmed by a flood of events. Researching
the root cause of these problems is time consuming. Finding and implementing the fix adds more
time to the overall resolution.
Some event management solutions have flood control and event reduction mechanisms, but
these are difficult to configure, and the results are not well explained.
Often teams must switch between tools to understand their events. A complete event
management solution should gather as much information as possible about incoming events and
their business impact and technical blast radius, so IT operators don’t waste time gathering data
manually or from separate tools.
Another challenge is expertise within IT operations teams themselves. Much of the experience
and knowledge needed to react to events and troubleshoot problems is limited to a few team
members.

IBM Cloud Pak for AIOps – Event Manager


Intelligent event correlation, reduce noise and incidents with AI/ML capabilities

• Multiple event grouping capabilities
• Organize/group events by incident
• Reduce alerts and trouble tickets
• Related alert information in one place
• Aids quicker problem diagnosis
• Reduce MTTR
• Save on operational costs

Figure 1-7. IBM Cloud Pak for AIOps – Event Manager

Using Cloud Pak for AIOps you can consolidate and automatically track multiple sets of data, from
different tools and resources, to empower your teams to react faster with more knowledge and
deeper understanding.
The Event Manager component within the Cloud Pak is a carrier-class event management system.
Many, if not most IT resources, are instrumented to emit or expose events related to their
operation. In addition to collecting, enriching, deduplicating, and displaying events, Event
Manager can use machine learning to analyze these oceans of events and present only the most
relevant to your staff. You may have heard Event Manager referred to as Netcool Operations
Insight.
IBM Cloud Pak for AIOps Event Manager also adds intelligence to your events, allowing you to cast
a wide net to ingest relevant data from any source, process it in an intelligent, automated way,
analyze the data, see which applications or parts of the infrastructure are impacted, share it and
even suggest guided steps to mitigate or resolve issues automatically.
One key benefit of Event Manager's machine learning features is a reduction in the number of
events. By detecting, correlating, grouping, and suppressing the "noise" that IT systems generate,
your operators can focus their attention on key events that represent actual problems.
This course focuses on IBM Cloud Pak for AIOps Event Manager running on the Red Hat OpenShift
Container Platform.

IBM Cloud Pak for AIOps Event Manager: actual outcomes

European bank:
• Able to reduce 2 million events per day by over 99% to only a few dozen relevant actionable ones
• Level of Noise reduction >99,995%

North American communications provider:
• 50% reduction in number of events presented to NOC operators and number of tickets raised

European IT service provider:
• Centrally managing 30 million events daily
• One click context-based launch from event to topology

European financial services group:
• Overall incident reduction of 70%

European transportation company:
• Reduced the number of critical service events by 90%

North American communications provider:
• Reduced the number of alarms by 20%
• Responds 40% faster and boosts customer satisfaction

European transportation company:
• Event Manager grouped over 27,000 events into about 500 groups

European energy and utility provider:
• 30% reduction in number of open tickets
• 15% faster repair times
• 10% reduction in effort needed to make repairs

North American communications provider:
• 38% Event Reduction
• 12% Ticket Reduction
• 5% Seasonal Tickets

Figure 1-8. IBM Cloud Pak for AIOps Event Manager: actual outcomes

This slide shows actual results from clients using IBM Cloud Pak for AIOps Event Manager.

AIOps event Grouping: industry-leading advanced event correlation

Event Manager automatically combines multiple grouping capabilities
• Topology-based event grouping
• Scope-based event grouping
• Temporal event grouping

An event can be a member of multiple groups
• Automatically combines groups whose events overlap
• Forming “super groups”

Figure 1-9. AIOps event Grouping: industry-leading advanced event correlation

Event Manager uses intelligent event correlation to find relationships among events. Events that
have been correlated are grouped together, so that your operators see fewer events overall. The
user interface makes it easy to see why events were grouped together so your operators
understand the relationship between events.
Groups that share a common event or events are combined, further reducing the total number of
actionable events.

AIOps event grouping example: temporal groups

Events that always seem to arrive together are grouped together to reduce the total number of
actionable events

AWS EC2 Auto Scaling Instance Refresh Started event:
    {
      "version": "0",
      "id": "1299-1206-1514",
      "detail-type": "EC2 Auto Scaling Instance Refresh Started",
      "source": "aws.autoscaling",
      "account": "422",
      "time": "2023-01-11T21:28:50Z",
      "region": "us-east-1",
      "resources": [
        "trn-scaling-group"
      ],
      "detail": {
        "InstanceRefreshId": "c2299-1677-2253",
        "AutoScalingGroupName": "trn-scaling-group"
      }
    }

AWS EC2 instance terminated event:
    {
      "id":"2xToc4f-DLl16R",
      "detail-type":"EC2 Instance State-change Notification",
      "source":"aws.ec2",
      "account":"1012",
      "time":"2023-01-11T21:29:54Z",
      "region":"us-east-1",
      "resources":[
        "arn:aws:ec2:us-east-1:1012:instance/i-juyn1212"
      ],
      "detail":{
        "instance-id":"i-juyn1212",
        "state":"terminated"
      }
    }

Figure 1-10. AIOps event grouping example: temporal groups

This slide shows an example of two raw HTTP response events from resources that are running in
Amazon Web Services. Imagine that these two events always arrive together.
The event on the left indicates that an Amazon Web Service EC2 instance refresh has started on
an auto-scaling group. The event on the right indicates that an Amazon Web Service EC2 instance
has terminated.
Looking at the two events, there are no common properties or attributes between them: the
source, account, resources, and ID properties all have different values.
Even though these events always arrive together, and logically they seem to be related to an
instance scaling irregularity, it would be difficult for operators to see that relationship. Because IT
operators work with high volumes of events, finding these two among the thousands of other
events is challenging. Further, the instance refresh event is not as severe as the instance
termination event, so it might get lost in the noise of other events.
IBM Cloud Pak for AIOps Event Manager can detect events like these and group them together
based on their temporal relationship. Events that always seem to arrive together are
automatically grouped together. This is called temporal grouping.
Without this grouping, your IT operators might waste time troubleshooting each of these events
individually, and eventually discover by themselves that they are related.
With Event Manager’s built-in grouping analytics, your IT operators can save time by considering
this group of events as a single issue immediately. Your operators also see less “noise” in the
event list, because these two events are reduced to a single parent event.

AIOps event grouping example: topology groups

Events from resources that have a topological relationship are grouped together to reduce the
total number of actionable events. Event Manager also suggests the probable root cause.

SNMP trap, sent by a network device:
    cefcModuleOperStatus lcslot-1 on router1 failed
    1.3.6.1.4.1.9.9.117.1.2.1.1.2.7

Bad news from a log file:
    00:00:48: %router1: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down

Failed ICMP ping test:
    PING 10.191.10.31 (10.191.10.31) 56(84) bytes of data.
    1 packets transmitted, 0 received, 100% packet loss, time 0ms

[Diagram: router1, interface Ethernet0/1, Syslog server, Server 10.191.10.31]

Figure 1-11. AIOps event grouping example: topology groups

IBM Cloud Pak for AIOps Event Manager includes a topology service that can discover the
resources in your IT systems and the dependencies among them. Event Manager uses this
topology data to correlate events that have a topological relationship together.
In this example, there are three raw events happening in an IT network:
• At the top left, a network device sent an SNMP trap indicating that a line card failed.
• At the top right, you see a log message from the same network device written to a SYSLOG
server. This log message indicates that a network interface is down.
• At the bottom left, an ICMP ping test failed.
If you consider how these resources are connected, you get better visibility into the chain of
dependencies that caused these three events:
• The server 10.191.10.31 is unreachable because the interface it is connected to (Ethernet0/1)
is down. This explains why the ping test failed.
• The log message event occurred when interface Ethernet0/1 went down.
• Line card in slot 1 of router1 failed, indicated by the SNMP trap. Line card 1 of router1 contains
the interface Ethernet0/1.
Event Manager recognizes how the resources in these events are connected to each other and
groups them together to reduce the overall number of events. Event Manager also suggests the
root cause of the problem is the line card failure, because its failure led to the interface failure,
which in turn led to the server becoming unreachable.
As a result of topology-based event analytics, your operators see:
• These three events grouped into a single event
• A topology map showing how the card, interface, and server are connected
• The event that is the probable root cause of the overall problem
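The dependency reasoning above, as an added example that is not Event Manager's algorithm or code from the course: events are grouped under the furthest upstream resource that also has an event, and that event is reported as the probable root cause. The resource identifiers, the one-parent-per-resource topology and the fourth unrelated event are constructed assumptions; real topologies are graphs with many relationship types.

```python
# Constructed topology for the slide's scenario: resource -> the resource it depends on.
DEPENDS_ON = {
    "server:10.191.10.31": "router1:Ethernet0/1",   # server is attached to the interface
    "router1:Ethernet0/1": "router1:lcslot-1",      # interface sits on line card 1
    "router1:lcslot-1": "router1",                  # line card is housed in the router
}

# Constructed events; the ids and resource names are hypothetical.
EVENTS = [
    {"id": "ping", "resource": "server:10.191.10.31",
     "summary": "10.191.10.31 is Unreachable"},
    {"id": "syslog", "resource": "router1:Ethernet0/1",
     "summary": "Line protocol on Interface Ethernet0/1, changed state to down"},
    {"id": "trap", "resource": "router1:lcslot-1",
     "summary": "cefcModuleOperStatus lcslot-1 on router1 failed"},
    {"id": "other", "resource": "server:10.191.10.99",
     "summary": "unrelated event on a resource outside this chain"},
]


def upstream_chain(resource, depends_on):
    """Resources that `resource` depends on, nearest first.

    A `seen` set stops the walk if bad topology data contains a cycle.
    """
    chain, seen = [], {resource}
    current = depends_on.get(resource)
    while current is not None and current not in seen:
        chain.append(current)
        seen.add(current)
        current = depends_on.get(current)
    return chain


def group_by_topology(events, depends_on):
    """Group events under the furthest upstream resource that also has an event."""
    alarmed = {ev["resource"] for ev in events}
    first_event_on = {}
    for ev in events:
        first_event_on.setdefault(ev["resource"], ev["id"])

    members_by_root = {}
    for ev in events:
        root = ev["resource"]
        for ancestor in upstream_chain(ev["resource"], depends_on):
            if ancestor in alarmed:
                root = ancestor  # keep walking: the furthest alarmed ancestor wins
        members_by_root.setdefault(root, []).append(ev["id"])

    return [
        {"root_resource": root, "root_cause": first_event_on[root], "members": members}
        for root, members in members_by_root.items()
    ]


if __name__ == "__main__":
    for group in group_by_topology(EVENTS, DEPENDS_ON):
        print(group)
```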

AIOps event grouping example: scope-based groups

These events all have the same value in their Service attribute. Any
attribute of an event can be used.


Figure 1-12. AIOps event grouping example: scope-based groups

You can group events based on known relationships. Based on the information you know about
your IT environment, you can automatically group events relating to an incident if they have the
same scope and occur during the same period of time.
The scope can be any attribute of an event. For example, all events that have the same value in
their Service attribute can be automatically grouped together if they occur within five minutes of
each other. Another example could be location: events from the same geographical location that
occur within a 90-second window could also be reduced to a single event.
These scope-based groups are easy to configure and manage. Scope-based groups are an easy
way to reduce the number of overall events.
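The scope-and-time-window rule above, as an added example that is not the product's implementation or code from the course: events sharing a value in the chosen scope attribute are grouped when they fall within the window measured from the group's first event. The event records, the Service values and the anchoring of the window on the first event are constructed assumptions.

```python
from datetime import datetime, timedelta


def at(hms):
    """Timestamp helper for the constructed sample events (all on one day)."""
    return datetime.strptime("2023-01-11 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed events. The last one has no Service value, so it has no scope.
EVENTS = [
    {"id": 1, "time": at("10:00:00"), "Service": "payments", "Summary": "DB latency high"},
    {"id": 2, "time": at("10:01:00"), "Service": "hr-portal", "Summary": "Login failures"},
    {"id": 3, "time": at("10:02:30"), "Service": "payments", "Summary": "API timeouts"},
    {"id": 4, "time": at("10:04:59"), "Service": "payments", "Summary": "Queue depth high"},
    {"id": 5, "time": at("10:07:00"), "Service": "payments", "Summary": "Disk space low"},
    {"id": 6, "time": at("10:03:00"), "Summary": "Fan speed warning"},
]


def group_by_scope(events, scope_attr, window_seconds):
    """Group events that share `scope_attr` and arrive within the window.

    The window is anchored on the first event of each group, so every member
    is within `window_seconds` of every other member. Events without a value
    for the scope attribute are returned separately and never grouped.
    """
    window = timedelta(seconds=window_seconds)
    open_groups = {}          # scope value -> group still accepting events
    groups, ungrouped = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        scope = ev.get(scope_attr)
        if not scope:
            ungrouped.append(ev)
            continue
        group = open_groups.get(scope)
        if group is None or ev["time"] - group["first"] > window:
            # No open group for this scope, or the window has closed: start anew.
            group = {"scope": scope, "first": ev["time"], "events": []}
            open_groups[scope] = group
            groups.append(group)
        group["events"].append(ev)
    return groups, ungrouped


def rows_shown(groups, ungrouped):
    """Rows an operator sees if each group collapses to one parent event."""
    return len(groups) + len(ungrouped)


if __name__ == "__main__":
    found, rest = group_by_scope(EVENTS, "Service", 300)
    for g in found:
        print(g["scope"], g["first"].time(), [e["id"] for e in g["events"]])
    print("ungrouped:", [e["id"] for e in rest])
    print(f"{len(EVENTS)} events reduced to {rows_shown(found, rest)} rows")
```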

AIOps intelligent event management: seasonality


• Identify events that recur with predictable regularity
• Identify chronic issues
• Provide valuable insights into incident
• Helps to prioritize maintenance tasks


Figure 1-13. AIOps intelligent event management: seasonality

The purpose of event seasonality is to automatically identify events that occur in a non-random
pattern and show those events to your IT personnel. For example, consider a low disk space event
that occurs every Monday at about 2:00 PM because of a scheduled backup. Instead of wasting
time troubleshooting the low disk space event every Monday afternoon, your team can see that
the event is seasonal, and can choose to suppress it.
IBM Cloud Pak for AIOps Event Manager automatically learns from your event history and
identifies events that occur in a seasonal pattern over time. By finding seasonal events, it is
possible to reduce the number of events that occur at non-random times, which can be done by
adjusting the IT process to compensate for known peaks, by filtering the events, or by
suppressing the events completely. Event Manager’s seasonality analysis can also help determine
where and when anomalies occur that were not previously known.
Your operators see easy to understand infographics that show when the event usually occurs and
when it has occurred in the past.

AIOps intelligent event management: runbooks


• Create runbooks to automate recurring remediations
• Each runbook can be set to desired level of automation: manual (human follows
instructions), semi-automated (human approves automated execution), or fully
automated (runs without human intervention)
• Map runbooks to events to give your operators the fix directly from the event


Figure 1-14. AIOps intelligent event management: runbooks

IBM Cloud Pak for AIOps Event Manager includes a runbook automation service. This easy-to-use
service helps IT operations management teams to simplify and automate complex
troubleshooting and remedial actions.
Runbook automation provides the following capabilities for creating, managing, and executing
guided tasks and automated activity:
• Event-triggered automated guidance and actions
• Flexible interoperability with management and collaboration tools, both cloud-based and
on-premises
• Runbook execution tracking statistics
Runbooks are guided steps that your IT operations team uses to troubleshoot and resolve
problems. Some organizations might call these standard operating procedures, or playbooks.
When an incident occurs, IBM Cloud Pak for AIOps matches an appropriate runbook to the
problem.
The runbook can be set to run automatically when it is matched to an incident, or it can run with
user approval and participation:
• Manual runbooks: A step-by-step description of the exact procedure an operator should
follow.
• Semi-automated runbooks: Each step describes exactly what an operator should do, and
the operator simply pushes a button to execute an automated task on a target system.
• Fully automated runbooks: The runbook is selected by the system as a response to a trigger and
executed without operator attention. The results of the runbook are stored for technical
review.

AIOps intelligent event management: event enrichment


Event enrichment is the ability to populate an event record with external
data
• The event records in AIOps come with a standard format
• Clients have the option of extending this format to add additional data
• Examples include:
▪ Technical information such as location, circuit ID, trouble ticket number, or service
▪ Business information such as point of contact, hours of operation, account number, or
service level agreement


Figure 1-15. AIOps intelligent event management: event enrichment

Event enrichment is the process of adding contextual data to incoming events.


For example, imagine an event regarding a failed ping test. The output of the ping test contains
only limited information: the target, the number of failed ping echoes, and the time-to-live. To
make this limited information useful for your operators, you can enrich the ping event with
additional data. You might add details about the target such as:
• Location
• Assigned interface
• Purpose (for example: server, application firewall, or switch)
IBM Cloud Pak for AIOps Event Manager provides several integration points where you can enrich
your events with additional technical and business details. The enrichment techniques you learn
about in this course are:
• Enrichment using a probe
• Enrichment using Impact
• Enrichment using triggers

Event Manager terminology: ObjectServer


An ObjectServer is the central database where Event Manager stores events:
• Memory resident
• Optimized for high speed
• Flexible and extensible
• Accept inserts from probes and other incoming data sources
• Deduplicate by matching Identifier field
• Run automations (triggers) for these items:
▪ Housekeeping
▪ Correlation
▪ Database functions, external actions
• The alerts.status table stores event records


Figure 1-16. Event Manager terminology: ObjectServer

An ObjectServer is the central database where Event Manager stores events.


The ObjectServer is typically referred to as a memory resident database. In reality, it is a
collection of multiple databases. The ObjectServer initially starts with a set of required databases.
A user with the appropriate authority can add a database to the ObjectServer. Users can also add
their own databases, database tables, and columns in a database table.
A user typically never directly accesses most of the databases and tables that are defined in the
ObjectServer. For example, several tables are for storing user ID information. The user does not
need to know the structure of these tables.
One important table is named alerts.status, which is used to store normalized event records. The
alerts.status table defines the structure of the event records.
One of the key features of the ObjectServer is data deduplication. This feature provides for
significant event volume reduction by storing a single copy of an event regardless of how many
times it repeats.
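
The effect of Identifier-based deduplication, as an added example that is not ObjectServer code: the same constructed event stream is replayed with three ways of building the Identifier. The MiniObjectServer class and the identifier helpers are hypothetical; Tally, FirstOccurrence, and LastOccurrence follow the standard alerts.status column names, and the update behavior on a repeat is an assumption of this sketch.

```python
# Constructed stream: (Node, AlertGroup, AlertKey, Summary)
SAMPLE_EVENTS = [
    ("router-a", "Ping", "icmp", "Ping failed (attempt 1)"),
    ("router-a", "Ping", "icmp", "Ping failed (attempt 2)"),
    ("router-b", "Ping", "icmp", "Ping failed (attempt 1)"),
    ("router-a", "Link", "Gi0/1", "Link down on Gi0/1"),
    ("router-a", "Ping", "icmp", "Ping failed (attempt 3)"),
    ("router-a", "Link", "Gi0/1", "Link down on Gi0/1"),
]
BASE_TIME = 1678111200                   # constructed epoch seconds


class MiniObjectServer:
    """Toy stand-in for the alerts.status table, keyed on Identifier."""

    def __init__(self):
        self.status = {}                 # Identifier -> event row

    def insert(self, event, now):
        """Insert a new row, or fold a repeat into the existing row."""
        key = event["Identifier"]        # matched exactly, case included
        row = self.status.get(key)
        if row is None:
            self.status[key] = dict(event, Tally=1,
                                    FirstOccurrence=now, LastOccurrence=now)
            return "inserted"
        row["Tally"] += 1                # one stored copy, repeat count kept
        row["LastOccurrence"] = now
        row["Summary"] = event["Summary"]
        return "deduplicated"


# Three ways to build the Identifier from the same event.
SCHEMES = {
    # Only values that stay the same across repeats of one problem.
    "stable": lambda node, group, key, summary: f"{node}:{group}:{key}",
    # The summary carries a changing counter, so repeats never match.
    "volatile": lambda node, group, key, summary: f"{node}:{summary}",
    # Node alone: different problems on one node collapse into one row.
    "coarse": lambda node, group, key, summary: node,
}


def replay(scheme):
    """Feed the constructed stream through one identifier scheme."""
    server = MiniObjectServer()
    make_id = SCHEMES[scheme]
    for offset, (node, group, key, summary) in enumerate(SAMPLE_EVENTS):
        event = {"Node": node, "AlertGroup": group, "AlertKey": key,
                 "Summary": summary,
                 "Identifier": make_id(node, group, key, summary)}
        server.insert(event, now=BASE_TIME + offset)
    return server


def tallies(scheme):
    """Map each stored Identifier to its Tally for one scheme."""
    return {ident: row["Tally"] for ident, row in replay(scheme).status.items()}


if __name__ == "__main__":
    for name in SCHEMES:
        print(name, tallies(name))
```

With the coarse scheme the link-down event is folded into the ping row, so an operator sees one row for router-a and only the latest summary.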

Important

The ObjectServer is case-sensitive. All of the default databases are defined with names that
contain all lowercase letters. Any use of the actual database name, in an SQL statement, for
example, must reference the name in lowercase.

Because the ObjectServer runs entirely in memory, it is extremely fast. The ObjectServer creates
checkpoints on disk for recovery after a system failure.

Event Manager terminology: probes


Probes are software event collectors.
Major types include:
• API, such as HP NNM, BMC Patrol
• Log file, such as syslog
• Device-specific, such as Nortel
• Database, such as Oracle
• Miscellaneous, such as heartbeat

Diagram: Your IT resources → Probe (Parsing Engine, Rules Engine, Probe API) → ObjectServer
1. Connects to event source
• Converts incoming event into tokens
2. Processes events
• Process tokens according to rules file
• Perform additional functions (extract, concatenate, math, lookup)
3. Forwards to ObjectServer
• Event data in a common format
• Delivered as SQL insert through TCP
• Automatic failover or store-and-forward

Your IT resources (including servers, mainframes, Windows systems, applications, circuit
switches, voice switches, IP routers, SNMP devices, hypervisors, SDN, network management
applications and frameworks, among many others.)


Figure 1-17. Event Manager terminology: probes

A probe is lightweight, small-footprint software that obtains event data, converts it to a common
event format, and passes it to the ObjectServer. Each probe collects data from a specific source:
database table, log file, application, and others. The role of a probe is to extract data from the
source and normalize the data into the format of the alerts.status table within the ObjectServer.
Probes are separate from the ObjectServer. As requirements change, probes can be added or
removed without changing the ObjectServer or interrupting service.
Some probes are generic, for example, SNMP and Syslog. Other probes are specific to
applications or devices.
Probes are lightweight, fast, and resilient. If a probe loses contact with the ObjectServer, it can
store events until the ObjectServer becomes available. If a pair of ObjectServers exists, a probe
can be configured to fail over, sending events to the alternative ObjectServer. Because the data is
passed to the Event Manager central store (ObjectServer) through a TCP/IP connection, delivery is
ensured.

Types of probes

• Alcatel-Lucent 1300 XMC
• Alcatel-Lucent 5529 OAD V6
• Alcatel-Lucent 5620 Logfile
• Alcatel-Lucent 5620 SAM 3GPP v8
• Alcatel-Lucent 5620 SAM v13 JMS
• Alcatel-Lucent 5ESS
• Alcatel-Lucent 9353 WNMS
• Alcatel-Lucent DSC DEX
• Alcatel-Lucent ECP
• Alcatel-Lucent ITM-NM/OMS
• Alcatel-Lucent ITM-SC
• Alcatel-Lucent OMC-R
• Alcatel-Lucent OS-OS
• Alcatel-Lucent Wavestar SNMS (CORBA)
• Amazon Web Services
• Apache Pulsar
• Avaya Definity G3
• BMC Patrol
• BMC Patrol V9
• CA Spectrum V9 CORBA
• CA Spectrum V9.4 (CORBA)
• Ciena Blue Planet MCP
• Cisco APIC
• Cisco Evolved Programmable Network Manager
• Cisco Transport Manager 9.0 (CORBA)
• Comverse TRILOGUE INfinity
• Dantel PointMaster
• ECI Network Manager
• Email
• Exec
• FIFO
• Genband IEMS
• Generic 3GPP
• Generic Log File
• Generic Multi-Technology Operations Systems Interface (MTOSI)
• Generic TMF814
• Glenayre VMS
• Heartbeat
• HP Network Node Manager-i
• HP Operations Manager
• HPE Operations Manager i
• HTTP Server Error Log
• Huawei M2000 MML
• Huawei U2000 3GPP (CORBA)
• Huawei U2000
• IBM Event Streams for IBM Cloud
• IBM SevOne Network Performance Management (NPM)
• IBM Tivoli Common Event Infrastructure Java (CEI)
• IBM Tivoli EIF
• IBM Turbonomic
• IBM WebSphere MQ
• iDirect Pulse
• IEC CIM Advanced Metering Infrastructure
• Itron OpenWay Collection Engine (OWCE) EMS
• JDBC
• Juniper Contrail
• Juniper Contrail Alerts
• Kafka
And many more!

Figure 1-18. Types of probes

This slide is a partial list of IBM Cloud Pak for AIOps probes. There are over 100 probes for
different technologies and data types.
The library of probes changes continuously. New or updated probes are typically released on a
quarterly basis.

Event Manager terminology: webhooks

Diagram: JSON formatted HTTP request (POST) → Webhook API → ObjectServer

{
  "resource": {
    "type": "service",
    "name": "TPA-cassandra",
    "cluster": "TPA-datalayer-d",
    "displayName": "Cassandra DB",
    "location": "wdc",
    "application": "cassandra",
    "hostname": "TPA-datalayer-d.ibmserviceengage.com"
  },
  "summary": "Cassandra response time is above 2000ms",
  "severity": "Minor",
  "sender": {
    "type": "synthetics",
    "name": "db-synthetic-mon"
  },
  "type": {
    "statusOrThreshold": "> 2000ms",
    "eventType": "Response time > 2000ms"
  },
  "resolution": false
}


Figure 1-19. Event Manager terminology: webhooks

You can use a webhook to insert event information into IBM Cloud Pak for AIOps Event Manager
from any event source that can send the information in JSON format.
Inbound webhooks provide an API endpoint so that other systems can send event data to Event
Manager with an HTTP request. Most types of webhooks use a predefined mapping to translate
the content of the source system’s HTTP request into the normalized event fields in the Event
Manager ObjectServer.
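
The sketch below is an added example, not Event Manager code: it validates a request body shaped like the slide's JSON and maps it to normalized event fields, rejecting anything it cannot map. The size limits, the severity-to-number table, the target field names, and the Identifier layout are assumptions of this example, not the product's predefined mapping.

```python
import json

MAX_BODY_BYTES = 16 * 1024              # assumed limit for this example
MAX_FIELD_CHARS = 255                   # assumed cap per string field
# Assumed mapping of webhook severity names to numeric event severities.
SEVERITY = {"Indeterminate": 1, "Warning": 2, "Minor": 3, "Major": 4, "Critical": 5}

# The payload shown on the slide, used here as sample input.
PAGE_PAYLOAD = {
    "resource": {"type": "service", "name": "TPA-cassandra",
                 "cluster": "TPA-datalayer-d", "displayName": "Cassandra DB",
                 "location": "wdc", "application": "cassandra",
                 "hostname": "TPA-datalayer-d.ibmserviceengage.com"},
    "summary": "Cassandra response time is above 2000ms",
    "severity": "Minor",
    "sender": {"type": "synthetics", "name": "db-synthetic-mon"},
    "type": {"statusOrThreshold": "> 2000ms",
             "eventType": "Response time > 2000ms"},
    "resolution": False,
}
SAMPLE_BODY = json.dumps(PAGE_PAYLOAD).encode("utf-8")


class RejectedPayload(ValueError):
    """Raised when a request body cannot be turned into an event."""


def _text(container, key, where):
    """Fetch a required string, strip control characters, cap its length."""
    value = container.get(key) if isinstance(container, dict) else None
    if not isinstance(value, str) or not value.strip():
        raise RejectedPayload(f"{where}.{key} must be a non-empty string")
    cleaned = "".join(ch for ch in value if ch.isprintable())
    return cleaned[:MAX_FIELD_CHARS]


def normalize(body):
    """Validate a JSON webhook body (bytes) and return normalized event fields."""
    if len(body) > MAX_BODY_BYTES:
        raise RejectedPayload("body too large")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        raise RejectedPayload("body is not valid UTF-8 JSON") from None
    if not isinstance(doc, dict):
        raise RejectedPayload("top level must be a JSON object")
    severity = doc.get("severity")
    if not isinstance(severity, str) or severity not in SEVERITY:
        raise RejectedPayload("unknown severity")
    resolution = doc.get("resolution", False)
    if not isinstance(resolution, bool):
        raise RejectedPayload("resolution must be true or false")
    event = {
        "Node": _text(doc.get("resource"), "name", "resource"),
        "Summary": _text(doc, "summary", "event"),
        "Severity": SEVERITY[severity],
        "Type": 2 if resolution else 1,          # assumed: 1 problem, 2 resolution
        "Agent": _text(doc.get("sender"), "name", "sender"),
        "AlertGroup": _text(doc.get("type"), "eventType", "type"),
    }
    event["Identifier"] = f"{event['Node']}:{event['AlertGroup']}:{event['Agent']}"
    return event


def is_rejected(body):
    """True when normalize() refuses the body."""
    try:
        normalize(body)
    except RejectedPayload:
        return True
    return False


if __name__ == "__main__":
    print(normalize(SAMPLE_BODY))
    print(is_rejected(b'["not", "an", "object"]'))
```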

Event Manager terminology: gateways

Gateways read data from an ObjectServer
Gateways write data to a destination component
Diagram: ObjectServer → Gateway process (reader, map, route, writer) → Destination
• ObjectServer gateway: Exchange data between ObjectServers
• Message bus gateway: Write event records to a message bus, such as Kafka
• Database gateway: Archive event data (DB2, Oracle, Sybase)
• Trouble Ticket gateway: Automatically generate ticket
• SNMP gateway: Event data forwarded as SNMP trap
• Flat File gateway: Write event to user-specified file format (CSV)


Figure 1-20. Event Manager terminology: gateways

Gateways provide a mechanism to extract event data from an ObjectServer and send it to a
different destination.
There are two types of ObjectServer gateways: unidirectional and bidirectional.
• Unidirectional gateways are used in hierarchical architectures, and to forward specific
events to other ObjectServers.
• Bidirectional gateways are used primarily to synchronize data in two ObjectServers operating
as a resilient pair (failover).
Other gateways include:
• Message bus gateways send event records from the ObjectServer to a message bus, such as
Kafka, HTTP/HTTPS, Java Message Service (JMS), and more.
• Database gateways allow ObjectServer events to be written to a database. When events are
deleted from the ObjectServer, they are no longer available to be viewed by Event Manager
users. The database gateway provides a mechanism for historical tracking of events.
• Trouble Ticketing gateways interface with ticketing systems (TSRM, Remedy, Clarify, and
others) and raise tickets based on specified event criteria. During the life of the event and
trouble ticket, the gateway can continue to update severities, journals, and other data.
• SNMP gateways allow ObjectServer event data to be forwarded as SNMP traps.
• Flat File gateways write event data to a file in a user-specified format.

Event Manager terminology: WebGUI


Figure 1-21. Event Manager terminology: WebGUI

Event Manager provides several user interfaces for displaying events, topology, runbooks, and
other data. One of these user interfaces is called WebGUI.
The Event Manager WebGUI is accessed through a browser. Users access the WebGUI to see
events, topology maps, runbooks, dashboards, and more. Administrators also use the WebGUI to
configure and customize some features of Event Manager.
The WebGUI interface is highly customizable, and has been included with Event Manager for
several years.

Event Manager terminology: AIOps user interface


Figure 1-22. Event Manager terminology: AIOps user interface

Another way for users to work with events is the AIOps user interface. This modern interface
helps your users focus on the results of event analytics. Like the WebGUI, the AIOps user
interface is web-based and can also be used to configure and customize Event Manager.

Event Manager terminology: Impact


Diagram: event enrichment by Impact
• Components: Probe, ObjectServer, Event Reader, Impact Server, Impact Policies, data source
adapters, DB2 provisioning database, Oracle SLA database
• Original event: 144.124.108.101 Error 773 10:05
• Provisioning database record: 144.124.108.101 E-Com-1 Inc San Jose HQ Mike Smith 410-555-1212
• SLA database record: E-Com-1 Inc Gold Call customer 9-5 30 minutes
• Event after enrichment by Impact: 144.124.108.101 Error 773: Link down E-Com-1 Inc San Jose
HQ down Call Mike Smith 410-777-0987 by 10:35


Figure 1-23. Event Manager terminology: Impact

Impact is a component of the IBM Cloud Pak for AIOps. Impact transforms operational IT data
into usable information. Using that information, operators and troubleshooters can manage and
extract value from complex IT environments.
Impact is used to process high-volume event streams and to do the following tasks:
• Gather additional information about an event or series of events (aggregation)
• Alert staff about high-priority conditions (escalation)
• Decide which events should be ignored (suppression)
• Set markers in diverse data sources (correlation)
• Take action on IT resources (autocorrection)
A key feature of Impact is its ability to connect to various aspects of customer data. Impact can
query database tables and retrieve selected data for event enrichment. This feature allows
Impact to associate business intelligence with events. Based upon this additional information, IT
operators are better able to prioritize their response to service outages based upon the business
impact.
This slide shows an example of how Impact enriches event fields from the ObjectServer to add
extra business information to the event. The resulting event provides the IT operations staff
with live information such as customer name, location, and contact details, and is re-prioritized
according to the SLA of the particular customer. The following steps explain the role of Impact:
1. A probe inserts an event into the Event Manager ObjectServer. The event contains only sparse
technical data. In this example, the event comes from a probe, but it could also come from any
other incoming integration, such as a webhook.

2. The Impact event reader service reads the new event from the ObjectServer and Impact
begins processing the event according to a policy.
3. Impact uses the IP address in the event to look up more information in a DB2 provisioning
database. Impact finds business data in the database, such as customer name, location, and
site contact information.
4. Impact uses the customer name from the preceding step to look up SLA information in an
Oracle database. Impact finds the SLA agreement (Gold), the hours of operation, and the time
frame in which the customer must be contacted in case of a problem.
5. Impact adds the extra business information from the two different databases to the event and
sends the event back to the ObjectServer. Impact can also alter existing attributes of the
event, such as changing the Severity to critical before it sends the event back to the
ObjectServer.
6. From the event list, IT operators see the enriched event. This means they have all the
information they need to react to this event and fulfill the SLA contract in seconds without the
need to switch to any other tool. Without Impact, operators and troubleshooters would
spend valuable time finding this additional information manually, and could risk violating the
terms of the SLA.
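
Steps 1 through 5 above, as an added Python sketch that is not an Impact policy: two in-memory SQLite databases stand in for the DB2 provisioning database and the Oracle SLA database, loaded with the values from the slide. The table layouts, the added field names, the numeric value used for critical, and the rule that a Gold agreement raises the Severity are assumptions of this example.

```python
import sqlite3
from datetime import datetime, timedelta

CRITICAL = 5          # assumed numeric value for Severity "critical"

# Step 1: the sparse event as the probe inserted it (values from the slide).
ORIGINAL_EVENT = {"Node": "144.124.108.101", "Summary": "Error 773",
                  "Time": "10:05", "Severity": 3}


def open_sources():
    """Build two in-memory SQLite databases standing in for DB2 and Oracle."""
    provisioning = sqlite3.connect(":memory:")
    provisioning.execute("CREATE TABLE sites (ip TEXT PRIMARY KEY, customer TEXT,"
                         " location TEXT, contact TEXT, phone TEXT)")
    provisioning.execute("INSERT INTO sites VALUES (?, ?, ?, ?, ?)",
                         ("144.124.108.101", "E-Com-1 Inc", "San Jose HQ",
                          "Mike Smith", "410-555-1212"))
    sla = sqlite3.connect(":memory:")
    sla.execute("CREATE TABLE agreements (customer TEXT PRIMARY KEY, level TEXT,"
                " hours TEXT, contact_within_min INTEGER)")
    sla.execute("INSERT INTO agreements VALUES (?, ?, ?, ?)",
                ("E-Com-1 Inc", "Gold", "9-5", 30))
    return provisioning, sla


def enrich(event, provisioning, sla):
    """Return an enriched copy of the event; unknown nodes pass through unchanged."""
    enriched = dict(event)
    # Step 3: the IP address in the event is the lookup key. It is event data,
    # so it is bound as a parameter rather than pasted into the SQL text.
    site = provisioning.execute(
        "SELECT customer, location, contact, phone FROM sites WHERE ip = ?",
        (event["Node"],)).fetchone()
    if site is None:
        return enriched
    customer, location, contact, phone = site
    enriched.update(Customer=customer, Location=location,
                    Contact=f"{contact} {phone}")
    # Step 4: the customer name from step 3 keys the SLA lookup.
    agreement = sla.execute(
        "SELECT level, hours, contact_within_min FROM agreements"
        " WHERE customer = ?", (customer,)).fetchone()
    if agreement is None:
        return enriched
    level, hours, minutes = agreement
    raised = datetime.strptime(event["Time"], "%H:%M")
    deadline = (raised + timedelta(minutes=minutes)).strftime("%H:%M")
    # Step 5: add the business data and re-prioritize before writing back.
    enriched.update(SLA=level, Hours=hours, ContactBy=deadline)
    if level == "Gold":
        enriched["Severity"] = CRITICAL
    enriched["Summary"] = (f"{event['Summary']}: {customer} {location} down. "
                           f"Call {contact} {phone} by {deadline}")
    return enriched


if __name__ == "__main__":
    provisioning_db, sla_db = open_sources()
    for field, value in enrich(ORIGINAL_EVENT, provisioning_db, sla_db).items():
        print(f"{field}: {value}")
```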
Impact is versatile and highly configurable. In this example, Impact looked up data in two
databases, but Impact can connect to many different types of data sources to find data, such as
HTTP endpoints or JMS topics. Impact can also send event records to destinations other than an
ObjectServer, such as email, HTTP API, SNMP trap, Kafka topic, or another database.
Impact includes a web-based administrator interface, which is used to control and configure how
Impact processes data.
You do not use Impact in this course.

Event Manager terminology: WebSphere administrative
console


Figure 1-24. Event Manager terminology: WebSphere administrative console

The Event Manager WebGUI runs on a WebSphere Application Server.


The WebSphere administrative console is a graphical interface that allows you to manage your
applications and perform system administration tasks for your WebSphere Application Server
environment. The administrative console runs in your web browser.
At times, administrators must customize the WebSphere Application Server.
The IBM Cloud Pak for AIOps Event Manager user interfaces use an OpenLDAP user repository for
authentication, which is configured automatically during installation. This LDAP server is
integrated with WebSphere. The main reason an IBM Cloud Pak for AIOps administrator would
need to change the WebSphere configuration is to add users and groups to LDAP.

1.2. About your lab environment

About your lab environment

Figure 1-25. About your lab environment

Your lab topology

Diagram: lab topology
• Bastion host: oc and kubectl clients; browser (for OpenShift console, AIOps console, etc);
other client software (Probes, Admin tool)
• Infrastructure host (hostname: infra.labs.ihost.com): DNS server; HAProxy load balancer with a
control plane load balancer, application load balancers (http and https), and a nodePort load
balancer (ports 30000-32767)
• OpenShift cluster: control0, control1, control2, compute0, compute1, compute2
• NFS server: persistent storage
The IBM Cloud Pak for AIOps in your lab is running in a Red Hat OpenShift cluster.
Do all of your lab work on the bastion host.


Figure 1-26. Your lab topology

This course focuses on IBM Cloud Pak for AIOps Event Manager running on the Red Hat OpenShift
Container Platform.
Your lab environment includes the following systems and servers, which are running in virtual
machines.
• A Red Hat OpenShift v4.8 cluster:
▪ 3 control plane nodes, for cluster control and management: control0, control1, and
control2.
▪ 3 compute nodes, to run the application workloads that make up IBM Cloud Pak for AIOps
Event Manager: compute0, compute1, and compute2.
• An infrastructure virtual machine, which provides DNS services for your cluster. The
infrastructure host also runs an HAProxy load balancer.
• An NFS server, to provide persistent storage for your lab activities.
• A bastion virtual machine, to use for all of your lab work. The bastion virtual machine has client
software installed that you use to access and manage your OpenShift cluster.

Important

Do all of your lab work from the bastion virtual machine. There is no need to connect directly to
any of the other virtual machines in your lab environment.

Unit summary
• Describe event management
• Understand the unique benefits of IBM Cloud Pak for AIOps
• Learn about your lab environment


Figure 1-27. Unit summary

Review questions
1. True or False: AIOps reduces time to react to events and diagnose incidents.
2. What kind of software collects data from your IT resources and sends it to the Event Manager
ObjectServer?
a. Probe
b. Container engine
c. WebGUI
d. Load balancer

3. Which lab server do you access to perform all of your lab exercises?
a. bastion
b. control0
c. The infrastructure host
d. compute0


Figure 1-28. Review questions

Write your answers here:


1.
2.
3.

Review answers
1. True or False: AIOps reduces time to react to events and diagnose incidents.
The answer is True.

2. What kind of software collects data from your IT resources and sends it to the Event Manager
ObjectServer?
a. Probe
b. Container engine
c. WebGUI
d. Load balancer
The answer is A.

3. Which lab server do you access to perform all of your lab exercises?
a. bastion
b. control0
c. The infrastructure host
d. compute0
The answer is A.


Figure 1-29. Review answers

Exercise: Overview

Figure 1-30. Exercise: Overview

Exercise objectives
• Verify that your Red Hat OpenShift cluster is ready
• Verify that the IBM Cloud Pak for AIOps is running correctly
• Log in to the Event Manager user interfaces


Figure 1-31. Exercise objectives

These are the tasks you complete during the lab exercises for this unit.

Lab tips
• Passwords are provided in the lab guide. Some passwords are stored in Kubernetes secrets, so
you must retrieve them.
• Many steps require you to be logged in to your Red Hat OpenShift cluster. If you see
unexpected errors when you run a command, make sure you are logged in.
• Some of the commands and code examples you use in this course are lengthy. At times, these
long text examples do not copy and paste accurately from the PDF lab guide to your lab
environment. As a convenience, you can find plain-text versions of these long examples in the
following file on your bastion host:
/home/netcool/ClassFiles/longCodeExamples.txt


Figure 1-32. Lab tips

Unit 2. Incoming integrations


Estimated time
00:45

Overview
This unit describes two ways to connect Event Manager to data sources: probes and webhooks.

References
About probes:
https://www.ibm.com/docs/SSSHTQ_8.1.0/pdf/omn_pdf_prgw_master.pdf
https://www.ibm.com/docs/netcoolomnibus/8.1?topic=gateways-setting-up-probes-acquire-event-data
https://www.ibm.com/docs/noi/1.6.7?topic=sources-connecting-event-cloud-deployment
About webhooks:
https://www.ibm.com/docs/noi/1.6.7?topic=systems-configuring-incoming-integrations

Unit objectives
• Understand how probes collect and process data
• Learn how to connect an on-premises probe to cloud-based Event Manager
• Describe how to use probes to enrich events
• Learn how to send events using an inbound webhook


Figure 2-1. Unit objectives

Topics
• Probes
• Webhooks


Figure 2-2. Topics

2.1. Probes

Probes

Figure 2-3. Probes

About probes
Probes:
• Are software data collectors
• Are designed to collect data from specific sources
▪ Log files
▪ Database tables
▪ SNMP traps
▪ Applications
▪ Many others
• Normalize data to common format
• Generate ObjectServer events
• Are lightweight
• High performance
• Are resilient
Diagram: SNMP enabled devices send SNMP traps to the SNMP Probe (MTTrapd); the Syslog Probe
reads a Syslog server log file; the Ping Probe sends ICMP echoes; all three probes send events to
the ObjectServer.
The IBM Cloud Pak for AIOps includes a large library of prebuilt probes.

Figure 2-4. About probes

Probes are lightweight software designed to collect data from a specific source and produce
ObjectServer events.
Typical questions regarding probes:
• What probes are required?
It depends upon the event source. For example, devices that generate SNMP traps use the
MTTrapd probe. Devices that generate log messages use the Syslog probe.
• How many probes are required?
It depends upon the event source. For example, one MTTrapd Probe can receive traps from
lots of devices. You require one Syslog Probe for every UNIX log file, because the probe
physically reads one file.
• Where do the probes run?
It depends upon the event source. For example, the MTTrapd probe can run any place where it
can receive SNMP traps. The Syslog probe must run on the server with the UNIX log file.
• What operating system is required by the probe?
It varies by the probe. For example, the MTTrapd probe is supported on AIX, Solaris, HP-UX,
Linux, and Windows. The Syslog probe is not supported on Windows because it reads a UNIX
log file.
In this example, there are three probes collecting data and sending events to the ObjectServer:
• The MTTrapd probe listens for incoming SNMP traps sent by SNMP-enabled devices. The
probe converts the OID in the SNMP traps into events, then sends the events to the
ObjectServer.

• The Syslog probe watches a log file. When an interesting message is written to the log, the
probe converts the fields in the message into an event, then sends the event to the
ObjectServer.
• The Ping probe reads a list of IP addresses or host names, then performs a ping sweep of the
resources in the list. The probe converts failed ICMP ping responses into events, then sends
the events to the ObjectServer.

Types of probes

• Alcatel-Lucent 1300 XMC
• Alcatel-Lucent 5529 OAD V6
• Alcatel-Lucent 5620 Logfile
• Alcatel-Lucent 5620 SAM 3GPP v8
• Alcatel-Lucent 5620 SAM v13 JMS
• Alcatel-Lucent 5ESS
• Alcatel-Lucent 9353 WNMS
• Alcatel-Lucent DSC DEX
• Alcatel-Lucent ECP
• Alcatel-Lucent ITM-NM/OMS
• Alcatel-Lucent ITM-SC
• Alcatel-Lucent OMC-R
• Alcatel-Lucent OS-OS
• Alcatel-Lucent Wavestar SNMS (CORBA)
• Amazon Web Services
• Apache Pulsar
• Avaya Definity G3
• BMC Patrol
• BMC Patrol V9
• CA Spectrum V9 CORBA
• CA Spectrum V9.4 (CORBA)
• Ciena Blue Planet MCP
• Cisco APIC
• Cisco Evolved Programmable Network Manager
• Cisco Transport Manager 9.0 (CORBA)
• Comverse TRILOGUE INfinity
• Dantel PointMaster
• ECI Network Manager
• Email
• Exec
• FIFO
• Genband IEMS
• Generic 3GPP
• Generic Log File
• Generic Multi-Technology Operations Systems Interface (MTOSI)
• Generic TMF814
• Glenayre VMS
• Heartbeat
• HP Network Node Manager-i
• HP Operations Manager
• HPE Operations Manager i
• HTTP Server Error Log
• Huawei M2000 MML
• Huawei U2000 3GPP (CORBA)
• Huawei U2000
• IBM Event Streams for IBM Cloud
• IBM SevOne Network Performance Management (NPM)
• IBM Tivoli Common Event Infrastructure Java (CEI)
• IBM Tivoli EIF
• IBM Turbonomic
• IBM WebSphere MQ
• iDirect Pulse
• IEC CIM Advanced Metering Infrastructure
• Itron OpenWay Collection Engine (OWCE) EMS
• JDBC
• Juniper Contrail
• Juniper Contrail Alerts
• Kafka
And many more!

Figure 2-5. Types of probes

This slide shows a partial list of IBM Cloud Pak for AIOps probes. There are over 100 different
types of probes to support the diverse technologies found in modern IT environments. New or
updated probes are released on a regular basis.

Probe operation

A probe is lightweight software to collect and preprocess event data. ObjectServers get most of
their input through probes (and webhooks).

Diagram: probe operation, from start to sending the event
• START PROBE: $OMNIHOME/probes/nco_p_<probename> -server SERVERNAME
• READ .props, .rules: Binary starts with <probename>.props properties; reads in
<probename>.rules, additional files into memory
• VALIDATE: Verify syntax and logic of the rules file and validate the ObjectServer fields
• READ EVENT FROM SOURCE: Connect to source, such as API, log file, and read an event
• NORMALIZE & TOKENIZE: Break event into its component fields ($fields, or tokens)
• PROCESS VIA .rules: Interpret tokens through rules file. One pass through the rules for each
event, with $tokens assigned to @fields
• BUILD INSERT COMMAND: @fields are collected into an SQL Insert command
• SEND TO OBJECTSERVER: Command is forwarded to the ObjectServer. Buffers are flushed in
anticipation of the next event


Figure 2-6. Probe operation

A probe is lightweight, small-footprint software that obtains event data, converts it to a
common event format (CEF) and passes it to the ObjectServer.
Probes are separate from the ObjectServer. As requirements change, probes can be added or
removed without changing the ObjectServer or interrupting service. Currently probes are available
for over 100 types of element managers, devices, and systems. Some probes are generic (SNMP
MTTrapd, Syslog) while others are specific to applications or devices.
Probes use a reliable TCP connection to the ObjectServer to ensure completeness and accuracy of
data. If a probe loses contact with the ObjectServer it can store events until the ObjectServer
becomes available. When there are two ObjectServers, a probe can be configured to fail over,
sending events to the second ObjectServer.
Probe operation can be split into five stages:

Table 1. Five stages of probe operation

Stage            Description
Initialize       The probe connects to the ObjectServer, identifying the format of the alerts.status table. The props and rules files are read into memory and parsed, and the probe is ready to retrieve events.
Event Retrieve   The probe retrieves an event from the source, for example from an API, SNMP trap, reading a log file, or other.
Tokenize         The probe tokenizes the event stream to create tokens ($fields) which are used in the rules file.
Process          The tokenized event stream is parsed through the rules file and ObjectServer alerts.status fields (@fields) are set.
Forward          The composed event is forwarded to the ObjectServer. If problems occur in forwarding, the probe might fail over or store and forward.

After forwarding, the probe clears variables, retrieves a new event, and repeats the cycle as
necessary.


Probe Basics
A probe consists of a binary, a .rules and a .props file:
• Binaries: retrieve and tokenize event streams ($OMNIHOME/probes/nco_p_<probename>)
• Properties: run time settings of probe ($OMNIHOME/probes/<arch>/<probename>.props)
• Rules: instructions for processing event ($OMNIHOME/probes/<arch>/<probename>.rules)

Probes can have additional files in $OMNIHOME/probes/<arch>/

If the probe is on a separate machine from the ObjectServer:
• Install common components, process control
• Install the probe itself
• Identify the ObjectServers in the interfaces file
    OBJ_SERV hostname 4100
• Edit the properties and rules files of the probe
• Run the probe
    $OMNIHOME/probes/nco_p_probename


Figure 2-7. Probe Basics

All probes have at least three files: a binary executable (nco_p_probename), an interpreted rules
file (probename.rules) and a properties (probename.props) file.
The properties file sets run time parameters and determines the behavior of a probe. This
includes, among other parameters, where to record a log file, and how verbose the log file
messages should be.
The binary collects the event stream and splits it into individual tokens. The binary interprets and
applies the rules file and forwards the processed event to the ObjectServer.
The primary purpose of the rules file is to assign tokens to ObjectServer fields. The rules file can
also manipulate data, perform calculations, and derive additional data and add it to the event. The
rules file can derive additional data using lookup tables and other methods.
When installing probes on a remote machine, you must install the probes and common files on
that machine. These common files are installed when you install the probe.
Probes require access to the interfaces file to determine how to communicate with the
ObjectServer. Use the nco_xigen or nco_igen utility to define the ObjectServer in the interfaces
file.
Modify the properties and rules file as necessary and start the probe using the following
command:
$OMNIHOME/probes/nco_p_probename

The following example shows the $OMNIHOME/probes/<arch>/ directory of a machine that is
running the Simnet and Syslog probes.
$ pwd
/opt/IBM/tivoli/netcool/omnibus/probes/linux2x86

$ ls -l
total 232
netcool ncoadmin 144 default
netcool ncoadmin 27100 nco_p_simnet
netcool ncoadmin 18772 nco_p_syntax
netcool ncoadmin 137970 nco_p_syslog
netcool ncoadmin 1220 simnet.def
netcool ncoadmin 4007 simnet.props
netcool ncoadmin 1496 simnet.rules
netcool ncoadmin 2234 syntax.props
netcool ncoadmin 528 syntax.rules
netcool ncoadmin 2451 syslog.props
netcool ncoadmin 23337 syslog.rules


Rules file
• Contains program steps, which are run for each event to
manipulate incoming data and assign it to alerts.status fields
• Found in $OMNIHOME/probes/<arch>/<probename>.rules
• Inbound tokens start with dollar sign ($); ObjectServer fields start with @
• Major function of rules file is to define Identifier field
• Field values of alerts.status might be set by the rules file
• Additional information can be added through the rules file
• Probe can have multiple associated rules files (include files)


Figure 2-8. Rules file

Not all data contained in an event is relevant to the processing of that event. The rules file defines
how the probe rationalizes or adds to the contents of an incoming event to create a meaningful
alert.
An important function of the rules file is to define the Identifier field used for de-duplication. If the
Identifier is made too specific, for example by incorporating the time of the event, little
de-duplication takes place. However, if the identifier is not specific enough, for example by
omitting a card, port or slot number, wrong events are de-duplicated.
All field values of the alerts.status table are normally propagated by the rules file using the
information from the incoming event. It is also possible to add extra information to the event in
the rules file, such as customer, department, and application data.
Rules files can selectively update fields in alerts.status, overriding ObjectServer de-duplication
settings.
The probe rules file is where the incoming token stream is parsed and assigned to ObjectServer
fields.
It is a best practice to implement as much functionality as possible at the probe rules file level,
before events are sent to the ObjectServer. This means the ObjectServer has less work to do when
the event arrives. For example, dropping events that can be discarded is best done at the probe
rules file level.
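The trade-off described above for the Identifier field can be measured on a small event stream. The following Python sketch is an added example, not part of the course material or of the product: the events are constructed, `deduplicate()` is a minimal stand-in for ObjectServer de-duplication, and the three identifier functions and the "|" separator are assumptions made for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample events (not from the course material).
EVENTS = [
    {"Node": "router1", "Summary": "interface Eth0/1 is down", "Time": 1000},
    {"Node": "router1", "Summary": "interface Eth0/1 is down", "Time": 1060},
    {"Node": "router1", "Summary": "interface Eth0/2 is down", "Time": 1065},
    {"Node": "router2", "Summary": "interface Eth0/1 is down", "Time": 1070},
    {"Node": "router1", "Summary": "interface Eth0/1 is down", "Time": 1120},
]


def alert_key(summary):
    """Same idea as extract(@Summary, "interface (.*) is") in a rules file."""
    found = re.search(r"interface (.*) is", summary)
    return found.group(1) if found else ""


# Three candidate Identifier definitions. The "|" separator is a choice of
# this example; it keeps "ab"+"c" and "a"+"bc" from producing the same key.
def id_too_specific(event):
    # Includes the event time, so every repeat looks like a new event.
    return "|".join([event["Node"], alert_key(event["Summary"]),
                     event["Summary"], str(event["Time"])])


def id_too_generic(event):
    # Omits the port, so different interfaces collapse into one row.
    return "|".join([event["Node"], "interface down"])


def id_balanced(event):
    # Node + AlertKey + Summary.
    return "|".join([event["Node"], alert_key(event["Summary"]),
                     event["Summary"]])


def deduplicate(events, make_identifier):
    """Minimal stand-in for de-duplication: one row per Identifier, with a count."""
    rows = OrderedDict()
    for event in events:
        ident = make_identifier(event)
        source = (event["Node"], alert_key(event["Summary"]))
        row = rows.setdefault(ident, {"Tally": 0, "Sources": set()})
        row["Tally"] += 1
        row["Sources"].add(source)
    return rows


def report(events, make_identifier):
    """Return (rows kept, rows that merged events from different interfaces)."""
    rows = deduplicate(events, make_identifier)
    wrongly_merged = sum(1 for row in rows.values() if len(row["Sources"]) > 1)
    return len(rows), wrongly_merged


if __name__ == "__main__":
    for name, fn in [("too specific", id_too_specific),
                     ("too generic", id_too_generic),
                     ("balanced", id_balanced)]:
        kept, wrong = report(EVENTS, fn)
        print("%-12s rows=%d wrongly merged=%d" % (name, kept, wrong))
```

A row that merges more than one (Node, interface) source is the failure that matters operationally: a second fault is hidden behind an existing event instead of raising a new one.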


Rules file example


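$OMNIHOME/probes/<arch>/simnet.rules

# Direct assignment of tokens to ObjectServer fields
@Node = $Node
@Summary = $Summary
# Map the text severity token to the integer Severity field
switch($Severity) {
    case "Critical":
        @Severity = 5
    case "Major":
        @Severity = 4
    default:
        @Severity = 2
}
# Extract the interface name from the summary into AlertKey
if (regmatch(@Summary, "interface.*down")) {
    @AlertKey = extract(@Summary, "interface (.*) is")
}
# The Identifier is the key used for de-duplication
@Identifier = @Node + @AlertKey + @Summary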


Figure 2-9. Rules file example

A simple rules example:
• Set Node and Summary field values using a direct assignment.
• Set the Severity field based on the value in the $Severity token. Note, the value in
$Severity is a text value while @Severity must be an integer.
• Extract the interface value from the Summary field and set the AlertKey field.
• Set the Identifier to ensure that this event is unique.

Note

The example on the slide is not a complete rules file.


Tokens and fields


• Probes split the event stream into tokens
• All tokens are created as strings
• Tokens in the rules file are denoted with a $ prefix
• Example: $Node is a token holding the Node name
• Tokens can be created immediately: $MyElement="somevalue"
• Fields in alerts.status are denoted with an @ prefix
• To populate fields, you can assign values in these ways:
▪ Direct assignment: @Node = $Node
▪ Concatenation: @Summary = $Summary + $group
▪ Concatenation with literals: @Summary = $Node + " has problem " + $Summary


Figure 2-10. Tokens and fields

When a probe receives an event stream from the source, it splits the stream into tokens. The set
of tokens is not fixed and might change depending on event data received. The tokens are
identified in the rules file by $, for example $Node is a token holding the node name.
In the probe rules file, an ObjectServer field value is denoted with a @. For example, @Node
references the value of the Node field. It is the @fieldnames in the alerts.status table of the
ObjectServer which make up an event and are shown in event lists. To populate the @fieldnames,
tokens need to be assigned to them, for example:
• Direct Assignment: @Node=$Node
• Concatenation: @Summary=$Summary + $Group
• Adding text: @Summary=$Node + " has problem " + $Summary


Testing and logic in rules files


Tests for string values:

match(@Node,"router1")            Exact match
nmatch(@Node,"router")            Begins with
regmatch(@Node,"^router[0-9]")    Full regex matching

if statement incorporates conditional logic:

if ( <test1> )
    { <action> }
else if ( <test2> )
    { <action> }
else
    { <action> }

Example: set Class field based on the value of $EquipType

if (match($EquipType,"Router")) {
    @Class = 3303
}
else if (nmatch($EquipType,"Switch")) {
    @Class = 3301
}
else if (regmatch($EquipType,"^[Hh]ub.*")) {
    @Class = 3302
}

Figure 2-11. Testing and logic in rules files

String values can be tested with the following functions:
• Exact match: $Node = “router1”.
    match($Node,"router1")
• Begins with: $Node must begin with “router” but can have other text following.
    nmatch($Node,"router")
• Regex match: Allows full regular expressions. $Node must begin with “router” followed by a digit.
    regmatch($Node,"^router[0-9]")
These functions can be used in if, else if, else statements.
The if statement provides conditional testing for processing elements in rules files.
In the example in the slide, a <condition> is a combination of expressions and operations that
resolve to either TRUE or FALSE. If the <condition> evaluates to TRUE, the <action> statements
between the curly braces are run.
All comparisons can be used in the if statement. The if statement is typically used to
conditionally set @Field values depending on the event received.
The example shown uses the $EquipType token to set the Class value. Events with equipment
type Router have their Class set to 3303. Events with equipment type beginning with Switch have
Class set to 3301. Events with equipment type beginning with Hub or hub (uppercase or lowercase H)
have their Class value set to 3302.
When using an @Fieldname in an if statement, make sure that its value is already set in an
assignment statement.


Lookup tables
• Technique for performing event enrichment
▪ Adding data to the event record that does not appear in the probe source
• Data is formatted in a text file
▪ Tab delimited
• File contains multiple columns
▪ Key
▪ Data item 1
▪ Data item 2
▪ Data item N
• Suitable for static data
▪ Building names
▪ Addresses


Figure 2-12. Lookup tables

Lookup tables provide a method of making extra information available to a probe for inclusion in
an event.
Lookup files are useful at the probe level for basic event enrichment so long as the data set is
fairly static. If the data in the lookup table is dynamic, it is better to store it in a database table (for
example, the ObjectServer or other external database) and then perform event enrichment with
an ObjectServer trigger or with Impact.
A lookup table can be defined two ways. One way is a reference to an external file containing the
table. The second way is by placing the table in the rules file itself.
For an external file table, you specify a pointer to the file table as follows:
table TabNam="/opt/netcool/omnibus/probes/<arch>/file"
This reference must be at the top of the rules file, as the first uncommented line above the
ProbeWatch section.
The file must have the following format:
key[TAB]value
key[TAB]value
For a lookup table embedded in the rules file, the definition takes the format:
table TabNam={{"key","value"},{"key","value"}…}
In the rules file, the lookup() function looks the same for both table types. It uses two
arguments: a value to look up and the name of the table to read from:
@result=lookup(@Key,TabNam)


Lookup table example

Rules file excerpt


...output omitted...
table labtable = "/opt/IBM/tivoli/netcool/omnibus/probes/linux2x86/labExample.lookup"
default = {"UNKNOWN","UNKNOWN"}
...output omitted...
[ @Location,@Customer ] = lookup(@Node, labtable)
update(@Location)
update(@Customer)
}

labExample.lookup
interfaceEth0_1 LONDON Bureau of Machine Analytics
interfaceEth0_2 BRUSSELS Department of Computer Algorithms
interfaceFe2_1 SYDNEY Department of Computer Algorithms
interfaceEth1_3 ROME Oaca Industries, JP


Figure 2-13. Lookup table example

In this example, imagine you work for a communications provider. Part of your business is to
provide managed network services to your customers. Each of your customers has their own
managed network interfaces connected to your equipment, which you are monitoring with Event
Manager. The goal in this example is to enrich incoming events:
• To add the name of the customer each interface is assigned to
• To add the location
This slide shows an excerpt from a rules file and a lookup table.

About the rules file example


There are two lines at the top of the rules file that define the table. The first line defines a lookup
table named labtable. The second line provides the default values of UNKNOWN for the @Location
and @Customer fields if no business data is found in the lookup table for a node.
There are three lines at the bottom of the rules file that use the lookup table named labtable.
These lines use the lookup table to match the value of @Node. If a match is found in the table, the
probe populates the @Location and @Customer fields in an event before it is sent to the Event
Manager ObjectServer.
In this example, the @Node field is populated with interface names, although that assignment is
not shown in the excerpt.

About the example lookup table


The table is in a tab-delimited text file named labExample.lookup. The first column in the file is a
list of node names. In this example, the nodes in the incoming event are interface names. The
other two columns list the location and customer for each interface. There is nothing special
about the lookup table file, except that it:
• Must be delimited with tabs.
• Must store the table key in the first column.
• Must be saved in a location and with permissions so that the probe can read it.
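The three file requirements above can be checked before a lookup table is deployed. The following Python sketch is an added example, not the probe's own code: it parses a tab-delimited table, reports rows that do not meet the format, and reproduces the `[ @Location,@Customer ] = lookup(@Node, labtable)` enrichment with the UNKNOWN default. The two bad rows, the handling of duplicate keys, and the check for group or world write permission are assumptions of this example.

```python
import io
import os
import stat

DEFAULT = ("UNKNOWN", "UNKNOWN")   # same default as the rules file excerpt

# The four rows from labExample.lookup, written with real tabs, plus two
# constructed bad rows: one separated by spaces, one repeating a key.
SAMPLE_LOOKUP = (
    "interfaceEth0_1\tLONDON\tBureau of Machine Analytics\n"
    "interfaceEth0_2\tBRUSSELS\tDepartment of Computer Algorithms\n"
    "interfaceFe2_1\tSYDNEY\tDepartment of Computer Algorithms\n"
    "interfaceEth1_3\tROME\tOaca Industries, JP\n"
    "interfaceEth9_9 PARIS Space Separated Ltd\n"
    "interfaceEth0_1\tMADRID\tDuplicate Key SA\n"
)


def load_lookup(stream, value_columns=2):
    """Parse key<TAB>value<TAB>value rows; return (table, problems)."""
    table, problems = {}, []
    for lineno, raw in enumerate(stream, 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue                      # ignore blank lines
        parts = line.split("\t")
        if len(parts) != value_columns + 1 or not parts[0]:
            problems.append((lineno, "expected %d tab-delimited columns"
                             % (value_columns + 1)))
            continue
        if parts[0] in table:
            # Choice of this example: keep the first row, report the repeat.
            problems.append((lineno, "duplicate key %r" % parts[0]))
            continue
        table[parts[0]] = tuple(value.strip() for value in parts[1:])
    return table, problems


def lookup(key, table, default=DEFAULT):
    """Return the values for key, or the default when the key is absent."""
    return table.get(key, default)


def enrich(event, table):
    """Add Location and Customer to a copy of the event, keyed on Node."""
    enriched = dict(event)
    enriched["Location"], enriched["Customer"] = lookup(
        event.get("Node", ""), table)
    return enriched


def file_problems(path):
    """Check that the file is readable, and that other accounts cannot edit it."""
    if not os.path.exists(path):
        return ["file does not exist"]
    problems = []
    if not os.access(path, os.R_OK):
        problems.append("not readable by the current user")
    if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Added check: whoever can edit this file controls event enrichment.
        problems.append("writable by group or others")
    return problems


if __name__ == "__main__":
    table, problems = load_lookup(io.StringIO(SAMPLE_LOOKUP))
    print(enrich({"Node": "interfaceFe2_1"}, table))
    print(enrich({"Node": "interfaceEth7_7"}, table))
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
```

Run `file_problems()` as the account that starts the probe, because readability depends on which user performs the check.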


Netcool Knowledge Library (NcKL)


• The default rules file necessary for the execution of a probe only performs generic grouping of
data.
• Using an enhanced rules file to cater to events from a specific device provides sharpened
event enrichment and causal analysis.
• The library is a collection of rules files written to a common standard, and provides
unprecedented levels of event correlation and causal analysis.


Figure 2-14. Netcool Knowledge Library (NcKL)

The Netcool Knowledge Library (NcKL) is a collection of rules files. It is distributed with Event
Manager as a separate download.
This library of rules files:
• Uses the include technique to incorporate multiple individual files
▪ One “leader” rules file contains multiple include statements
• Provides predefined rules files for multiple vendors and technologies
▪ Packaged as individual files (over 2000 in current version)
▪ Easy to configure to add or remove
• Provides rules for the MTTrapd and Syslog probes
To install the Netcool Knowledge Library:
• Unpack rules files into target directory - $NC_RULES_HOME
• Run supplied SQL file to add ObjectServer customizations
• Configure probe to use the NcKL “leader” rules file
$NC_RULES_HOME/syslog.rules – Syslog Probe
$NC_RULES_HOME/snmptrap.rules – MTTrapd Probe

2.2. Webhooks

Webhooks

Figure 2-15. Webhooks


About inbound webhooks


• A webhook is a mechanism that allows you to send events to the IBM Cloud Pak for AIOps
using a REST-like API.
• You use webhooks to send events from other software systems to the IBM Cloud Pak for
AIOps.
• The payload of the incoming events must be formatted in JSON.

[Diagram labels: Events; JSON formatted HTTP request (POST); Object Server]


Figure 2-16. About inbound webhooks

Probes are not the only way to send events to the IBM Cloud Pak for AIOps. You can use a
webhook to send events to an API, which then normalizes the incoming data into an event record.
Data sent to a webhook must be in a JSON-formatted HTTP request.


Incoming integrations


Figure 2-17. Incoming integrations

Several applications and platforms can send event data to a webhook API. The IBM Cloud Pak for
AIOps has predefined webhook integrations that already know how to map incoming HTTP
request fields into ObjectServer fields. There are many predefined webhook integrations to ingest
data from diverse sources, such as Amazon’s Simple Notification Service (SNS), Microsoft Azure,
Jenkins, and many more.
This slide shows the Incoming integrations page where you can configure connections to other
systems. Not all of the integrations shown on this slide use webhooks to accept data, but most of
them do.


Custom inbound webhooks


JSON formatted HTTP request (POST)

{
  "resource": {
    "type": "service",
    "name": "TPA-cassandra",
    "cluster": "TPA-datalayer-d",
    "displayName": "Cassandra DB",
    "location": "wdc",
    "application": "cassandra",
    "hostname": "TPA-datalayer-d.ibmserviceengage.com"
  },
  "summary": "Cassandra response time is above 2000ms",
  "severity": "Minor",
  "sender": {
    "type": "synthetics",
    "name": "db-synthetic-mon"
  },
  "type": {
    "statusOrThreshold": "> 2000ms",
    "eventType": "Response time > 2000ms"
  },
  "resolution": false
}


Figure 2-18. Custom inbound webhooks

Even if there is no predefined integration for a data source in your environment, you can send data
to an Event Manager webhook. You can create a custom webhook to map the fields within any
incoming JSON HTTP request to an event record.
In this example, a custom webhook extracts text from an incoming HTTP request and uses the
text to populate an event record:
• The resource.hostname field in the incoming HTTP request is mapped to the Node field of the
ObjectServer.
• The resource.location field in the incoming HTTP request is mapped to the Location field of
the ObjectServer.
• The summary and resource.cluster fields in the incoming HTTP request are combined with
some static text, and mapped to the Summary field of the ObjectServer.
• The severity field in the incoming HTTP request is mapped to the Severity field of the
ObjectServer.
IBM Cloud Pak for Watson AIOps Event Manager provides an easy-to-use tool to create custom
inbound webhooks.
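The four field mappings listed above can be written out as code to show what a mapping has to decide when the request body is malformed. This Python sketch is an added example and not Event Manager's implementation: the static text in Summary, the rejection rules, and the length limit are assumptions, and the integer severities are the standard ObjectServer values (the rules file example on this page shows only 5 for Critical and 4 for Major).

```python
import json

# The request body shown on the slide.
SAMPLE_REQUEST_BODY = """
{
  "resource": {
    "type": "service",
    "name": "TPA-cassandra",
    "cluster": "TPA-datalayer-d",
    "displayName": "Cassandra DB",
    "location": "wdc",
    "application": "cassandra",
    "hostname": "TPA-datalayer-d.ibmserviceengage.com"
  },
  "summary": "Cassandra response time is above 2000ms",
  "severity": "Minor",
  "sender": {"type": "synthetics", "name": "db-synthetic-mon"},
  "type": {"statusOrThreshold": "> 2000ms",
           "eventType": "Response time > 2000ms"},
  "resolution": false
}
"""

# Standard ObjectServer severity integers (assumption for this example).
SEVERITY = {"Critical": 5, "Major": 4, "Minor": 3,
            "Warning": 2, "Indeterminate": 1}


class PayloadError(ValueError):
    """Raised when the request body cannot be mapped to an event."""


def field(payload, dotted_path):
    """Return a non-empty string at e.g. 'resource.hostname', or raise."""
    node = payload
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise PayloadError("missing field: " + dotted_path)
        node = node[part]
    if not isinstance(node, str) or not node.strip():
        raise PayloadError("field must be a non-empty string: " + dotted_path)
    return node


def clean(text, limit=255):
    """Drop control characters and clamp the length (limit is an assumption)."""
    return "".join(ch for ch in text if ch.isprintable())[:limit]


def map_event(body):
    """Map a JSON request body to Node, Location, Summary and Severity."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise PayloadError("body is not valid JSON") from exc
    if not isinstance(payload, dict):
        raise PayloadError("top level of the body must be a JSON object")
    severity = field(payload, "severity")
    if severity not in SEVERITY:
        raise PayloadError("unknown severity: %r" % severity)
    # Static text "(cluster ...)" is an assumption; the page does not give it.
    summary = "%s (cluster %s)" % (field(payload, "summary"),
                                   field(payload, "resource.cluster"))
    return {
        "Node": clean(field(payload, "resource.hostname")),
        "Location": clean(field(payload, "resource.location")),
        "Summary": clean(summary),
        "Severity": SEVERITY[severity],
    }


if __name__ == "__main__":
    print(map_event(SAMPLE_REQUEST_BODY))
```

Rejecting a body with a missing field or an unknown severity keeps partial events out of the event list, and stripping control characters keeps sender-supplied text from distorting what operators see.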


Unit summary
• Understand how probes collect and process data
• Learn how to connect an on-premises probe to cloud-based Event Manager
• Describe how to use probes to enrich events
• Learn how to send events using an inbound webhook


Figure 2-19. Unit summary


Review questions
1. True or False: Probes are the only way to send events to the IBM Cloud Pak for AIOps.
2. What is a probe rules file?
a. A configuration file that controls how a probe creates an event from incoming data.
b. A configuration file that controls how a probe handles failover and recovery.
c. A checkpoint file that saves the current state of the probe to disk.
d. A checkpoint file that saves all outbound events to disk.


Figure 2-20. Review questions

Write your answers here:


1.
2.


Review answers
1. True or False: Probes are the only way to send events to the IBM Cloud Pak for Watson AIOps.
The answer is False.
2. What is a probe rules file?
a. A configuration file that controls how a probe creates an event from incoming data.
b. A configuration file that controls how a probe handles failover and recovery.
c. A checkpoint file that saves the current state of the probe to disk.
d. A checkpoint file that saves all outbound events to disk.
The answer is A.


Figure 2-21. Review answers


Exercise: Incoming integrations

Figure 2-22. Exercise: Incoming integrations


Exercise objectives
• Connect an on-premises probe to Event Manager running in Red Hat OpenShift
• Enrich events with business information with a probe
• Create a custom webhook for incoming events


Figure 2-23. Exercise objectives

These are the tasks you complete during the lab exercises for this unit.


Lab tips
• You edit several text files in these labs. Take your time and make sure your changes are
accurate before you save and close each file.
• Don't forget to copy your webhook URL. After you save your webhook, you will not be able to
see the URL again.


Figure 2-24. Lab tips


Unit 3. Temporal and seasonal event analytics
Estimated time
00:45

Overview
This unit shows you how to configure and use the event analytics features included with Event
Manager to reduce the number of actionable events.


Unit objectives
• Understand temporal relationships among events
• Understand event seasonality
• Learn how to configure and train temporal and seasonal event analytics


Figure 3-1. Unit objectives


Advanced event analytics: temporal grouping

• Temporal grouping analytics identifies related events based on their historic co-occurrences
• Subsequent events, which match the temporal profile, are correlated together to reduce the number of overall events
• NO configuration required: just turn it on and watch it work
• Continuously learns

Temporal and seasonal event analytics © Copyright IBM Corporation 2022, 2023

Figure 3-2. Advanced event analytics: temporal grouping

The IBM Cloud Pak for AIOps Event Manager uses advanced analytics to help you manage your
events. One of these analytics features is temporal grouping. Event Manager looks into your event
history to discover sets of events which tend to occur within a short time of each other. These sets
of events are considered to share a temporal relationship. When such events occur again, they are
grouped together to reduce “noise” and the overall number of actionable events.
The temporal grouping analytics algorithm works on unique identifiers for the events. For a set of
events to be grouped, the set needs to be seen at least 3 times, and the events within each set must
arrive within 20 minutes (default) of each other.
In this example, Event Manager has noticed that over time, six specific events always seem to
arrive together, within 33 seconds of each other. You can see the historical occurrences of these
events in the screen capture at the top of the slide. The next time the set of events arrive, Event
Manager groups them together in the event list, which you can see at the bottom of the slide.
There are six events in this example. Without this grouping, your IT operators might waste time
troubleshooting each of these events individually, and eventually discover that they are related
only after a lengthy investigation.
With Event Manager’s built-in grouping analytics, your IT operators can save time by considering
this group of events as a single issue immediately. Your operators also see less “noise” in the
event list, because these six events were consolidated and reduced to a single parent event.
Event Manager decorates the event list as events arrive to indicate that these events share a
temporal relationship. In the screen capture at the bottom of the slide, the Grouping column
shows a temporal grouping icon. You also see a tool tip if you hover over the icon. If you click the
icon or the Investigate link in the parent event, you see more information about why the events
were grouped together and examples of past occurrences.
By default, no configuration is required to start using the temporal grouping feature.

Event Manager continuously learns from subsequent events which match the profile of a temporal
group. For example, if the set of events arrives again, but this time with a few more or fewer events
in the set, Event Manager will adjust accordingly.
The result of the temporal grouping algorithms is a grouping policy. Policies are a definition of
which events occurred together in the past and what action to take when they occur again, for
example: group the events together in the event list.
With temporal grouping, you can choose the deployment mode: Deploy first or Review first. In
Deploy first mode, temporal policies are enabled automatically, without the need for manual
review. In Review first mode, temporal policies are not enabled until they are manually reviewed
and approved by an administrator.
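The two thresholds given earlier for temporal grouping (a set seen at least 3 times, events within 20 minutes of each other) can be tried on a small history. This Python sketch is an added example and a deliberately simplified illustration of those thresholds; it is not Event Manager's algorithm. The history, the identifiers, the burst splitting, and the pairwise co-occurrence counting are all assumptions of this example.

```python
from collections import Counter
from itertools import combinations

WINDOW_SECONDS = 20 * 60   # default window given in the text
MIN_OCCURRENCES = 3        # a set must be seen at least 3 times
DAY = 24 * 60 * 60

# Constructed event identifiers.
A = "tpa01.edu.ibm.com|Device failure on RACK01"
B = "tpa01.edu.ibm.com|Power supply failure on RACK01"
C = "learnserve.edu.ibm.com|Application is unresponsive"
NOISE = "backup01|Nightly job finished late"
D1, D2 = "db01|Disk 90% full", "db01|Slow query"

# Constructed history of (timestamp in seconds, identifier): A, B and C arrive
# together on three days, NOISE joins them once, D1 and D2 pair up only twice.
HISTORY = [(d * DAY + off, ident)
           for d in (0, 1, 2) for off, ident in ((0, A), (12, B), (33, C))]
HISTORY += [(20, NOISE)]
HISTORY += [(d * DAY + off, ident)
            for d in (5, 6) for off, ident in ((0, D1), (60, D2))]


def episodes(history, window=WINDOW_SECONDS):
    """Split the history into bursts that span at most `window` seconds."""
    bursts, current, start = [], set(), None
    for ts, ident in sorted(history):
        if start is None or ts - start > window:
            if current:
                bursts.append(current)
            current, start = set(), ts
        current.add(ident)
    if current:
        bursts.append(current)
    return bursts


def learn_groups(history, window=WINDOW_SECONDS,
                 min_occurrences=MIN_OCCURRENCES):
    """Group identifiers whose pairs co-occurred in enough bursts."""
    pair_counts = Counter()
    for burst in episodes(history, window):
        pair_counts.update(combinations(sorted(burst), 2))
    parent = {}

    def find(x):                       # union-find with path halving
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (left, right), seen in pair_counts.items():
        if seen >= min_occurrences:
            parent[find(left)] = find(right)
    groups = {}
    for ident in list(parent):
        groups.setdefault(find(ident), set()).add(ident)
    return sorted((frozenset(g) for g in groups.values()), key=sorted)


def group_incoming(events, groups, window=WINDOW_SECONDS):
    """Return ({group: [identifiers]}, [standalone identifiers]) for new events."""
    member_of = {ident: group for group in groups for ident in group}
    grouped, standalone = {}, []
    for ts, ident in sorted(events):
        group = member_of.get(ident)
        if group is None:
            standalone.append(ident)
            continue
        bucket = grouped.setdefault(group, {"first": ts, "events": []})
        if ts - bucket["first"] <= window:
            bucket["events"].append(ident)
        else:
            standalone.append(ident)   # too late to belong to this occurrence
    return {g: b["events"] for g, b in grouped.items()}, standalone


if __name__ == "__main__":
    learned = learn_groups(HISTORY)
    new = [(10 * DAY, B), (10 * DAY + 5, A), (10 * DAY + 30, C),
           (10 * DAY + 40, NOISE)]
    print(learned)
    print(group_incoming(new, learned))
```

NOISE appears in one burst and the D1/D2 pair in two, so neither reaches the threshold of 3 and both stay out of the learned group.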


Temporal pattern grouping

• Enhances temporal correlation
• Correlates events which look like temporal groups we have previously discovered, with matching event types but different resource attributes
• Increases event reduction by correlating events which haven’t been seen before

If Event Manager sees that these events historically arrive together, it will group them (temporal grouping):

Node                        Summary                           Location
tpa01.edu.ibm.com           Device failure on RACK01          Tampa
tpa01.edu.ibm.com           Power supply failure on RACK01    Tampa
learnserve.edu.ibm.com      Application is unresponsive       Tampa

When this set of events arrives the first time, Event Manager will group them together, based on the pattern extracted from the existing group (temporal pattern grouping):

Node                        Summary                           Location
tor01.edu.ibm.com           Device failure on RACK01          Toronto
tor01.edu.ibm.com           Power supply failure on RACK01    Toronto
Learnserve-ca.edu.ibm.com   Application is unresponsive       Toronto


Figure 3-3. Temporal pattern grouping

Another aspect of temporal grouping is pattern matching. Event Manager can identify patterns
within existing temporal groups and apply these patterns to new events that have not been seen
before.
Event Manager identifies recurring problems across multiple temporal groups, extracts the
resource information from those groups, and creates a pattern. This pattern can then be used to
group new instances of the problem events which match the problem signature but occur on new,
previously unseen resources.
In this example, the events at the top of the slide have been seen several times in the past. They
are grouped together by temporal grouping analytics. These events have arrived together in the
past and Event Manager has learned to group them together if they arrive again.
The events at the bottom of the slide are new; Event Manager has never seen them before.
However, with temporal pattern grouping, Event Manager will group them together the first time
they arrive based on the problem signature pattern learned from the events at the top of the slide.


Temporal grouping policies


• Automatically generated policies
group events that always seem
to arrive together
• You can view past occurrences
of event groups
• Disable and archive unwanted
policies
• Edit temporal pattern policies
• Approve policies that require
review (optional)


Figure 3-4. Temporal grouping policies

The result of temporal event analytics is a policy. Policies are created automatically when Event
Manager detects a temporal relationship among events. Policies take action against incoming
events, such as grouping them together.
You view and manage policies with the Event Manager user interface. Tasks you can perform
include:
• You can view the historical occurrences of a group.
• You can disable policies that are no longer valid or that do not produce the groups you want.
• You can edit temporal pattern policies. (Temporal and seasonality policies cannot be edited.)
• If your environment requires you to approve the automatically generated policies before they
are enabled, you can approve them in the user interface.


Seasonality
• Identify events that recur with predictable regularity
• Identify “invisible” chronic issues
• Helps to prioritize maintenance tasks
• Provides valuable insights into incident


Figure 3-5. Seasonality

The purpose of event seasonality is to automatically identify events that occur in a non-random
pattern and show those events to your IT personnel. For example, consider a low disk space event
that occurs every Monday at about 2:00 PM because of a scheduled backup. Instead of wasting
time troubleshooting the low disk space event every Monday afternoon, your team can see that
the event is seasonal, and can choose to suppress it.
IBM Cloud Pak for AIOps Event Manager automatically learns from your event history and
identifies events that occur in a seasonal pattern over time. By finding seasonal events, it is
possible to reduce the number of events that occur at non-random times, which can be done by
adjusting the IT process to compensate for known peaks, by filtering the events, or by
suppressing the events completely. Event Manager’s seasonality analysis can also help determine
where and when anomalies occur that were not previously known.
Your operators see easy-to-understand infographics that show when the event usually occurs and
when it has occurred in the past.
Like temporal grouping, the result of seasonal event analytics is a policy.
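The following sketch is an added example, not Event Manager's own algorithm or code from the course. It shows one simple way to find events like the Monday 2:00 PM low disk space event: bucket each event's occurrences by weekday and hour and flag the event when most occurrences fall in one slot. The node names, thresholds, and sample history are constructed assumptions.

```python
"""Simplified seasonality check over an event history (illustration only)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def build_sample_history():
    """Constructed sample data: (timestamp, node, summary) tuples."""
    events = []
    first_monday = datetime(2023, 1, 2, 14, 0)  # 2 January 2023 was a Monday
    for week in range(12):
        # Backup-driven event: every Monday, a few minutes after 2:00 PM.
        stamp = first_monday + timedelta(weeks=week, minutes=week % 5)
        events.append((stamp, "db01", "Low disk space"))
    # Sporadic event with no weekly rhythm: (day offset, hour) pairs.
    for day, hour in [(1, 3), (9, 17), (20, 8), (33, 22), (47, 11), (60, 5), (72, 19)]:
        stamp = datetime(2023, 1, 1) + timedelta(days=day, hours=hour)
        events.append((stamp, "web02", "High CPU"))
    return events


def find_seasonal_events(events, min_occurrences=4, min_share=0.8):
    """Flag (node, summary) pairs whose occurrences concentrate in one weekday/hour slot.

    min_occurrences and min_share are assumed thresholds for this sketch.
    Occurrences that straddle an hour boundary split across two slots, which a
    production analysis would have to smooth out.
    """
    by_event = defaultdict(list)
    for stamp, node, summary in events:
        by_event[(node, summary)].append(stamp)

    findings = {}
    for key, stamps in by_event.items():
        if len(stamps) < min_occurrences:
            continue  # too little history to call anything seasonal
        slots = Counter((s.weekday(), s.hour) for s in stamps)
        (weekday, hour), hits = slots.most_common(1)[0]
        share = hits / len(stamps)
        if share >= min_share:
            findings[key] = {"day": DAYS[weekday], "hour": hour,
                             "share": share, "occurrences": len(stamps)}
    return findings


def in_seasonal_window(finding, stamp):
    """True when a new occurrence falls in the learned slot.

    An occurrence outside the slot is off-pattern and should not be suppressed.
    """
    return DAYS[stamp.weekday()] == finding["day"] and stamp.hour == finding["hour"]


if __name__ == "__main__":
    for (node, summary), f in find_seasonal_events(build_sample_history()).items():
        print(f"{node}: {summary!r} recurs on {f['day']} around {f['hour']:02d}:00 "
              f"({f['occurrences']} occurrences, {f['share']:.0%} in that slot)")
```

Checking new occurrences against the learned slot keeps a suppression rule from hiding the same event when it fires at an unexpected time.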


Training event analytics


• Event analytics training is scheduled once per day
• Training runs in background
• Event occurrences within the last 3 months are fetched
• The result of training is a policy (or multiple policies)
• You can run event analytics training manually


Figure 3-6. Training event analytics

Event Manager periodically runs training jobs for temporal and seasonal analytics. These jobs run
once a day and search the last three months of your event history. If any historical events have a
temporal relationship or are seasonal, Event Manager creates policies to act on future events.
Training occurs periodically on a fixed schedule in the background, with trained models sent to
the policy service in the form of actionable policies.
There are two analytics training jobs: one for temporal grouping and one for seasonal analysis. If
needed, you can force these jobs to run manually.


Managing event analytics


Figure 3-7. Managing event analytics

Use the Event Manager user interface to manage temporal or seasonal event analytics settings.
This slide shows the page in the user interface where you change global event analytics settings.

About enabling and disabling policies


You can globally enable or disable temporal and seasonal event analytics with the user interface.
By default, all event analytics features are enabled. Note the following effects of disabling
temporal or seasonal event analytics:
• Disabling analytics processing does not stop existing policies from running. Existing policies
continue to take action on events, even after the analytic is disabled.
• After you disable temporal or seasonal analytics, no new policies are generated.
• Existing policies are no longer updated and recalculated.
• The effect of disabling an analytic is the same as if the training jobs stopped running.

Note

To disable an individual policy, archive it. Archiving a policy stops it from processing future events
that match the temporal or seasonal profile. Use the Policies page in the Event Manager user
interface to archive individual policies.

About temporal grouping configuration
You can configure the following settings for temporal analysis:
• You can enable and disable temporal grouping.
• You can set automatically-generated temporal policies to require approval before they start
taking action, or you can set them to start running immediately.
You can configure the following settings for temporal pattern analysis:
• You can enable and disable temporal pattern grouping.
• You can set automatically-generated policies from temporal pattern analysis to require
approval before they start taking action, or you can set them to start running immediately.
• You can choose to exclude any event fields that you do not want to be considered as a
temporal pattern.


Unit summary
• Understand temporal relationships among events
• Understand event seasonality
• Learn how to configure and train temporal and seasonal event analytics


Figure 3-8. Unit summary


Review questions
1. True or False: Seasonal events are events that have been correlated with weather conditions.
2. What is a temporal group?
a. A group of events that always seem to arrive together.
b. A group of events that expire immediately.
c. A group of events that you set to expire together.
d. A group of events that are automatically rejected.


Figure 3-9. Review questions

Write your answers here:


1.
2.


Review answers
1. True or False: Seasonal events are events that have been correlated with weather conditions.
The answer is False.
2. What is a temporal group?
a. A group of events that always seem to arrive together.
b. A group of events that expire immediately.
c. A group of events that you set to expire together.
d. A group of events that are automatically rejected.
The answer is A.


Figure 3-10. Review answers


Exercise: Temporal and seasonal event analytics

Figure 3-11. Exercise: Temporal and seasonal event analytics


Exercise objectives
• Manually run Event Manager event analytics training
• View events that have been grouped together based on a temporal relationship
• View seasonal events
• Archive unwanted analytics policies


Figure 3-12. Exercise objectives

These are the tasks you complete during the lab exercises for this unit.


Lab tips
• After you run training manually, don't forget to delete the trainer pod.


Figure 3-13. Lab tips


Unit 4. Topology
Estimated time
00:45

Overview
This unit teaches you how to add topology data to Event Manager. You then learn how to group
different segments of a topology together to further reduce events and calculate root cause.


Unit objectives
• Understand where topology data comes from
• Learn how to create topology groups
• Describe topology rules


Figure 4-1. Unit objectives


Topology overview
The IBM Cloud Pak for AIOps benefits:
• Up-to-date visibility of your resources and their connectivity
• Historical comparison (what has changed?)
• Reads and loads topology data from complex infrastructures and services
• Groups events that have a topological relationship
• Probable cause


Figure 4-2. Topology overview

The topology service within the IBM Cloud Pak for AIOps can discover the resources in your IT
systems and the dependencies among them. The topology information that AIOps discovers is
used to deliver several valuable features, including:
• Dynamic and interactive topology maps that show users how resources are connected and
how they depend on each other. The maps include a “rewind” and a “Delta” mode where you
can compare your current topology with a past state to easily identify what has changed.
• The topology service can read from predefined sources of topology data, such as Amazon Web
Services, Azure, Kubernetes, Cisco, and OpenStack. For custom data sources, you can load
topology data with flat files or through an API. This is important, because modern services and
applications are increasingly deployed in environments that take advantage of distributed and
virtualized infrastructure.
• The IBM Cloud Pak for AIOps can match incoming events to resources in your topology. This
provides several benefits:
▪ Multiple events from a segment of your topology are grouped together, to reduce the
number of overall events.
▪ AIOps calculates the event within the group that is most likely to be the probable cause of
the overall problem.
▪ Users can see up-to-date status of the resources in a topology map. If there is an event
associated with a resource, it will be decorated in the map. Users can also launch a
contextual map from event lists, which shows the topology of the affected resources.


Topology maps and views


Figure 4-3. Topology maps and views

This slide shows an example of a topology map. These maps are interactive and dynamic. Notice
the following features of the map:
1. At the top of the map, you can change the number of hops. This increases the number of
connected resources displayed in the map. There is also a filter button here, where you can
include or exclude resources and relationships in the map.
2. At the right of the map, you can zoom in or out, change the layout, fit to screen and pan. You
can also zoom in and out with the mouse wheel, and pan by dragging the mouse.
3. At the bottom of the map is a timeline. You can move the pin in the timeline to rewind the map
to a past state. You can also place two pins at different points in the timeline and the map will
show indicators of what has changed between the two points in time.
4. Resources that have events associated with them are decorated in the map.
Not shown on this slide is the share button, where you can export the map as PNG or SVG images,
or as a direct link.
You can also interact with the resources and relationships in the map. For example, you could
right-click a line in the map to learn more about a relationship between two resources.
These maps are also highly customizable. Administrators can change many properties of these
maps, for example the icons, the line styles, and the interaction with the map itself.


Topology grouping


Figure 4-4. Topology grouping

The IBM Cloud Pak for AIOps can group resources in a topology together. These resource groups
make it easier to find and visualize collections of related resources in a large topology, and groups
enable event correlation between resources in a group.
In the case of event correlation, events coming from resources of the same group are combined
together visually in event lists to reduce the amount of “noise” events that your end users see.
Grouped events allow your IT staff to focus on the group of events and their probable cause,
rather than trying to troubleshoot each event individually.
In this example, you see a group of six resources in a topology map. Incoming events that match
members of the topology group are correlated together in the event list. The event list makes it
clear that the events have been correlated together because there is a topological relationship
among the resources that emitted the events.
Notice the following details about the events in the list:
• A group of events is represented by a synthetic parent event. Synthetic parent events have the
string GROUP: in their summary field.
• There is an icon present in the Grouping and Topology columns of the test events. This icon
means that the node in the event is a member of a topology group.
• There is a numeric value in the Probable Cause column of the grouped events. The event with
the highest probable cause value is the event which Event Manager considers to be the root
cause of the problem.
• Users see fewer actionable events. In this example, six events have been reduced to a single
parent event.


Probable cause


Figure 4-5. Probable cause

When events are grouped together based on their topology, the IBM Cloud Pak for AIOps
automatically suggests which event is likely the root cause of an overall problem.
AIOps recognizes how the resources in these events are connected to each other and applies
additional analytic processing to find probable cause:
• Classification of the events based on the event summary; this is done using natural language
processing (NLP)
• Computation of the paths, dependencies, and scores between events
In this example, the resources are all related to a line card that is inserted into a network switch.
Resources in this group include network interfaces, the slot that the card is using, and the card
itself. Six incoming events have arrived: five events from interfaces and one event from the line
card. AIOps has determined that the root cause of the problem is the line card failure event,
because its failure led to the interface failures.
As a result of topology based event analytics, your operators see:
• These six events grouped into a single event
• A topology map showing how the card, interface, and slot are connected
• The event that is the probable root cause of the overall problem, indicated by the longest bar
in the Probable Cause column.


Resources and edges


Figure 4-6. Resources and edges

A resource is a node in an interconnected topology, sometimes also referred to as a vertex, or
simply a node. It can be anything in a topology that has been designated as a resource, for
example a hardware device, virtual device, location, user, or an application microservice.
An edge is a relationship, or link between resources. Edges have a label, which allocates them to a
family of edges with specific behavior and governs how they are displayed in the UI, and a type,
which defines the relationship in understandable terms.
Edges are always a single, one-way link. Resources that share a two-way relationship are
modeled with two edges: one for each direction.
The resources in this example are servers (apic1, apic3), network switches (201spine,
202spine), and IP addresses. The edges in this example are connectedTo and accessedVia.


Observers and observer jobs

Observers obtain topology information from a specific source:

• ALM                    • Docker         • OpenStack
• Ansible AWX            • Dynatrace      • Rancher
• AppDynamics            • File           • REST
• AWS                    • GoogleCloud    • ServiceNow
• Azure                  • HPNFVD         • TADDM
• BigCloudFabric         • IBMCloud       • Viptela
• BigFixInventory        • ITNM           • VMVcenter
• CienaBluePlanet        • Jenkins        • VMWareNSX
• CiscoAci               • JuniperCSO     • Zabbix
• Contrail (Juniper)     • Kubernetes
• DNS                    • NewRelic

Figure 4-7. Observers and observer jobs

An observer is a service that extracts topology information from a data source and inserts it into
the topology service database.
Observer jobs are a definition of the access details for a target data source. For example, you
configure a File observer job with the name of the topology file you want to load. You configure a
Kubernetes observer job with details about the cluster and namespaces you want to discover.
Observer jobs are triggered to retrieve data. Each type of observer can support multiple jobs, for
example you can create two Kubernetes observer jobs to periodically retrieve data from two
different Kubernetes clusters. You can manage observer jobs with the user interface or an API.
Observer jobs can be long-running or transient. For example, a REST observer “load” job is a
one-off, transient job (unless scheduled to run at set intervals), whereas a REST observer “listen”
job is long-running and runs until explicitly stopped, or until the observer is stopped.
Most observers are technology or vendor specific, such as the DNS or VMWare observers.
However, the File observer and the REST observer are special because you can use them to obtain
topology data from custom data sources. The File observer and the REST observer are also useful
for testing.


Important

It is important to note that topology data discovered from different observer jobs is separate. This
means that the resources and relationships that are discovered by one observer job are
considered to be a completely separate topology from the resources and relationships that are
discovered by a second observer job. For example, if you define two Kubernetes observer jobs to
discover two different Kubernetes clusters, the topology of the two clusters will not be linked in
topology maps. If you need to join topologies from two different observer jobs, use a merge rule,
which is described later in this unit.
NOTE: Deleting an observer job does not delete the resources or relationships in the topology
database. Topology data must be deleted through the job itself, manually, or through a scripted
removal process.


The File observer

Example topology file:

V:{"_operation":"InsertReplace","uniqueId":"router06","matchTokens":["router-06","router06"],"name":"router06","entityTypes":["router"]}
V:{"_operation":"InsertReplace","uniqueId":"CPU_01","matchTokens":["CPU_01"],"tags":["TagA","TagB"],"name":"cpu01","entityTypes":["cpu"]}
V:{"_operation":"InsertReplace","uniqueId":"CPU_02","matchTokens":["CPU_02"],"tags":["WAIOpsDemo"],"name":"CPU_02","entityTypes":["cpu"]}
V:{"_operation":"InsertReplace","uniqueId":"WAN_Firewall","matchTokens":["WAN_Firewall"],"tags":["WAIOpsDemo"],"name":"WAN_Firewall","entityTypes":["firewall"]}
V:{"_operation":"InsertReplace","uniqueId":"Server101","matchTokens":["Server101"],"tags":["WAIOpsDemo"],"name":"Server101","entityTypes":["computer"]}
V:{"_operation":"InsertReplace","uniqueId":"Richard","matchTokens":["Richard"],"tags":["WAIOpsDemo"],"name":"Richard","entityTypes":["person"]}
E:{"_toUniqueId":"router06","_edgeType":"connectedTo","_fromUniqueId":"Server101"}
E:{"_toUniqueId":"WAN_Firewall","_edgeType":"uses","_fromUniqueId":"router06"}
E:{"_toUniqueId":"Server101","_edgeType":"uses","_fromUniqueId":"Richard"}
E:{"_toUniqueId":"CPU_01","_edgeType":"contains","_fromUniqueId":"Server101"}
E:{"_toUniqueId":"CPU_02","_edgeType":"contains","_fromUniqueId":"Server101"}

File observer jobs use a topology file. A topology file contains a JSON element on each line that
describes a resource or relationship:
• V: The line creates a vertex (resource)
• E: The line creates a relationship (edge)
• W: The line specifies a wait time
• D: The line deletes a vertex (resource)


Figure 4-8. The File observer

The File observer loads topology data from a plain text file. Each line is a JSON element that
describes a resource or a relationship. The values in each line are read by the observer and
converted to properties in the topology database. You must upload topology files to the File
observer container so they can be read by observer jobs. One File observer job can load data from
only one file.
Within a topology file, values in square brackets represent an array of multiple values: for
example, the first line in the slide has two values for matchTokens; the second line has two values
for tags.
The start of each line represents an action:
• V: The line creates a resource.
• E: The line creates a relationship.
• W: The line causes the File observer job to wait a specified time before it continues to the next
line.
• D: The line deletes a resource.
In this example, six resources and five relationships have been loaded from the file. The lines that
add resources include properties such as uniqueId, tags, and entityTypes. The lines that add
relationships include properties such as _edgeType and the direction of the relationship (to/from).
You can add user-defined properties in the file. For example, you could add the custom property
myBankDept with the line:
V:{"_operation":"InsertReplace","uniqueId":"Server101","matchTokens":["Server101"],"name":"Server101","entityTypes":["computer"],"myBankDept":"retail"}

To delete all resources that have been loaded by a File observer job, point the job to an empty file
or create a file to delete specific resources.
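The following linter is an added example, not part of the course materials or of the File observer itself. It checks a topology file in the format shown above before the file is uploaded: every line must carry a known prefix and valid JSON, resources need a uniqueId, and edges should point at resources defined in the same file. The sample input is constructed, the array check assumes that matchTokens, tags, and entityTypes are always written as arrays as on the slide, and W: and D: lines are accepted but not parsed because their payload syntax is not shown in this unit.

```python
"""Lint a File observer topology file before upload (illustration only)."""
import json

ARRAY_PROPS = ("matchTokens", "tags", "entityTypes")  # written as arrays on the slide
EDGE_KEYS = ("_fromUniqueId", "_edgeType", "_toUniqueId")

# Constructed sample: lines 6 to 9 are deliberately wrong.
SAMPLE = """\
V:{"_operation":"InsertReplace","uniqueId":"router06","matchTokens":["router-06","router06"],"name":"router06","entityTypes":["router"]}
V:{"_operation":"InsertReplace","uniqueId":"Server101","matchTokens":["Server101"],"name":"Server101","entityTypes":["computer"],"myBankDept":"retail"}
V:{"_operation":"InsertReplace","uniqueId":"CPU_01","matchTokens":["CPU_01"],"tags":["TagA","TagB"],"name":"cpu01","entityTypes":["cpu"]}
E:{"_toUniqueId":"router06","_edgeType":"connectedTo","_fromUniqueId":"Server101"}
E:{"_toUniqueId":"CPU_01","_edgeType":"contains","_fromUniqueId":"Server101"}
E:{"_toUniqueId":"CPU_09","_edgeType":"contains","_fromUniqueId":"Server101"}
V:{"_operation":"InsertReplace","uniqueId":"Richard","name":"Richard","entityTypes":"person"}
V:{"_operation":"InsertReplace","uniqueId":"router06","matchTokens":["router06"],"name":"router06","entityTypes":["router"]}
X:{"uniqueId":"orphan"}
"""


def lint_topology(text):
    """Parse topology file text and return resources, edges and a sorted problem list."""
    vertices = {}   # uniqueId -> (line number, properties)
    edges = []      # (line number, from, edge type, to)
    problems = []   # (line number, message)

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        action, sep, payload = line.partition(":")
        if not sep or action not in ("V", "E", "W", "D"):
            problems.append((lineno, "line does not start with V:, E:, W: or D:"))
            continue
        if action in ("W", "D"):
            continue  # wait/delete payload syntax is not shown on the page; not parsed
        try:
            record = json.loads(payload)
        except json.JSONDecodeError as exc:
            problems.append((lineno, "invalid JSON: " + exc.msg))
            continue
        if not isinstance(record, dict):
            problems.append((lineno, "payload is not a JSON object"))
            continue

        if action == "V":
            uid = record.get("uniqueId")
            if not isinstance(uid, str) or not uid:
                problems.append((lineno, "resource has no uniqueId"))
                continue
            for prop in ARRAY_PROPS:
                if prop in record and not isinstance(record[prop], list):
                    problems.append((lineno, prop + " should be an array"))
            if uid in vertices:
                problems.append((lineno, "uniqueId %r already defined on line %d"
                                 % (uid, vertices[uid][0])))
            else:
                vertices[uid] = (lineno, record)
        else:
            missing = [key for key in EDGE_KEYS if not record.get(key)]
            if missing:
                problems.append((lineno, "edge is missing " + ", ".join(missing)))
                continue
            edges.append((lineno, record["_fromUniqueId"],
                          record["_edgeType"], record["_toUniqueId"]))

    # Edges are checked last so that a resource may be defined after the edge that uses it.
    for lineno, src, _edge_type, dst in edges:
        for endpoint in (src, dst):
            if endpoint not in vertices:
                problems.append((lineno, "edge endpoint %r is not defined in this file" % endpoint))

    # Resources without matchTokens cannot be matched to incoming events
    # unless a match rule fills the property in later.
    no_tokens = sorted(uid for uid, (_, rec) in vertices.items() if not rec.get("matchTokens"))
    return {"vertices": vertices, "edges": edges,
            "problems": sorted(problems), "no_match_tokens": no_tokens}


if __name__ == "__main__":
    report = lint_topology(SAMPLE)
    for lineno, message in report["problems"]:
        print("line %d: %s" % (lineno, message))
    print("resources without matchTokens:", report["no_match_tokens"])
```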


The REST observer


The REST observer accepts topology data from HTTP requests, which provide the following actions:
• Manage REST observer jobs
• Insert-update resources (HTTP POST)
• Insert-update relationships (HTTP POST)
• Insert-replace resources (HTTP PUT)
• Delete resources (HTTP DELETE)

Example incoming HTTP request:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  --header 'X-TenantID: cfd95b7e-3bc7-4006-a4a8-a73a79c71255' --header 'JobId: jp-listen' -d '{
  "name": "IBM",
  "uniqueId": "IBM",
  "entityTypes": [
    "organization"
  ]
}' 'https://evtmanager-topology.noi.apps.labs.ihost.com/1.0/rest-observer/rest/resources'

Example incoming HTTP request:

curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' \
  --header 'X-TenantID: cfd95b7e-3bc7-4006-a4a8-a73a79c71255' --header 'JobId: jp-listen' -d '{
  "name": "Armonk, New York",
  "uniqueId": "Armonk, New York",
  "attitude": "Fun",
  "entityTypes": [
    "location"
  ],
  "_references": [
    {
      "_fromUniqueId": "IBM",
      "_edgeType": "locatedAt"
    }
  ]
}' 'https://evtmanager-topology.noi.apps.labs.ihost.com/1.0/rest-observer/rest/resources'


Figure 4-9. The REST observer

The REST observer accepts topology data from HTTP requests. In this example, a REST observer
job named jp-listen has accepted data from two different HTTP requests and modeled a
topology.
The first request creates a resource named IBM. The second request creates a resource named
Armonk, New York and a relationship between them.
These requests were sent to the REST observer resource API, which is at the URL:
https://<your route>/1.0/rest-observer/rest/resources
Although it is not shown on this slide, you can use the REST Observer references API to add
relationships at the following URL:
https://<your route>/1.0/rest-observer/rest/references
There are other REST observer APIs. These APIs are well documented and include a swagger
interface for development and testing. You can access the swagger interface here:
https://<your route>/1.0/rest-observer/swagger
There are two types of REST observer jobs: listen jobs and bulk replace jobs.
To delete all resources that have been loaded by a REST observer job, use the DELETE method in
a series of HTTP requests.


Resource and edge properties


Figure 4-10. Resource and edge properties

Properties are key-value pairs that are associated with resources or relationships.
The Topology Service has two categories of properties, generic and user defined:
• Generic properties are few in number and constrained to a single data type, such as integer or
string. These properties are indexed by the search service and you can use them to search for
resources in the user interface. Some important generic properties are:
▪ _id: The tenant-unique identifier of a resource, independent of the uniqueId.
▪ uniqueId: The string by which the provider knows the resource. It might be a UUID that
the provider can use to look up information about the resource in its own local data store.
The uniqueId only needs to be unique within the context of its provider.
▪ matchTokens are used to store strings which match incoming events to resources.
▪ mergeTokens are used to combine topology records together based on merge
rules.
▪ name is the string which will be used in the UI. It does not need to be unique and should
be fairly short and human readable.
▪ tags can be used to store strings which can be searched in the user interface.
▪ entityTypes is the type(s) of object the resource represents, for example server, CPU, or
container. There is a set of predefined entity types with associated icons, or you can add
custom entityTypes.
• User-defined properties are free form and are not constrained to any given data type. Observers
are free to add new user properties as they are needed. User-defined properties are not indexed
by the search service. You cannot use these properties to search for resources in the user
interface.


Topology group templates


• Topology groups are fragments of your overall topology
• Group resources together that have a common purpose or function
• Define topology groups to correlate events
• Three types of templates: Dynamic, tag based, and exact


Figure 4-11. Topology group templates

A topology group is a limited collection of resources within your larger overall topology.
Administrators group resources together that have a common purpose or function that they want
to monitor.
For example, imagine AIOps has discovered the topology of a large Kubernetes cluster. You are
responsible for the health of a key application that is running in the cluster, and you want to monitor
the microservices that make up that application as a group. You can create a topology group that
includes only the components of the application you are interested in. Events that arrive from the
microservices in your topology group will be correlated in event lists to reduce the number of
overall events.
Topology groups are created by Topology templates. Templates define:
• The members of the group (which resources to include or exclude)
• The visual appearance of the group in a topology map
• Whether or not events from group members are correlated together
There are three types of topology templates:
• A dynamic template automatically creates and updates multiple resource groups based on
your criteria.
• A tag based resource group template defines a single group of resources that share a common
set of tags.
• An exact template defines a single set of specific resources.


Topology rules

• Merge: merge a common resource from separate topologies to stitch the topologies together
• Match: use a resource property to match incoming events
• Tag: use a resource property to add a tag
• History: exclude unimportant property changes from history retention
• Business criticality: use a resource property to populate the businessCriticality
property

Figure 4-12. Topology rules

Rules change the way the topology service processes data. You can define rules with the user
interface or with an API. The following types of rules are available:
• Merge rules merge a common resource from separate topologies to stitch the topologies
together. In a merge rule, you specify which property should be used to correctly identify the
resource that is common to multiple topologies.
• Match rules copy the value of another property to the matchTokens property. The matchTokens
property is used to match incoming events to resources.
• Tag rules copy the value of another property to the tags property so that it becomes
searchable in the user interface.

Hint

Any field that isn't indexed and can therefore not normally be searched for becomes searchable if
copied to the tags property.

• History rules identify properties that change every observation, but that don't indicate an
important change, for example a host's sysUpTime property. A history rule excludes properties
like these from being retained in history.
• Business criticality rules copy a particular property of a resource into the resource's
businessCriticality property, which is then used to define business criticality.
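A simplified model of the merge and match rules described above, as an added example (not IBM's code or the product's data model). The resource layout, the observer names, the `hostname` property, and all function names are assumptions made for illustration, and the sample topologies are constructed.

```python
from collections import deque

# Constructed sample data: two observers report the same host under different uniqueIds.
TOPOLOGIES = {
    "file-observer": {
        "resources": [
            {"uniqueId": "sw-01", "name": "switch01", "entityType": "switch"},
            {"uniqueId": "srv-77", "name": "worker3", "entityType": "server",
             "hostname": "worker3.example.com"},
        ],
        "edges": [("sw-01", "connectedTo", "srv-77")],
    },
    "kubernetes-observer": {
        "resources": [
            {"uniqueId": "node/worker3", "name": "worker3", "entityType": "node",
             "hostname": "worker3.example.com"},
            {"uniqueId": "pod/cart-5d9", "name": "cart", "entityType": "pod"},
        ],
        "edges": [("pod/cart-5d9", "runsOn", "node/worker3")],
    },
}


def merge_topologies(topologies, merge_property):
    """Merge rule: resources that share a value of merge_property become one resource."""
    resource_key = {}  # (observer, uniqueId) -> key of the merged resource
    merged = {}        # key -> {"observers": [...], "properties": {...}}
    for observer, topo in topologies.items():
        for res in topo["resources"]:
            token = res.get(merge_property)
            # Without the merge property the resource stays private to its observer.
            key = f"{merge_property}={token}" if token else f"{observer}/{res['uniqueId']}"
            resource_key[(observer, res["uniqueId"])] = key
            entry = merged.setdefault(key, {"observers": [], "properties": {}})
            entry["observers"].append(observer)
            entry["properties"].update(res)  # later observers overwrite same-named properties
    # Rewire every edge to the merged keys so the separate topologies are stitched together.
    edges = {(resource_key[(obs, src)], rel, resource_key[(obs, dst)])
             for obs, topo in topologies.items() for src, rel, dst in topo["edges"]}
    return merged, edges


def apply_match_rule(merged, source_property):
    """Match rule: copy source_property into matchTokens on every resource that has it."""
    for entry in merged.values():
        tokens = entry["properties"].setdefault("matchTokens", [])
        value = entry["properties"].get(source_property)
        if value and value not in tokens:
            tokens.append(value)


def resources_for_event(merged, event_token):
    """Return the keys of resources whose matchTokens contain the event's token."""
    return sorted(key for key, entry in merged.items()
                  if event_token in entry["properties"].get("matchTokens", []))


def connected(edges, start, goal):
    """Breadth-first search over the edges, ignoring direction."""
    neighbours = {}
    for src, _rel, dst in edges:
        neighbours.setdefault(src, set()).add(dst)
        neighbours.setdefault(dst, set()).add(src)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in neighbours.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


if __name__ == "__main__":
    merged, edges = merge_topologies(TOPOLOGIES, "hostname")
    apply_match_rule(merged, "hostname")
    print(sorted(merged))
    print(resources_for_event(merged, "worker3.example.com"))
```

Without the merge rule the pod and the switch sit in two disconnected topologies; merging on the shared property is what lets an event on the host be seen in the context of both.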

Topology dashboard

Figure 4-13. Topology dashboard

The WebGUI user interface and the AIOps user interface both provide a topology dashboard
where each user can display the groups that are most important to them. To create a dashboard,
users mark topology groups they want to include on the dashboard as favorites.
Notice that there are three distribution charts in the example. This is because three topology
groups were marked as favorites. The size of each chart represents the number of resources in the
group. The colors of each distribution chart represent the severity of events that are currently
active for the resources in each group.
If you click a distribution chart, the bottom of the dashboard displays more information about the
group:
• A topology map of the group
• Historical event status of the group
• Historical changes to members and relationships in the group

Unit summary
• Understand where topology data comes from
• Learn how to create topology groups
• Describe topology rules

Figure 4-14. Unit summary

Review questions
1. True or False: The IBM Cloud Pak for AIOps models only servers and network devices.
2. What is an edge?
a. A relationship between two resources, such as a network connection.
b. A group of resources manually added to a topology.
c. An endpoint device, such as a workstation or IP phone.
d. A topology template.

Figure 4-15. Review questions

Review answers
1. True or False: The IBM Cloud Pak for AIOps models only servers and network devices.
The answer is False.
2. What is an edge?
a. A relationship between two resources, such as a network connection.
b. A group of resources manually added to a topology.
c. An endpoint device, such as a workstation or IP phone.
d. A topology template.
The answer is A.

Figure 4-16. Review answers

Exercise: Topology

Figure 4-17. Exercise: Topology

Exercise objectives
• Use the file observer to load topology data
• Create three types of group templates: exact, tag based, and dynamic
• Add a topology right-click tool to launch a topology map from an event
• Use the topology dashboard
• Create a merge rule to combine topologies from different observers

Figure 4-18. Exercise objectives

These are the tasks you complete during the lab exercises for this unit.

Lab tips
Adding the token in the merge rule is a three-step process:
Step 1: Tokens field is empty
Step 2: Enter the token and click Add
Step 3: Verify the token is added

Figure 4-19. Lab tips

Unit 5. Scope-based groups


Estimated time
00:45

Overview
This unit shows you how to configure another event reduction technique: scope-based groups.
You also see how groups can be combined into super groups, to achieve even greater event
reduction.

Unit objectives
• Learn about scope-based groups
• Understand super groups

Figure 5-1. Unit objectives

Scope-based groups
Scope-based group: a group of events that share the same value of a resource attribute and
arrive around the same time.

• Events from applications that are part of the same Service: Service=ShoppingCart
• Events from storage arrays assigned to the same Department: Department=Research
• Events from equipment in the same Location: Location=Istanbul-Labs

Figure 5-2. Scope-based groups

You can group events together based on known relationships in your IT systems. Scope-based
policies copy the value of a specified event field to the ScopeID field of the event. Incoming events
that meet the conditions of a scope-based policy are enriched by copying a value to their
ScopeID field. Events that have the same ScopeID value and arrive around the same time are
grouped together.
Consider the three examples on this slide.
Applications example: A collection of applications compose a service. Events from these
applications all have the value shoppingCart in their Service field. The ScopeID is set to the
value of Service by a policy. All events where ScopeID='shoppingCart' that arrive within 300
seconds of each other are grouped.
Line of business example: A collection of storage arrays are assigned to the research team.
Events from these arrays all have the value Research in their Department field and the string
storage in their node name. The ScopeID is set to the value of Department by a policy. All events
where node contains 'storage' AND Department='Research' that arrive within 2 minutes of
each other are grouped.
Location example: Events from equipment in a specific location all have the value Istanbul-Labs
in their Location field. The ScopeID is set to the value of Location by a policy. All events where
Location='Istanbul-Labs' that arrive within 10 minutes of each other are grouped.

Configuring scope-based groups

Figure 5-3. Configuring scope-based groups

Create a policy to start using scope-based groups. To create a policy, define the following details:
• Name: A unique name for the policy.
• Description: A meaningful description.
• Priority: The priority of the policy.
• Condition: Set conditions so the policy can select which events to enrich.
• Action: The event field you want to copy to ScopeID.
• Time window/quiet period: The time period in which events with the same ScopeID are
grouped together. Or, the number of seconds that need to pass with no further events, after
which the system will stop including events in each occurrence of each group.
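The following added example (not IBM's code, and not the product's policy schema) models how a scope-based policy enriches events with ScopeID and how the two timing options change the resulting groups. It assumes that the time window is measured from the first event of a group and that the quiet period is measured from the most recent one; the `ScopePolicy` class, the function names, and the event timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class ScopePolicy:
    """Hypothetical stand-in for a scope-based policy definition."""
    name: str
    condition: Callable[[dict], bool]  # selects which events to enrich
    scope_field: str                   # event field copied to ScopeID
    seconds: int                       # length of the time window or quiet period
    quiet_period: bool = False         # False: time window, True: quiet period


def build_policies(service_quiet_period=False):
    """Policies modeled on the Service and Department examples; evaluated in list order."""
    return [
        ScopePolicy("service", lambda e: "Service" in e, "Service", 300, service_quiet_period),
        ScopePolicy("research-storage",
                    lambda e: "storage" in e.get("Node", "") and e.get("Department") == "Research",
                    "Department", 120),
    ]


# Constructed events; ts is the arrival time in seconds.
CONSTRUCTED_SCOPE_EVENTS = [
    {"ts": 0, "Node": "app1", "Service": "shoppingCart"},
    {"ts": 50, "Node": "storage-01", "Department": "Research"},
    {"ts": 60, "Node": "laptop7", "Department": "Research"},
    {"ts": 100, "Node": "storage-02", "Department": "Research"},
    {"ts": 120, "Node": "app2", "Service": "shoppingCart"},
    {"ts": 290, "Node": "app3", "Service": "shoppingCart"},
    {"ts": 400, "Node": "app1", "Service": "shoppingCart"},
    {"ts": 500, "Node": "storage-01", "Department": "Research"},
]


def enrich(event, policies):
    """Copy the policy's field to ScopeID for the first policy whose condition matches."""
    for policy in policies:
        value = event.get(policy.scope_field)
        if value and policy.condition(event):
            return dict(event, ScopeID=value), policy
    return dict(event), None


def group_events(events, policies):
    """Group enriched events that share a ScopeID and arrive around the same time."""
    groups, ungrouped, open_groups = [], [], {}
    for raw in sorted(events, key=lambda e: e["ts"]):
        event, policy = enrich(raw, policies)
        if policy is None:
            ungrouped.append(event)
            continue
        group = open_groups.get(event["ScopeID"])
        if group is not None:
            # Time window: measure from the first event. Quiet period: from the last one.
            anchor = group["last"] if policy.quiet_period else group["first"]
            if event["ts"] - anchor > policy.seconds:
                group = None  # the previous occurrence of this group has closed
        if group is None:
            group = {"ScopeID": event["ScopeID"], "first": event["ts"], "events": []}
            groups.append(group)
            open_groups[event["ScopeID"]] = group
        group["events"].append(event)
        group["last"] = event["ts"]
    return groups, ungrouped


def summarize(groups):
    """Return (ScopeID, number of events) for each group, in creation order."""
    return [(g["ScopeID"], len(g["events"])) for g in groups]


if __name__ == "__main__":
    for quiet in (False, True):
        groups, _ = group_events(CONSTRUCTED_SCOPE_EVENTS, build_policies(quiet))
        print("quiet period" if quiet else "time window", summarize(groups))
```

With a 300-second time window the shoppingCart event at 400 seconds starts a second group; with a 300-second quiet period it joins the first, because no gap between consecutive events exceeds 300 seconds.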

Viewing scope-based groups

Example: events from applications that are part of the same Service and arrive around the same time.

Figure 5-4. Viewing scope-based groups

Scope-based groups are effective at event reduction. Users see fewer overall events when using
scope-based groups. In this example, seven events have been combined into a single parent
event using scope-based groups.
Users see a Venn diagram icon in the Grouping column of event lists. The Venn diagram icon
represents a scope-based group. Clicking on one of the Venn diagram icons in the group takes
users to a detail page, where they can see more information about the group and the scope.

Super groups
Super group: a group of events that have been joined together from other groups.

Figure 5-5. Super groups

When events are in more than one group, scope-based groups can overlap with other groups. The
IBM Cloud Pak for AIOps automatically combines scope-based groups with other groups to
create super groups. This event super group function achieves further event and ticket reduction.
In this example, an event from a node named computer1000 is in two groups: a topology group and
a scope-based group. The Venn diagram icon and the topology icon represent the type of each
group. AIOps has combined the two groups into a super group, reducing nine events into a single,
actionable parent event.

Unit summary
• Learn about scope-based groups
• Understand super groups

Figure 5-6. Unit summary

Review questions
1. What is a super group?
a. A group of events that have been joined together from other groups.
b. The global grouping setting, used to disable grouping.
c. A group of events that all come from the same node.
d. A group of events that are more important to the business than other events.

2. What is a scope-based group?
a. A group of events from scoping management software.
b. A group of events that are always suppressed.
c. A group of events that share the same value of a resource attribute and arrive around the same time.
d. A group of events that are always escalated.

Figure 5-7. Review questions

Review answers
1. What is a super group?
a. A group of events that have been joined together from other groups.
b. The global grouping setting, used to disable grouping.
c. A group of events that all come from the same node.
d. A group of events that are more important to the business than other events.
The answer is A.
2. What is a scope-based group?
a. A group of events from scoping management software.
b. A group of events that are always suppressed.
c. A group of events that share the same value of a resource attribute and arrive around the same time.
d. A group of events that are always escalated.
The answer is C.

Figure 5-8. Review answers

Exercise: Scope-based groups

Figure 5-9. Exercise: Scope-based groups

Exercise objectives
• Configure a scope-based group policy
• Combine a scope-based group with a topology group to form a super group

Figure 5-10. Exercise objectives

These are the tasks you complete during the lab exercises for this unit.

Lab tips
• This exercise depends on a topology group that you created in an earlier unit: Unit 4 “Topology.” Before you
continue, be sure to complete section 6 of the Topology unit.

Figure 5-11. Lab tips

Unit 6. Runbooks
Estimated time
00:45

Overview
This unit shows you how to work with runbooks, which operators use to fix incoming problems.
These runbooks can be automated, so that the fix can be run at the push of a button; or configured
to run without any human interaction at all.

Unit objectives
• Learn how to create runbooks
• Learn how to match runbooks to incoming events
• Examine runbook history

Figure 6-1. Unit objectives

About runbooks
• IBM Runbook Automation is an easy-to-use service that empowers IT Operations
Management teams to:
▪ Create, manage, and execute guided tasks and automated activity
▪ Quickly set up event-triggered automated guidance and actions
▪ Interoperate with management and collaboration tools, both cloud-based and on-premises
▪ Automatically track runbook and automation execution activity statistics
▪ Share expertise: SMEs can author runbooks once; users access their knowledge repeatedly

Figure 6-2. About runbooks

IT systems are growing. The number of events is increasing, and the pressure to move from
finding problems to fixing them is increasing. IBM runbook automation assists operational and
expert teams in developing consistent and reliable procedures for daily operational tasks.
Use IBM runbook automation to build and execute runbooks that help IT staff solve common
operational problems. IBM runbook automation can automate procedures that do not require
human interaction, thereby increasing the efficiency of IT operations processes. Operators can
spend more time innovating and are freed from performing time-consuming manual tasks.
A runbook is a controlled set of automated and manual steps that support system and network
operational processes. A runbook orchestrates all types of infrastructure elements, like
applications, network components, or servers.

Benefits of runbook automation


Problems addressed:
• Persistent delays, disruption, and risk of error from:
▪ Organizational complexity and team disparity
▪ Varying skill sets
▪ Reliance on manual effort and the resulting errors
Solutions delivered:
• Create, manage, and execute guided tasks and automated activity
• Quickly set up event-triggered automated guidance and actions
• Interoperate with management and collaboration tools, both cloud-based and on-premises

• Automatically track runbook and automation execution activity statistics
• Share expertise across your team

Journey to automation with runbooks


Three types of runbooks:
• Manual runbooks: A step describes the exact procedure an operator should follow. The
operator applies the fix manually using their standard tools.
• Semi-automated runbooks: Each step describes exactly what an operator
should do. The operator simply pushes a button to run an automated task on a target system.
• Fully-automated runbooks: The runbook is automatically selected in response to a trigger
and run without operator attention.

Figure 6-3. Journey to automation with runbooks

Using IBM runbook automation, you can record standard manual activities, so that they are run
consistently across the organization. The next step is to replace manual steps with automated
tasks, which simplifies these tasks further. This allows your organization to travel the automation
maturity curve:
• Start with standard manual activities that are documented and consistent across the
organization.
• Replace manual steps with automated tasks.
• Transition to fully automated procedures.
There are three types of runbooks, each requiring a different level of human interaction:
• Manual runbooks: A step-by-step description of the exact procedure an operator should
follow. Operators use their standard tools (for example: terminal emulator, putty, GitHub) to
interact with the target system.
• Semi-automated runbooks: Each step describes exactly what an operator should do, and
the operator simply pushes a button to execute an automated task on a target system.
• Fully automated runbooks: The runbook is selected by the system in response to a trigger
and executed without operator attention. The results of the runbook are stored for technical
review.

Runbook personas
The IBM Cloud Pak for AIOps includes tools for the following personas within your team:
• Authors create and edit runbooks, along with other runbook service objects
• Users or operators run runbooks that have been created for them and leave feedback

Figure 6-4. Runbook personas

There are two categories of tools to use when working with runbooks:
• Authoring and configuration tools: subject matter experts on your team author runbooks,
create runbook objects, and view feedback. Administrators configure connections to target
systems.
• User tools: Users run runbooks and leave feedback. If configured, users can run runbooks
from an event list.

Runbook parameters

Figure 6-5. Runbook parameters

Runbooks can include parameters. Parameters can be used as variables that get substituted by a
value in the text of a runbook step, or in an automated step. The value of these parameters can be:
• Populated by the user at runtime
• Populated with default values by the runbook author
• Automatically populated with values from an IT event
• Automatically populated from a previous step in the runbook
In this example, a manual runbook guides users through the process of restarting a DB2 database
instance. The runbook has two parameters: HOSTNAME and DB2INSTANCE. This is because the
runbook needs the host where the database is running and the name of the instance to restart the
instance. In this example runbook, the user starts by entering values for HOSTNAME and
DB2INSTANCE. After the parameters are populated, the text in the runbook substitutes the two
parameters with the user-defined values.

Connections to target systems


The runbook service connects to target systems to perform an action, such as
restart a process, or read a status. The following connection types are available:
• SSH: Run scripts and stream commands
• HTTP interface: Use HTTP methods to connect to a web service
• Ansible Tower: Use the automation features of Ansible Tower
• GitHub external runbook library: Retrieve runbook content from a GitHub repository

Figure 6-6. Connections to target systems

In the case of semi-automated and fully-automated runbooks, the runbook service connects to
the target systems and takes an action. There are several ways to connect to your target systems:
• With SSH: IBM runbook automation can run scripts and stream commands over SSH to target
systems. The runbook service saves the output of the command or script.
• With an HTTP interface: You can use HTTP methods such as GET, POST, and DELETE to
connect the runbook service to a web service. The runbook service saves the response.
• With Ansible Tower: Use the automation features of Ansible Tower, such as playbooks, job
templates, job workflow templates, credential management, and the integration of external
version control systems for playbooks.
• GitHub external runbook library: A special-use connection. Used to retrieve runbook content
from a GitHub repository.

Runbook automations
Automations are pushbuttons for users that connect to a target system and take an action.
Automations can be included in semi-automated and fully automated runbooks.

• Automations depend on connections to target systems
• Automation types correspond to connection types (for example SSH or HTTP)

Automation configuration page

Figure 6-7. Runbook automations

With semi-automated and fully-automated runbooks, users use push buttons to run commands.
These buttons are called automations. When users click a Run button, the runbook service
connects to the target system and executes some action.
This example shows the configuration of a runbook automation named FTP_SERVICE_STATUS. The
automation in this example connects to a server and streams a command to it using SSH.
This pushbutton automation is key to consistency. With automations like this example, runbook
users cannot make a mistake entering commands because they do not need to enter any
commands.

Running a runbook

Figure 6-8. Running a runbook

This example shows a semi-automated runbook. The user simply clicks the Run button and the
runbook service connects to the target system and runs the command for the user. The user then
sees the output of the command and the result and can move on to the next step.
After all steps in the runbook are complete, users are prompted to leave feedback.

Creating runbooks

Figure 6-9. Creating runbooks

Runbooks are quick and easy to create. Runbook authors use a simple tool to build runbooks.

Runbook triggers

Figure 6-10. Runbook triggers

Triggers match incoming events to runbooks that are likely to fix the problem. End users can
select an event in an event list, then start a runbook to fix the problem that caused the event.
Triggers perform the following actions:
• Match incoming events to runbooks based on conditions within the event
• Enrich events that match runbooks with runbook details, such as RunbookID and
RunbookStatus
• Parse text from events to use as parameter values
• Start fully-automated runbooks in response to matching events
This slide shows the trigger configuration page. In this example, events that meet the following
conditions are matched to a runbook named Fix FTP Service.
Summary='FTP service provided by vsftpd is down' AND Service='FTP'
The trigger also reads the Node field of the incoming event and uses it to populate a parameter
within the selected runbook: HOST.
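Because a trigger copies event text into a runbook parameter that an automation may later send to a target system, the value should be checked before it is used. The added example below (not IBM's code or the product's trigger format) models the Fix FTP Service trigger from the slide and rejects a Node value that is not a plain hostname. The dictionary layout, the `RunbookParameters` and `RejectedParameters` fields, the status strings, the `$HOST` placeholder syntax, and the `ping` command are assumptions; the events are constructed.

```python
import re
import shlex
from string import Template

# Trigger modeled on the slide: conditions select events, Node populates HOST.
TRIGGER = {
    "runbook": "Fix FTP Service",
    "conditions": {"Summary": "FTP service provided by vsftpd is down", "Service": "FTP"},
    "parameters": {"HOST": "Node"},  # runbook parameter <- event field
}

# RFC 1123 style hostname: dot-separated labels of letters, digits and inner hyphens.
HOST_LABELS = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*")
VALIDATORS = {"HOST": lambda v: len(v) <= 253 and HOST_LABELS.fullmatch(v) is not None}

# Constructed events: a clean match, a match with a tampered Node field, and a non-match.
CONSTRUCTED_TRIGGER_EVENTS = [
    {"Node": "ftp01.example.com", "Service": "FTP",
     "Summary": "FTP service provided by vsftpd is down"},
    {"Node": "ftp01.example.com; id", "Service": "FTP",
     "Summary": "FTP service provided by vsftpd is down"},
    {"Node": "web01", "Service": "HTTP", "Summary": "HTTP 500 rate high"},
]


def matches(trigger, event):
    """True when every condition field in the trigger equals the event's value."""
    return all(event.get(name) == value for name, value in trigger["conditions"].items())


def apply_trigger(trigger, event):
    """Return the enriched event, or None when the trigger does not match."""
    if not matches(trigger, event):
        return None
    params, rejected = {}, []
    for name, source_field in trigger["parameters"].items():
        value = str(event.get(source_field, ""))
        # Parameters without a validator are rejected, so the check fails closed.
        if VALIDATORS.get(name, lambda v: False)(value):
            params[name] = value
        else:
            rejected.append(name)
    return dict(
        event,
        RunbookID=trigger["runbook"],  # placeholder: the runbook name stands in for an ID
        RunbookStatus="rejected" if rejected else "matched",
        RunbookParameters={} if rejected else params,
        RejectedParameters=rejected,
    )


def render_command(template, params):
    """Substitute parameters into a command, shell-quoting each value as a second layer."""
    return Template(template).substitute({k: shlex.quote(v) for k, v in params.items()})


if __name__ == "__main__":
    for event in CONSTRUCTED_TRIGGER_EVENTS:
        result = apply_trigger(TRIGGER, event)
        print(event["Node"], "->", None if result is None else result["RunbookStatus"])
```

A rejected event carries no parameters, so `render_command` raises `KeyError` instead of producing a command; a fully-automated runbook built this way stops rather than running with an unchecked value.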

Runbooks and events

Figure 6-11. Runbooks and events

Runbooks are delivered to end users in event lists. If an event matches a runbook, users click the
dot in the Runbook column in an event list to learn more about the runbook and run it.
WebGUI users can launch a runbook with a right-click tool.

Runbook history

Figure 6-12. Runbook history

Runbook authors and approvers can view runbook history. With runbook history, you can:
• View the results of runbooks that have run in the past. If the runbook contained an
automation, the output of the target system is saved in the runbook’s history.
• Compare user feedback from different versions of your runbook. This makes it easy to see if
your runbook improves as you edit it over time.
• See the average time it took to run each version of the runbook.
You can offload historic runbook executions to a file, to reduce the footprint of the database and
increase database performance.

Example user feedback

Figure 6-13. Example user feedback

After all steps in the runbook are complete, users are prompted to leave feedback:
• The user can give a star rating to the runbook to indicate how useful it was or how well it
worked. This star rating is visible to other runbook users and runbook authors.
• The user can add a comment. This comment will be visible to runbook authors.
• The user must click either Runbook did not work or Runbook worked to exit. This action is
used to calculate the success rate of the runbook.
Feedback helps your team's subject matter experts and runbook authors know if the runbook was
clear and worked as intended, or if it needs improvement.

Runbook statistics dashboard

Figure 6-14. Runbook statistics dashboard

The user interface includes a runbook statistics dashboard. This dashboard shows data about
runbooks that have run in the past.
The runbook statistics dashboard is divided into two sections: runbook metrics are displayed on
the left and runbook execution records are shown on the right.

Unit summary
• Learn how to create runbooks
• Learn how to match runbooks to incoming events
• Examine runbook history

Figure 6-15. Unit summary

Review questions
1. True or False: The runbook service can connect to a target using SSH.
2. What is a runbook trigger?
a. A runbook trigger matches incoming events to runbooks that are likely to fix the problem.
b. A runbook trigger enables or disables all runbooks.
c. A runbook trigger starts AI training jobs.
d. A runbook trigger is a JDBC driver, used to read and write data to internal databases.

Figure 6-16. Review questions

Review answers
1. True or False: The runbook service can connect to a target using SSH.
The answer is True.
2. What is a runbook trigger?
a. A runbook trigger matches incoming events to runbooks that are likely to fix the problem.
b. A runbook trigger enables or disables all runbooks.
c. A runbook trigger starts AI training jobs.
d. A runbook trigger is a JDBC driver, used to read and write data to internal databases.
The answer is A.

Figure 6-17. Review answers

Exercise: Runbooks

Figure 6-18. Exercise: Runbooks

Exercise objectives
• Create a connection from the runbook service to a target system
• Create automations
• Create, test, and use runbooks
• Use triggers to map runbooks to incoming events
• View runbook history

Figure 6-19. Exercise objectives

These are the tasks you complete during the lab exercises for this unit.

Lab tips
• The SSH connection will not work if you don't save the key in a file named: authorized_keys
in the location: /home/netcool/.ssh
• Triggers must have a description. You cannot save a trigger without a description.


Figure 6-20. Lab tips


Unit 7. Triggers
Estimated time
01:00

Overview
Triggers are an automated way to alter data, including event data, in the central Event Manager
database. This unit teaches you how to create and use triggers.


Unit objectives
• Learn to interact with Event Manager using an SQL interface
• Understand how triggers change events in the Event Manager database


Figure 7-1. Unit objectives


Topics
• ObjectServer structure and SQL
• Automations and triggers


Figure 7-2. Topics

7.1. ObjectServer structure and SQL


Figure 7-3. ObjectServer structure and SQL


What is an ObjectServer?
• An ObjectServer is the central database where Event Manager stores events
• An ObjectServer is a collection of multiple databases
• ObjectServers:
  ▪ Receive event data from probes, webhooks, and other monitors
  ▪ Process event data using tools and automations
  ▪ Transfer event data using gateways
  ▪ Display event data to the user
• ObjectServers come in pairs for redundancy: a primary ObjectServer and a backup
ObjectServer
• ObjectServers can be deployed in tiers to process high volumes of events, for example a
collection tier to receive events along with an aggregation tier to process events


Figure 7-4. What is an ObjectServer?

ObjectServers are the central data stores within Event Manager, including the database where all
events are stored.


ObjectServer databases
Initially, the ObjectServer has the following databases, among others:
• alerts: Alert data, and event list configuration
• catalog: System catalog containing ObjectServer metadata (can be viewed but not modified)
• custom: Database for tables added by users
• iduc_system: Channel setup for accelerated event notification (AEN)
• master: Compatibility with previous releases; Desktop ObjectServer tables
• persist: Triggers, procedures and signals
• security: Authentication information for users, roles, groups, permissions
• service: service.status table for service display (used mostly with monitors)
• tools: User tools and menu structure
• transfer: Used by the ObjectServer gateways


Figure 7-5. ObjectServer databases

The ObjectServer is typically referred to as a memory resident database. In reality, it is a
collection of multiple databases. This slide contains a list of key databases that are defined in any
ObjectServer. A user with the appropriate authority can add a database to the ObjectServer. Users
can also add their own databases, database tables, and columns in a database table.
The ObjectServer is case-sensitive. All of the default databases are defined with names that
contain all lowercase letters. Any use of the actual database name, in an SQL statement, for
example, must reference the name in lowercase.
One important table is named alerts.status, which is used to store normalized event records. The
alerts.status table defines the structure of the event records.


ObjectServer structure: alerts.status

Key fields in the alerts.status table:

• Identifier
• Serial
• ServerSerial
• ServerName
• StateChange
• FirstOccurrence
• LastOccurrence
• Type
• Acknowledged
• Node
• Tally
• ExpireTime
• Severity
• OwnerUID/GID
• AlertGroup
• AlertKey
• Manager
• Summary
• Class

Figure 7-6. ObjectServer structure: alerts.status

The ObjectServer table alerts.status defines the structure of the Event Manager event record.
Event Manager probes, webhooks, and other monitors populate the alerts.status table.
In the example of a probe, the probe collects information from some source, and breaks the
information into pieces referred to as tokens. The probe assigns a token to a column in the
alerts.status table. The probe populates the table by creating an SQL INSERT statement. That
statement is forwarded to the ObjectServer, and causes a record to be created in the
alerts.status table.
This slide lists some of the key fields in the alerts.status table:
• Identifier: This is the unique identifier for a row in the alerts.status table and is key to event
deduplication. It is essential that the identifier identifies repeated events appropriately.
• Serial: This is an automatically populated field and is a unique reference for an event within a
particular ObjectServer. Event Manager automatically assigns a number to this field when a
new event arrives in the ObjectServer.
• ServerSerial and ServerName: Unique values for the server that received the event first. This
is important for architectures with multiple ObjectServers and gateways.
• StateChange: This is a time field updated by triggers. Event Manager updates this field with
the current time each time the state of an event changes (either from the data source or the
ObjectServer).
• FirstOccurrence: This is a time field that is updated by triggers. It contains a timestamp of
when the event first arrives in the ObjectServer. It should not subsequently be changed.
• LastOccurrence: This is a time field updated by triggers. It contains a timestamp of the last
occurrence of the event. Unlike FirstOccurrence, its value changes if another instance of the
same event arrives.

• Type: An integer field and can generally take three values: 0, 1 and 2. A type of 0 means that
the type has not been set. A type of 1 means that the event is a problem event (link down, for
example). A type of 2 means that the event is a resolution event (link up).
• Acknowledged: Events in Event Manager can be acknowledged by a user. It is this field that
represents the acknowledgement of an event. It is an integer field but behaves as a Boolean:
0=unacknowledged and 1=acknowledged.
• Node: Identifies the managed entity from which the alarm originated. This could be a device or
host name, service name, application name, or other entity. The Node column must contain
the name of the entity which allows direct communication, or can be resolved to allow direct
communication, with the entity.
• Tally: The ObjectServer maintains a count (or tally) of the total number of recurrences of an
event.
• ExpireTime: An integer field that can optionally be used to automatically remove events.
When set to a non-zero value, it represents the number of seconds that the event remains in
the ObjectServer. A trigger checks any event with a non-zero value. After the event has been in
the system for longer than the configured number of seconds, it is removed.
• Severity: This field denotes the severity or priority of the event within the ObjectServer. It is
an integer field and has these values by default:
▪ 0: Clear
▪ 1: Intermediate
▪ 2: Warning
▪ 3: Minor
▪ 4: Major
▪ 5: Critical
• OwnerUID: The owner ID of the event in alerts.status table.
• OwnerGID: The group ID of the event in alerts.status table.
• AlertGroup: The descriptive name of the failure type indicated by the alert. For example:
Interface Status or CPU Utilization.
• AlertKey: Indicates the managed object instance referenced by the alert. For example, the
disk partition indicated by a file system full alert or the switch port indicated by a utilization
alert.
• Manager: Normally denotes the data source that processed the event.
• Summary: A summary of the problem associated with the event.
• Class: A way of classifying equipment types in events. Enables tools to be assigned against
events of specific equipment types.


ObjectServer structure: alerts.details


Under certain circumstances you might be interested in the raw data from the probe:
• When details tracking is enabled, data is stored in the alerts.details table as token-value pairs
• You can view details from the Details tab in the Information window, which you access through the
Alerts menu for selected events
• Details are linked to their respective events using the Identifier field, which is a primary key in both
the alerts.status and alerts.details tables
• There is a 1-to-1 correspondence between events and details: one detail record (alerts.details) is
possible for each event record (alerts.status)


Figure 7-7. ObjectServer structure: alerts.details

One of the primary roles of a data source such as a probe is to convert machine information from
the event source into human-readable text in the ObjectServer event record. There are times
when it might be important to see the original machine data, typically when debugging some
problem. You can configure the data source to send extra data to the ObjectServer whenever an
event is created. This additional data is saved in the alerts.details table. There is a database link
between alerts.status and alerts.details, which enables a user to view the details that are related
to a specific event.


ObjectServer structure: alerts.journal

When working with events, you might want to track the history of a particular event:
• Who has owned it
• What severity levels it has passed through
• What automations have acted on it

Journals provide these functions:
• Journal information is held in the alerts.journal table
• Journals are linked to their respective events through the Serial field, which is a primary key
in both alerts.status and alerts.journal tables

There is a 1-to-n correspondence between events and journals:
• There can be n journal records (alerts.journal) for each event record (alerts.status)

Figure 7-8. ObjectServer structure: alerts.journal

When working with events in Event Manager, you often want to track the history of an event. You
want to know who owns the event, what severity levels it passes through, what automations act
upon it, and more. You can use the journal to track the history. When a new journal entry is added,
the data is stored in the alerts.journal table.
The journal entry contains the name of the user, the date, time, and text that describes the
operation. This information provides an important chronological history of actions that are taken
against the event.
You can add entries to the journal manually. You can also add to the journal with a trigger.


Introduction to ObjectServer SQL


• Subset of American National Standards Institute (ANSI) SQL
  ▪ Includes some proprietary extensions
• Used throughout Event Manager in automations, tools, and filters
• Three general functional areas:
  ▪ Data definition: ObjectServer structure and behaviour
  ▪ Data manipulation: Triggers, tools
  ▪ System administration: Command line
• This unit focuses on data manipulation
• ObjectServer data is case sensitive


Figure 7-9. Introduction to ObjectServer SQL

ObjectServer SQL is a subset of ANSI SQL, which is used widely throughout Event Manager. For
example, it is used in the SQL file that creates the ObjectServer, and is used in automations in the
ObjectServer. ObjectServer SQL commands can be roughly divided into three functional areas:
• Data Definition: Used in SQL files to define and create databases and tables
• Data Manipulation: Used by triggers, tools, and filters to retrieve, modify, and delete data
• System Administration: Used on the command line to manage the system
ObjectServer data is case sensitive, including database names, table names, and column
names.
This unit covers data manipulation commands, which are useful for ObjectServer triggers.


Command-line access
• The nco_sql command provides access to the ObjectServer's SQL interface
$OMNIHOME/bin/nco_sql -server <ObjectServer Name>
  ▪ Requires ObjectServer user name and password
  ▪ If not specified, root is the assumed user
  ▪ The nco_sql command is available inside of ObjectServer containers and on computers
    where ObjectServers run


Figure 7-10. Command-line access

Use the nco_sql tool to access the command-line SQL interface of an ObjectServer.
nco_sql -server <OBJECTSERVER_NAME> -user <NAME> -password <password>
If no user name is specified, the system assumes root.


Viewing data with SELECT


Selecting events example:
SELECT * FROM alerts.status WHERE Severity = 5;

SELECT *              retrieve all columns
FROM alerts.status    from the alerts database and the status table
WHERE Severity = 5    that meet this condition


Figure 7-11. Viewing data with SELECT

Use the SELECT command to retrieve one or more rows or partial rows of data from an existing
table.
You can select an event with the following command:
select * from database.table where FieldName=condition;
Select all non-hidden columns:
select *
From the database and table specified:
from database.table
Using the following condition:
where FieldName=condition
In this example, the command retrieves all columns from the alerts.status table and displays
every record with a Severity of critical.
select * from alerts.status where Severity=5;


Fields and operators


Selecting specific fields with multiple conditions
SELECT Summary, Class FROM alerts.status
WHERE Severity = 5 AND Node = 'batman';

Inequality comparisons
SELECT * FROM alerts.status WHERE Grade >= 3;

LIKE operator for string comparisons


SELECT * from alerts.status
WHERE Node LIKE '^bat.*';
LIKE is only used with char fields, often with regular expressions


Figure 7-12. Fields and operators

ObjectServer SQL supports the ability to retrieve specific fields or columns. The following example
only retrieves the Summary and Class fields.
select Summary, Class from alerts.status
ObjectServer SQL supports logical operators:
AND
OR
ObjectServer SQL supports comparison operators.
>   greater than     >=  greater than or equal to
<   less than        <=  less than or equal to
<>  not equal to
LIKE and NOT LIKE are typically used in string comparisons and often in conjunction with regular
expressions. The following metacharacters are the most commonly used:
. Match any single character (for example, link.n matches link2n, not link21n)
* Match zero or more occurrences of the preceding character (for example, link* matches lin, link, or
linkkk)
+ Match one or more occurrences of the preceding character (for example, link+ matches link and
linkkk, but not lin or linxk)
[ ] Match any single character within the given range (for example, link[0-5] matches link2 but
not link9)
^ Ensure that the pattern matches at the beginning of the string (for example, ^link.* matches
linknorth, but not northlink)

$ Ensure that the pattern matches at the end of the string (for example, .*link$ matches
northlink but not linknorth)
In regular expressions, a backslash (\) escapes special characters (match literal value).
The NOT keyword inverts the result of any comparison.


IN operator and subqueries


Use IN to compare a value to a list of values
SELECT * FROM alerts.status WHERE Node IN ('batman', 'catwoman', 'robin');

Can also use IN with subqueries


SELECT * FROM alerts.status WHERE Serial IN (( SELECT Serial FROM
alerts.journal ));
The example retrieves all events with a journal entry


Figure 7-13. IN operator and subqueries

The IN list comparison operator compares a value to a list of values.


Example:
select * from alerts.status where Severity IN (1,3,5)
The query returns the rows in which Severity is equal to the number 1, 3 or 5.
Subqueries are complex conditions that match a value with the results of another select
statement, possibly on another database.


Modifying data with UPDATE and SET


The UPDATE command changes table data
• Single field
UPDATE alerts.status SET Severity = 5
WHERE Severity = 4 AND Acknowledged = 0;

• Multiple fields
UPDATE alerts.status
SET Severity = 5, Service = 'Web Host'
WHERE Grade = 4 AND Customer like 'ISP';


Figure 7-14. Modifying data with UPDATE and SET

The UPDATE command updates columns in an existing row of data in a table.


The general form of the UPDATE statement is:
update database.table set assignment where condition;
Update the records:
update
Set the following assignment:
set assignment
Where the following condition is true:
where condition

In this case, the asterisk or field name is not required. The statement updates the table that is
defined, using the set assignment, based on the where condition.
For example, this statement first locates any record in the alerts.status table with a Severity of 3.
It changes the Severity to 4 for every record found.
update alerts.status set Severity=4 where Severity=3;


Creating data with INSERT


The INSERT INTO command adds a row to a table
INSERT INTO alerts.status (Node, Severity, Summary, Identifier)
VALUES ('was1', 5, 'Disk Util 95%', 'was1DiskUtil95')

Removing data using DELETE


The DELETE command removes one or more rows from an existing table

DELETE FROM alerts.status WHERE Severity=0;

Deleted events cannot be recovered


Figure 7-15. Creating data with INSERT

The INSERT command creates a new row of data in an existing table. If you are not inserting
values for every column in the row, specify a comma-separated list of the columns to insert,
within parentheses, followed by the VALUES keyword, followed by a comma-separated list of
values within parentheses.
INSERT statement
insert into database.table (IntegerField, StringField, IntegerField2,
StringField2) values (3, 'text', 3, 'more text');
String field values are single-quoted. You must specify a value for the primary key columns in the
INSERT command.
UPDATING keyword
The optional UPDATING keyword forces the specified columns to be updated if the insert is
deduplicated.
Example:
insert into alerts.status (Identifier, Severity, Tally, Serial) values
('ControlMachineStats15', 5, 12, 21) updating (Severity);
In the preceding example, a new record is inserted into the alerts.status table. The new record
will have the following four fields specified.
• Identifier: ControlMachineStats15
• Severity: 5
• Tally: 12
• Serial: 21

If a record already exists in alerts.status with the same identifier, then deduplication occurs.
During deduplication, only specific fields are updated, and Severity is not one of them. By
including the updating (Severity) text, the ObjectServer is forced to update the Severity field.
Without that text, the Severity field does not change.
Delete statement
This statement deletes the rows from the table using the specified condition, for example:
delete from database.table where condition;
This statement removes every record from alerts.status that is Green/Clear (Severity=0):
delete from alerts.status where Severity=0;

Note

The action takes place immediately, and the result is permanent.
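
The deduplication behaviour of INSERT with UPDATING and the permanence of DELETE described above, shown as an added nco_sql session that is not part of the course material. The Identifier, Node, and Summary values are constructed test data, and go is the nco_sql keyword that submits each batch.

```sql
-- Added example, not from the course. All values are constructed test data.

-- 1. Create a test event. Identifier is the primary key, so it must be supplied.
insert into alerts.status (Identifier, Node, Severity, Summary)
values ('demo-host1DiskUtil', 'demo-host1', 3, 'Disk Util 95%');
go

-- 2. Insert the same Identifier again with a different Severity and no
--    UPDATING clause. The insert is deduplicated against the existing row.
insert into alerts.status (Identifier, Node, Severity, Summary)
values ('demo-host1DiskUtil', 'demo-host1', 5, 'Disk Util 95%');
go

-- Compare Severity and Tally with the values from step 1.
select Identifier, Severity, Tally from alerts.status
where Identifier = 'demo-host1DiskUtil';
go

-- 3. Repeat the insert, this time forcing Severity to be updated on deduplication.
insert into alerts.status (Identifier, Node, Severity, Summary)
values ('demo-host1DiskUtil', 'demo-host1', 5, 'Disk Util 95%') updating (Severity);
go

select Identifier, Severity, Tally from alerts.status
where Identifier = 'demo-host1DiskUtil';
go

-- 4. Before any DELETE, run the same WHERE condition as a SELECT to see
--    exactly which rows, and how many, the DELETE would remove.
select count(*) from alerts.status
where Identifier = 'demo-host1DiskUtil';
go

select Serial, Node, Severity, Summary from alerts.status
where Identifier = 'demo-host1DiskUtil';
go

-- 5. Only when the preview matches what you expect, run the DELETE with the
--    identical condition. The rows cannot be recovered afterwards.
delete from alerts.status
where Identifier = 'demo-host1DiskUtil';
go
```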


The administrator tool and the SQL workbench


Figure 7-16. The administrator tool and the SQL workbench

The Event Manager administrator tool is a powerful configuration tool that helps you customize
and manage ObjectServer databases. The administrator tool is a thick client, which you download
and install with the ObjectServer on-premises software. The administrator tool connects to
ObjectServers in your environment, whether your ObjectServers are on-premises or running in
Red Hat OpenShift.
The administrator tool includes a tool called the SQL workbench. This tool helps you create and
validate SQL commands.
This slide shows an SQL statement in the SQL workbench, along with a list of columns in the
alerts.status table.

7.2. Automations and triggers


Figure 7-17. Automations and triggers


Triggers (automations)
Triggers are a way to respond to events that happen within the ObjectServer.
Triggers are used for the following tasks, among others:
• Automate management of events
• Perform actions automatically on receipt of certain events
• Incorporate escalation procedures
• Correlate events


Figure 7-18. Triggers (automations)

Triggers detect changes in the ObjectServer and run automated responses to these changes. This
enables the ObjectServer to process alerts without requiring an operator to take action.
Triggers are also called automations.


Trigger types
There are three types of triggers:
• Database: A database condition exists in ObjectServer
• Temporal: This trigger runs on a timed basis
• Signal: A system or user-defined signal was raised


Figure 7-19. Trigger types

There are three types of triggers.


• Database: A database trigger activates based on a change to a database table. The trigger
defines the name of the database table, and what type of change activates the trigger.
• Temporal: A temporal trigger is activated based on a frequency. For example, a temporal
trigger can activate once every minute.
• Signal: A signal trigger activates based on the occurrence of a special event, which is called a
signal. The ObjectServer includes a collection of system signals. An example of a system
signal is the connect signal. The connect signal is raised when a component connects to the
ObjectServer. You can define a user signal. When you create a user signal, you define the
conditions that are related to the signal. The ObjectServer raises system signals automatically.
A user signal is typically raised manually with a tool.


Trigger general settings

• Trigger name
• Trigger group
• When: valid SQL condition
• Action, which can be one or more of these types:
  ▪ SQL action
  ▪ SQL procedure
• Comment: description of trigger
• Declare local variables
• State
  ▪ Debug: Logging to message log (ObjectServer log file)
  ▪ Enabled: Enable or disable trigger. Both the trigger and trigger group must be
    enabled for the trigger to fire
• Priority
  ▪ Set trigger fire order (1–20), 1 being highest


Figure 7-20. Trigger general settings

When you create a trigger, you must configure some settings. Some of the setting values are
common across all trigger types. Some triggers do not use some settings.
Trigger names are character strings. A trigger name cannot contain spaces or special characters
except for the underscore. The trigger name must be unique.
Triggers are organized into trigger groups. You must choose a group when you create a trigger.
The WHEN setting is used to configure an optional condition that must be met before a trigger can
activate. The condition that is defined in the WHEN setting is in addition to the type of trigger. For
example, you create a temporal trigger with a frequency of every hour. The trigger activates every
hour. If you create a WHEN condition, the trigger runs every hour only if the WHEN condition is
met.
The ACTION setting contains the commands that run when the trigger is activated. The
commands are typically one or more SQL commands.


Trigger groups

• Use Trigger Groups to manage multiple triggers


• Each trigger must belong to only one Trigger Group, but can be moved
between groups
• A Trigger Group can only be deleted if empty


Figure 7-21. Trigger groups

Triggers are organized into trigger groups. Trigger groups are used to organize and control one or
more triggers.
A trigger group has a name, and the name has the same constraints as a trigger name. A trigger
group can be used to control the activation of multiple triggers. If you disable a trigger group, you
prevent the activation of all triggers that belong to that group.


WHEN clause
You can determine when the trigger fires:
• Day of week
• Time of day
• Severity at a certain level:
new.Severity>3
• Deduplication period is below a certain amount:
(new.LastOccurrence - new.FirstOccurrence) < 60


Figure 7-22. WHEN clause

The WHEN setting is used to define a condition that must be met before a trigger activates. A user
might create a trigger to automatically delete certain events from the ObjectServer that runs once
every hour. After the trigger is enabled, the trigger activates every hour, on every day of the week.
The user might not want the trigger to remove events on Saturday or Sunday. The user can add a
WHEN condition to the trigger to test for the day of the week. In the WHEN condition, the user
specifies that the trigger does not activate on Saturday or Sunday. After the WHEN condition is
added, the trigger activates once every hour on every day of the week except Saturday or Sunday.


Trigger actions
• Trigger actions are SQL code blocks
• They can be designed to manipulate data in the action statement itself
• They can run a predefined procedure


Figure 7-23. Trigger actions

The ACTION contains the commands that run when the trigger activates. The ACTION can contain
a single SQL command, a block of commands, or a command that runs a procedure.


Commonly used SQL commands


A body statement can contain one or more SQL commands:
ALTER <ObjectServer Object>
UPDATE
INSERT
DELETE
WRITE INTO
RAISE SIGNAL
{ EXECUTE | CALL } PROCEDURE
CANCEL
BREAK
IF / THEN / ELSEIF
CASE / WHEN
FOR / FOR EACH ROW
SET <TypedObject> = <TypedValue>


Figure 7-24. Commonly used SQL commands

This slide contains a list of some of the SQL commands that you can use within an SQL code block.
These commands are commonly used in triggers.


SQL code blocks: IF THEN ELSE


The IF THEN ELSE statement performs one or more actions based on the specified conditions.
Syntax:

IF condition THEN
    action_command_list
[ELSEIF condition THEN        (optional)
    action_command_list
...]
[ELSE                         (optional)
    action_command_list]
END IF;


Figure 7-25. SQL code blocks: IF THEN ELSE

ObjectServer SQL is used to implement logical controls within any code block. The most common
way is by using an IF() statement.
For instance, you might want to implement the logic that if Grade is 99, do one thing; else if Grade
is 98, do something else. You can use IF() blocks for this task.


SQL code blocks: FOR EACH ROW


The FOR EACH ROW loop performs actions on a set of rows that match a certain condition
Syntax:

FOR EACH ROW variable_name in database_name.table_name
[ WHERE condition ]
BEGIN
    action_command_list;
END;


Figure 7-26. SQL code blocks: FOR EACH ROW

You can use the FOR EACH ROW loop to perform actions on a set of rows that match a certain
condition. The following example increases the severity of all alerts in the alerts.status table that
have a severity of 3 to a severity of 4.
FOR EACH ROW alert_row in alerts.status WHERE alert_row.Severity=3
BEGIN
SET alert_row.Severity = 4;
END;

Triggers that use FOR EACH ROW are also known as row-level triggers.
About the EVALUATE clause
Generally, use of the EVALUATE clause is relatively inefficient and its use should be avoided
whenever possible. When a trigger contains an EVALUATE clause, a temporary table is created to
hold the results of the SELECT statement in the EVALUATE clause. The amount of time and
resources that this temporary table consumes depends on the number of columns that are
selected and the number of rows matched by the condition in the WHERE clause.
In most cases, you can replace an EVALUATE clause with a FOR EACH ROW clause which cursors
over the data and does not incur the processor usage of creating a temporary table.
A suitable use for an EVALUATE clause is when a GROUP BY clause is being applied to an SQL
query.


Trigger response sequence


An automation, or trigger, fires when certain conditions occur in the ObjectServer:
• Time
• Database action
• Signal
The WHEN clause determines whether the action should run:
• Condition to meet before running the action
• Can determine time of day or day of week first
The EVALUATE statement builds a read-only temporary table to be used in the action
• Use of the EVALUATE clause is relatively inefficient and its use should be avoided whenever
possible
• In most cases, you can replace an EVALUATE clause with a FOR EACH ROW clause
Action runs the SQL code block

Figure 7-27. Trigger response sequence

In summary, triggers activate based on three types of conditions: time, database change, and
signal. When the trigger activates, an optional WHEN clause is evaluated. If the WHEN condition is
met, the trigger continues. The optional EVALUATE setting creates a temporary table that contains
records that meet some condition. The ACTION setting contains the commands that run.


Temporal trigger example


The delete_clears trigger:

SETTINGS every 1 minute

WHEN [ not used ]

EVALUATE [ not used ]

ACTION begin
delete from alerts.status
where Severity = 0 and
StateChange < (getdate() - 120);
end

COMMENT Delete clear (Green) alerts over 2 minutes old in alerts.status every 60 seconds


Figure 7-28. Temporal trigger example

A temporal trigger activates based on a time frequency. Do not confuse time in this case with time
of day. The frequency defines how frequently the trigger activates, not when it activates. For
example, a temporal trigger with a frequency of 1 hour activates every hour. The trigger might not
activate on even hour boundaries, for example, 8:00, 9:00, 10:00. The activation is based on when
the ObjectServer starts. After the ObjectServer starts, the trigger activates every hour.

Example: the delete_clears trigger


The delete_clears trigger performs a basic housekeeping function, ensuring that clear (Severity
= 0) events are removed from the ObjectServer alerts.status table after a period of inactivity.
This trigger is a temporal trigger, so the Settings tab indicates that it runs every minute.
The When tab is empty in this trigger, indicating that it always runs.
The Evaluate tab permits building a temporary result set. This set is not needed in this trigger, so it
is empty.
The Action tab contains the SQL statement that accomplishes the work of this trigger:
begin
delete from alerts.status
where Severity = 0 and
StateChange < (getdate() - 120);
end


Database trigger example

The deduplication trigger:

SETTINGS before a reinsert action into alerts.status

WHEN [ not used ]

ACTION begin
set old.Tally = old.Tally + 1;
set old.LastOccurrence = new.LastOccurrence;
set old.StateChange = getdate();
set old.InternalLast = getdate();
set old.Summary = new.Summary;
set old.AlertKey = new.AlertKey;
if ((old.Severity = 0)and(new.Severity > 0))
then
set old.Severity = new.Severity;
end if;
end

COMMENT Deduplication processing for alerts.status



Figure 7-29. Database trigger example

One of the key features of the ObjectServer is data deduplication. This feature provides for
significant event volume reduction by storing a single copy of an event regardless of how many
times it repeats.
In a database trigger, the ObjectServer looks for a database operation to occur against a table,
rather than a time interval. The database operation can be Delete, Insert, Reinsert, or Update. The
Pre/Post Action selector determines whether the action executes before or after the specified
database operation.
Apply to Row/Statement, if set to row (the default), means that the contents of the Action tab run
as many times as there are rows selected. When set to Statement, the action runs only once,
regardless of how many rows were affected.
On the Action tab, triggers also have access to the implicit variables new and old, whose values
are automatically set by the system.
• Row fields before change: old.fieldname (for example, old.Severity)
• Row fields after change: new.fieldname (for example, new.Severity)
In some operations, new or old row variables might not be available. For example, if a row is
deleted, there is no new row to read or modify. The availability of implicit variables depends on
the database operation performed.

Example: the deduplication trigger


The deduplication trigger is an example of a database trigger. The Settings tab indicates that it
fires on a reinsert (an attempted insert into a table where the unique key already exists) into
alerts.status.

The When tab is empty, so it always runs.
The Evaluate tab is not used in this trigger.
The Action tab updates fields on the existing event selectively (replacing the existing old values
with the incoming new values). It also increments the Tally, and only updates the Severity if it had
already been set to clear (0).
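
The following Python model is an added example, not ObjectServer SQL and not code from the course. It replays a constructed event sequence through the deduplication action and the delete_clears housekeeping shown in this unit to show how the two interact: a clear event that keeps repeating has its StateChange refreshed on every reinsert, so it does not age out. The class, function, and event names are hypothetical.

```python
from dataclasses import dataclass

CLEAR = 0            # Severity of a clear (green) event
CLEAR_MAX_AGE = 120  # seconds, from the delete_clears action


@dataclass
class Alert:
    Identifier: str
    Severity: int
    Summary: str
    AlertKey: str
    LastOccurrence: int
    StateChange: int
    InternalLast: int
    Tally: int = 1


def event(identifier, severity, summary, at):
    """Constructed sample event; 'at' is a time in seconds."""
    return Alert(identifier, severity, summary, identifier, at, at, at)


class AlertsStatus:
    """Minimal stand-in for alerts.status, keyed on Identifier."""

    def __init__(self):
        self.rows = {}

    def insert(self, new, now):
        old = self.rows.get(new.Identifier)
        if old is None:
            self.rows[new.Identifier] = new
            return "insert"
        # The key already exists, so the insert is a reinsert and the
        # deduplication action runs against the old and new rows.
        old.Tally += 1
        old.LastOccurrence = new.LastOccurrence
        old.StateChange = now
        old.InternalLast = now
        old.Summary = new.Summary
        old.AlertKey = new.AlertKey
        if old.Severity == CLEAR and new.Severity > CLEAR:
            old.Severity = new.Severity
        return "reinsert"

    def delete_clears(self, now):
        """Temporal housekeeping: drop clear rows idle for over 120 s."""
        doomed = [key for key, row in self.rows.items()
                  if row.Severity == CLEAR
                  and row.StateChange < now - CLEAR_MAX_AGE]
        for key in doomed:
            del self.rows[key]
        return doomed


def replay():
    """Run a constructed event sequence and report what the triggers did."""
    table = AlertsStatus()
    ops = [
        table.insert(event("linkDown@rtr1", 5, "Link down", 0), now=0),
        table.insert(event("heartbeat@app1", 0, "Heartbeat OK", 0), now=0),
        table.insert(event("linkDown@rtr1", 3, "Link down (repeat)", 30), now=30),
    ]
    row = table.rows["linkDown@rtr1"]
    severity_after_lower_repeat = row.Severity  # old row was not clear
    # Constructed step: something outside this model clears the row at t=60.
    row.Severity, row.StateChange = CLEAR, 60
    # The clear keeps repeating, so dedup refreshes StateChange to 100.
    ops.append(table.insert(event("linkDown@rtr1", 0, "Link up", 100), now=100))
    deleted_at_200 = table.delete_clears(now=200)  # cutoff is 200 - 120 = 80
    # A new problem arrives for the cleared row: Severity is raised again.
    ops.append(table.insert(event("linkDown@rtr1", 4, "Link down again", 210), now=210))
    return {
        "operations": ops,
        "severity_after_lower_repeat": severity_after_lower_repeat,
        "deleted_at_200": deleted_at_200,
        "deleted_at_400": table.delete_clears(now=400),
        "final": table.rows["linkDown@rtr1"],
    }


if __name__ == "__main__":
    for key, value in replay().items():
        print(key, "=", value)
```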


Signal trigger example

The connection_watch_connect trigger:

SETTINGS Trigger on a connect signal

WHEN [ not used ]


EVALUATE [ not used ]
ACTION
begin
if( %signal.description = '' ) then
insert into alerts.status (Identifier, Summary, … OwnerUID)
values (%signal.process+'@'+%signal.node+' connected '+
to_char(%signal.at), … 65534);
else
insert into alerts.status (Identifier, Summary, … OwnerUID)
values (%signal.process+':'+%signal.description+'@'+%signal.node+
'connected '+to_char(%signal.at), … 65534);
end if;
end

COMMENT Create an alert when a new client connects



Figure 7-30. Signal trigger example

A signal is an occurrence in the ObjectServer that can be detected and acted upon. Signals can
have triggers attached to them. The ObjectServer can then respond with a specific action when a
signal is raised.
System signals are raised by the ObjectServer on changes to the system, for example:
• System startup, system shutdown
• Client connect, client disconnect, connection failure
• Backup success or failure
When a system signal is raised, attributes that identify the cause of the signal are attached to the
signal:
%signal.at, %signal.server, %signal.node
These attributes cannot be deleted or modified.
The Settings tab lets you choose the signal to execute this trigger. The signal can be a System or
User signal.
The When, Evaluate, and Action tabs function as in previous types of triggers covered.
The ObjectServer includes several system triggers, which are signal triggers. System triggers are
raised automatically based on some condition. For example, the connect system signal is raised
when a component connects to the ObjectServer. A disconnect signal is raised when a component
disconnects from the ObjectServer. If a signal trigger is configured based on the connect signal,
the trigger activates and creates a new event when a component connects to the ObjectServer.

Signal triggers are used to automate numerous system functions, for example:
• Auditing: The triggers generate ObjectServer events when administrative changes are made,
such as the addition of new fields in an ObjectServer table.
• Profiling: Triggers collect and report statistics regarding the performance of the ObjectServer.
• Connections: Triggers generate events that are based upon connects, disconnects, and
connection failures.
• Failover and Failback: Triggers are used to implement controlled failover and failback in
ObjectServer high availability configurations.
You can create user signals. For user signals, the signal must be raised in some fashion. The signal
can be raised with a tool, or from within another trigger. For example, a database trigger can be
configured to activate based on a DELETE to the alerts.status table. In the ACTION section of the
database trigger, you can configure a statement to RAISE a user signal.

Example: the connection_watch_connect trigger


The connection_watch_connect trigger inserts a new event into the ObjectServer when client
components connect.
The Settings tab indicates that it executes based upon a connection signal.
The When and Evaluate tabs are empty. The trigger always runs, and no temporary table is built.
The Action tab might look complicated (the example in the slide has been shortened). However,
the action inserts one type of event if the %signal.description attribute is null, and another type if
it is not.


Procedures
Procedures are executable code called to perform common operations.
• Two types of procedures:
  - SQL procedures manipulate data in an ObjectServer database
  - External procedures run an executable on a remote system
• Can call procedures from nco_sql, a trigger, or a tool
• Syntax:
{EXECUTE|CALL} [ PROCEDURE ] procedure_name(expr,...);

• Example:
EXECUTE PROCEDURE myproc();
or with parameters:
EXECUTE PROCEDURE myproc('text',@Node);


Figure 7-31. Procedures

Procedures are objects that can be called in SQL to perform an SQL operation or an external
operation. A procedure is similar to a macro in a programming language. It is a prebuilt collection
of code (SQL statements) that can be called from another process. The behavior of the procedure
can be adjusted, based upon variables (parameters) that are passed to the procedure when
called.
The procedures are stored in an appropriate table in the ObjectServer. The tables are
catalog.sql_procedures or catalog.external_procedures.
An External Procedure calls a script to run on the ObjectServer machine or any other machine
defined in process activity (PA). The process must be in the form of a script, and can accept
command-line parameters passed as variables from the caller. External procedures can accept
only IN type parameters. After the script is launched, it cannot return parameters back to the
caller.
You must run process activity (PA) to use external procedures. The external procedure is called
within the ObjectServer. The ObjectServer notifies process activity that a command must be run
on a host. The ObjectServer passes the host, user, and command name to process activity. The
process activity daemon runs the command.


Adding journal entries with a trigger


• Create a journal entry with the JINSERT stored procedure:
call jinsert( old.Serial, %user.user_id, getdate, 'This is my journal entry');
• Must change old.Serial to whatever is appropriate

• Example using the mail_on_critical trigger:


begin
    for each row critical in criticals
    begin
        execute send_email( critical.Node, critical.Severity, 'Critical Event Email',
            'root@localhost', critical.Summary, 'localhost');

        update alerts.status via critical.Identifier set Grade=2;

        execute jinsert( critical.Serial, %user.user_id, getdate,
            'Email sent via mail_on_critical Automation');
    end;
end


Figure 7-32. Adding journal entries with a trigger

This slide shows the definition for the jinsert procedure. The jinsert procedure creates a journal
record. The parameter values identify the corresponding event record and the message to place
in the journal entry. You can use this procedure to create a journal entry when a trigger modifies
an event record.
In this example, the mail_on_critical trigger has been revised to call the jinsert procedure to
produce a journal entry.


Trigger best practices


• In a WHERE clause, compare integers first, then characters. Leave intensive comparisons
and regular expressions for last
• Ensure trigger does not catch events already managed
• Stagger trigger priorities so that they do not all run at the same time
• Add a description for all automations
• Event Manager comes with standard triggers that you can change to meet customer needs
  - The best practice for modifying a trigger is to create a copy, disable the original, and modify the copy
  - ATTENTION: You can modify existing triggers, but changes can affect the running of the ObjectServer


Figure 7-33. Trigger best practices

When constructing the expression in the where clause, pay attention to the type of each field.
Perform all integer testing first (Severity=5), character processing next (Node=XYZ), and regular
expression testing last.
When creating the filter condition, include criteria that ensure that the trigger does not select the
same event over and over. This is important because triggers are designed to perform automated
actions.
If multiple temporal triggers are defined to run at the same frequency (for example, every five
minutes), stagger the priority settings among them. Staggering them ensures that they do not all
run at the same time.
Triggers are a powerful and useful feature. Most teams introduce new triggers periodically to
resolve some operational situation. Over time, it might be difficult to determine why a trigger
exists and what it was designed to accomplish. Take the time to add a short description to any
new triggers. Consider capturing details, such as when the trigger was created, the author, and
why the trigger was created.
Avoid editing the standard triggers that come with Event Manager. Instead, make a copy of the
existing trigger and edit the copy.


Unit summary
• Learn to interact with Event Manager using an SQL interface
• Understand how triggers change events in the Event Manager database


Figure 7-34. Unit summary


Review questions
1. True or False: A temporal trigger runs on a timed basis.
2. Which is the best way to insert a journal entry when an ObjectServer trigger fires?
a. The JINSERT stored procedure.
b. The AUTO_TRIGGER stored procedure.
c. With the topology service.
d. With the runbook service.


Figure 7-35. Review questions

Write your answers here:


1.
2.


Review answers
1. True or False: A temporal trigger runs on a timed basis.
The answer is True.
2. Which is the best way to insert a journal entry when an ObjectServer trigger fires?
a. The JINSERT stored procedure.
b. The AUTO_TRIGGER stored procedure.
c. With the topology service.
d. With the runbook service.
The answer is A.


Figure 7-36. Review answers


Exercise: Triggers

Figure 7-37. Exercise: Triggers


Exercise objectives
• Interact with the Event Manager ObjectServer using an SQL interface
• Create and test a temporal trigger


Figure 7-38. Exercise objectives

These are the tasks you complete during the lab exercises for this unit.


Lab tips
• This exercise depends on steps you completed earlier in labs for Unit 2: “Incoming
integrations.” Before you continue, be sure to complete the labs for the “Incoming
integrations” unit of this course.
• After 10 minutes of inactivity, the Event Manager Administrator tool logs you out. If this
happens, double-click the ObjectServer to open the tool again. If you are logged out, you also
see errors in the terminal. You can safely ignore errors like these:
ERROR : Code-0 : Mon Jan 30 14:52:57 EST 2023 : bastion.labs.ihost.com/10.100.1.8 : TextEditorPanel.getFullWordAt : : Exception: Invalid location
ERROR : Code-0 : Mon Jan 30 14:52:58 EST 2023 : bastion.labs.ihost.com/10.100.1.8 : TextEditorPanel.getFullWordAt : : Exception: Invalid location
ERROR : Code-0 : Mon Jan 30 14:52:59 EST 2023 : bastion.labs.ihost.com/10.100.1.8 : TextEditorPanel.getFullWordAt : : Exception: Invalid location
ERROR : Code-0 : Mon Jan 30 14:53:00 EST 2023 : bastion.labs.ihost.com/10.100.1.8 : TextEditorPanel.getFullWordAt : : Exception: Invalid location


Figure 7-39. Lab tips


Unit 8. User management


Estimated time
00:45

Overview
This unit discusses how to manage user access to the Event Manager user interfaces.


Unit objectives
• Learn how to add users and groups
• Understand roles


Figure 8-1. Unit objectives


Event Manager LDAP integration


IBM Cloud Pak for AIOps uses LDAP for authentication:
• You can use your own enterprise LDAP server with the LDAP proxy option
• You can choose to install an included OpenLDAP server with Event Manager
• This unit focuses on the included OpenLDAP server that installs with Event Manager


Figure 8-2. Event Manager LDAP integration

If you run the IBM Cloud Pak for AIOps Event Manager on Red Hat OpenShift, users must be
created in one of two ways:
• With the OpenLDAP interface, if you are using the included OpenLDAP pod that comes with
Event Manager on OpenShift
• On your own enterprise LDAP server, if you are using the LDAP proxy option

Adding users and groups with the WebSphere Administrative Console


Figure 8-3. Adding users and groups with the WebSphere Administrative Console

If you use the included OpenLDAP pod that comes with Event Manager on OpenShift, you can use
the WebSphere Administrative Console to manage users and groups.


Adding users and groups directly to OpenLDAP

newExampleUser.ldif

dn: uid=jdeans,ou=users,dc=mycluster,dc=icp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Jeanie Deans
uid: jdeans
givenName: Jeanie Deans
sn: jdeans
userPassword: p@ssw0rd

Apply with:
ldapadd -c -x -w $LDAP_BIND_PWD -D $LDAP_BIND_DN -H ldapi:/// -f newExampleUser.ldif

addExampleUserToGroup.ldif

dn: cn=icpadmins,ou=groups,dc=mycluster,dc=icp
changetype: modify
add: member
member: uid=jdeans,ou=users,dc=mycluster,dc=icp

Apply with:
ldapmodify -w $LDAP_BIND_PWD -D $LDAP_BIND_DN -H ldapi:/// -f addExampleUserToGroup.ldif


Figure 8-4. Adding users and groups directly to OpenLDAP

You can add users and groups directly to the OpenLDAP server that comes with Event Manager on
OpenShift.
To add and modify objects to OpenLDAP directly:
1. Connect directly to the pod named evtmanager-openldap-0, which runs the OpenLDAP
server.
2. After you are connected to the pod, create an .ldif text file to configure the objects you want.
3. Finally, run an ldap command to apply the configuration in your new file.
In this example, the file named newExampleUser.ldif describes a user ID: jdeans. After you
create this file in the pod, you run the ldapadd command to add the user in the file to the
OpenLDAP server running in the pod.
Next, the file named addExampleUserToGroup.ldif describes a change: modify the icpadmins
group by adding jdeans as a member. After you create this file in the pod, you run the ldapmodify
command to add the user to the group.
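
The userPassword value in newExampleUser.ldif is cleartext. The following Python sketch is an added example, not part of the course material: it builds the same two LDIF files with a salted {SSHA} password hash, rejects unsafe uid values, and base64-encodes attribute values that could otherwise inject extra LDIF lines. It assumes that the bundled server accepts {SSHA} values as stock OpenLDAP does; the function names and the uid policy are hypothetical.

```python
import base64
import getpass
import hashlib
import hmac
import os
import re

USERS_BASE = "ou=users,dc=mycluster,dc=icp"      # from the slide
GROUPS_BASE = "ou=groups,dc=mycluster,dc=icp"    # from the slide
NAME_RE = re.compile(r"[a-z][a-z0-9._-]{0,31}")  # assumed naming policy


def ssha(password, salt=None):
    """Return an OpenLDAP-style {SSHA} value: base64(SHA1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password, stored):
    """Check a password against a {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]  # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when RFC 2849 requires it."""
    raw = value.encode("utf-8")
    safe = (len(raw) > 0
            and raw[0] not in b" :<"
            and not raw.endswith(b" ")
            and all(b < 128 and b not in (0, 10, 13) for b in raw))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def checked_name(name):
    """Refuse names that would need DN escaping or could alter the DN."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"refusing to place {name!r} in a DN")
    return name


def user_entry(uid, cn, given_name, sn, password, salt=None):
    """Build the add entry for one user, with a hashed userPassword."""
    uid = checked_name(uid)
    lines = [
        f"dn: uid={uid},{USERS_BASE}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        ldif_line("cn", cn),
        ldif_line("uid", uid),
        ldif_line("givenName", given_name),
        ldif_line("sn", sn),
        ldif_line("userPassword", ssha(password, salt)),
    ]
    return "\n".join(lines) + "\n"


def group_add_member(uid, group_cn="icpadmins"):
    """Build the modify record that adds the user to a group."""
    uid, group_cn = checked_name(uid), checked_name(group_cn)
    return (f"dn: cn={group_cn},{GROUPS_BASE}\n"
            "changetype: modify\n"
            "add: member\n"
            f"member: uid={uid},{USERS_BASE}\n")


if __name__ == "__main__":
    # Prompt for the password so that it never appears in shell history.
    pw = getpass.getpass("Password for jdeans: ")
    print(user_entry("jdeans", "Jeanie Deans", "Jeanie Deans", "jdeans", pw))
    print(group_add_member("jdeans"))
```

The -w option in the slide's commands places the bind password on the command line, where it is visible in the process list; ldapadd and ldapmodify also accept -W (prompt) and -y (read from a file).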


DASH Roles
IBM Dashboard Application Services Hub (DASH) provides visualization and dashboard
services. DASH includes roles that can be associated with users or groups.
• User roles: the permissions in the role are granted to a single user
• Group roles: the permissions in the role are granted to a group of users

A best practice is to assign roles to groups, rather than users.


Figure 8-5. DASH Roles

What is DASH?
IBM Dashboard Application Services Hub (DASH) provides visualization and dashboard services.
DASH has a single console for administering IBM products and related applications.
DASH relies on an application named IBM Jazz for Service Management (JazzSM). JazzSM
provides shared integration services, such as data, administrative, dashboard, reporting, and
security.
The WebGUI uses a client/server architecture and it is hosted inside DASH. Users connect to
DASH to access the WebGUI.
All of these user interface components run in an application server. WebSphere Application Server
is the web application server used to run Jazz for Service Management and its dependent
applications: DASH and WebGUI.
IBM Cloud Pak for AIOps running in Red Hat OpenShift uses LDAP for user authentication. The
following applications are configured to use a common federated user repository:
• IBM Dashboard Application Services Hub
• IBM Jazz for Service Management
• WebSphere Application Server
This means that users of all products that are in your instance of Dashboard Application Services
Hub can be administered centrally.
About DASH roles
DASH includes roles that can be associated with users or groups. Groups logically categorize
users into units with common functional goals. Roles determine the data that users and groups
can view, and the actions that they can perform.

A best practice is to assign roles to groups, rather than users.


Key roles
The following roles grant permission to the features described in this course:

• inasm_admin
• inasm_editor
• inasm_operator
• iscadmins
• iscusers
• ncw_admin
• ncw_dashboard_editor
• ncw_gauges_editor
• ncw_gauges_viewer
• ncw_user
• netcool_ro
• netcool_rw
• noi_engineer
• noi_lead
• noi_operator


Figure 8-6. Key roles

This slide is a list of roles that are important for Event Manager users and administrators. These
roles provide the following permissions:
inasm_operator: A user with the inasm_operator role can access the Topology UI, and use it to
search for and visualize the resources in the topology service core application.
inasm_editor: The same permissions as inasm_operator, plus a user with the inasm_editor role
can add comments to resources from the Topology Viewer Context (right-click) menu. (A user with
the inasm_operator role can view comments, but not add new ones.)
inasm_admin: The same permissions as inasm_editor, plus a user with the inasm_admin role has
access to administrator tools, where they can define custom UI elements for the Topology Viewer.
iscadmins: This role grants access to the Dashboard Application Services Hub administrative
features.
iscusers: Users who are assigned this role can access the DASH welcome page and access their
credential store. All users have this role by default.
ncw_admin: Users with the ncw_admin role have access to the administrative functions of
WebGUI and the AIOps user interface.
ncw_dashboard_editor: A user with this role can edit event dashboards, which are monitor boxes
that show events by category.
ncw_gauges_editor: A user with this role can edit the Gauges page and widgets, which display
self-monitoring data about Event Manager.
ncw_gauges_viewer: Users with this role can view Event Manager self-monitoring data on a
Gauges page.

ncw_user: This role is the base that defines users as able to access the Web GUI and the AIOps
user interface. All users require this role.
netcool_ro: This role gives read only access to event management functions in the user
interfaces.
netcool_rw: This role gives read and write access to event management functions in the user
interfaces.
The following three roles provide access to event analytics and runbook features:
noi_operator
Event Analytics: The noi_operator role can open the Incident Viewer from the Event
Viewer, but cannot click-through on the seasonality and grouping icons in the Incident
Viewer. The Temporal group or Seasonal event panels are not available with this role. The
See more info option is not available on individual events with this role. Also, policies
cannot be approved or rejected with this role.
Runbook: View alerts and run the runbooks that are linked to those alerts. This role does
not have read access to the runbook library or other runbook pages.
noi_engineer
Event Analytics: The noi_engineer role can perform all operations on the UI, except for
managing policies.
Runbook: Like noi_operator, plus full read/write access to the runbook pages (Library,
Execution, Automations, Triggers).
noi_lead
Event Analytics: The noi_lead role can perform all operations on the UI. With the noi_lead
role, you can manage policies. This feature is not available to other roles.
Runbook: Like noi_engineer, plus full access to the administration of automation
connections and API keys, and full access to the runbook settings.


Unit summary
• Learn how to add users and groups
• Understand roles


Figure 8-7. Unit summary


Review questions
1. True or False: You can use the WebSphere Administrative Console to manage users and
groups.
2. Which role is used to work with topology?
a. inasm_admin
b. topology_user
c. topology_admin
d. ibm_all_admin


Figure 8-8. Review questions

Write your answers here:


1.
2.


Review answers
1. True or False: You can use the WebSphere Administrative Console to manage users and
groups.
The answer is True.
2. Which role is used to work with topology?
a. inasm_admin
b. topology_user
c. topology_admin
d. ibm_all_admin
The answer is A.


Figure 8-9. Review answers


Exercise: User management

Figure 8-10. Exercise: User management


Exercise objectives
• Create users and groups in LDAP
• Add roles to LDAP groups


Figure 8-11. Exercise objectives

These are the tasks you complete during the lab exercises for this unit.


Lab tips
• During your lab, you will log in and out of the user interfaces several times to test new users
• Close the browser between user sessions for best results


Figure 8-12. Lab tips


Unit 9. Summary
Estimated time
00:10

Overview
This unit summarizes what you have learned, and directs you to other resources to help you
continue learning.


Unit objectives
• Explain how the course met its learning objectives
• Identify IBM credentials that are related to this course
• Locate resources for further study and skill development


Figure 9-1. Unit objectives


Course objectives
• Describe the event management capabilities of the IBM Cloud Pak for AIOps
• Connect Event Manager to incoming data sources
• Work with Temporal and seasonal event analytics
• Configure the Event Manager topology service
• Create scope-based groups
• Create runbooks and map them to incoming events
• Work with triggers
• Manage users


Figure 9-2. Course objectives


IBM credentials: Badges and certifications


• Certify your skills with IBM digital credentials
  - https://www.ibm.com/training/credentials
• Get certified
  - Search IBM certification offerings across a broad range of technology areas.
  - https://ibm.biz/BdqW6Z
• Take an exam
  - Search exams available for the IBM Professional Certification program.
  - https://ibm.biz/BdqW6Y
• Search badges
  - Find IBM badges for skill development activities and other achievements.
  - https://ibm.biz/BdqW62
• News
  - Catch up on the latest IBM credential news.
  - https://ibm.biz/BdqW6z


Figure 9-3. IBM credentials: Badges and certifications


Learn more about this product


The SWAT Explains: AIOps video series is publicly available educational material, which is published on YouTube. This video series is a set of deep-dive discussions by IBM technical staff. You can view the video series here:

https://ibm.biz/swat_explains


Figure 9-4. Learn more about this product


Additional resources (1 of 5)
• IBM Cloud Education course information
  - View and download course materials and course corrections.
  - http://ibm.biz/CourseInfo

• IBM Developer
  - IBM's official developer program offers access to software trials and downloads, how-to information, and expert practitioners.
  - https://developer.ibm.com/


Figure 9-5. Additional resources (1 of 5)


Additional resources (2 of 5)
• IBM Automation Community
  - Learn about Blockchain, Blueworks Live, BPM, Workflow, Case, Content Management, Decision Management, Robotic Process Automation, Platform, and Cloud Pak for Automation
  - https://community.ibm.com/community/user/automation/home

• IBM Middleware User Community
  - Learn about API Connect, App Connect, MQ, DataPower, Aspera, Event Streams, and Cloud Pak for Integration
  - https://community.ibm.com/community/user/middleware/communities/cloud-integration-home

Figure 9-6. Additional resources (2 of 5)


Additional resources (3 of 5)
• IBM Training
  - Search the IBM Training website for courses and education information.
  - https://www.ibm.com/training

• Learning Journeys
  - Learning Journeys describe a recommended collection of learning content to acquire skills for a specific technology or role.
  - https://www.ibm.com/training/journeys/#tab-ibm-cloud


Figure 9-7. Additional resources (3 of 5)


Additional resources (4 of 5)
• IBM Redbooks
  - IBM Redbooks are developed and published by the IBM International Technical Support Organization (ITSO). Redbooks typically provide positioning and value guidance, installation and implementation experiences, typical solution scenarios, and step-by-step "how-to" guidelines.
  - http://www.redbooks.ibm.com/

• IBM Documentation
  - IBM Documentation is the primary home for IBM product documentation.
  - https://www.ibm.com/docs


Figure 9-8. Additional resources (4 of 5)


Additional resources (5 of 5)
• IBM Marketplace
  - Learn about IBM offerings for Cloud, Cognitive, Data and Analytics, Mobile, Security, IT Infrastructure, and Enterprise and Business Solutions.
  - https://www.ibm.com/products

• IBM Training blog, Twitter, and Facebook
  - Official IBM Training accounts provide information about IBM course offerings, industry information, conference events, and other education-related topics.
  - https://www.ibm.com/blogs/ibm-training
  - https://twitter.com/ibm
  - https://www.facebook.com/groups/IBMTrainingandSkills


Figure 9-9. Additional resources (5 of 5)


Unit summary
• Explain how the course met its learning objectives
• Identify IBM credentials that are related to this course
• Locate resources for further study and skill development


Figure 9-10. Unit summary


Course completion
You have completed this course:
Configuring IBM Cloud Pak for AIOps Event Manager

Do you have any questions?


Figure 9-11. Course completion
