Record Types
Last updated on 27 March, 2023Insights in Dexda are based on alerts, which in turn are based on incoming events from monitored sources, automatically grouped together by machine learning processes. Events from different source formats are normalised and restructured into a homogeneous format. This enables Dexda to analyse and process events in the same way, regardless of their origin.
Incoming events are analysed, monitored and de-duplicated, and repeated series of events are stored in an event container. If the event is repeated an alert is created, and multiple events of the same type are added to the alert.
Note: Be aware that events and alerts are different things in Dexda. Events in Dexda are incoming alerts from LogicMonitor. Alerts are grouped alerts that become insights in Dexda when correlated.
The following describes data record types and formats used when storing information about events, alerts, and insights in the database. For information about the processing of events and alerts into insights, see About Insights.
Event Records
The Dexda agent processes events received and/or sent from supported event sources and normalises them into a Common Event Format (CEF).
CEF events are streamed into Dexda where they immediately enter the event management process. Once event processing is complete, the event is stored in the database and can be queried through the events index.
Event Record Format
The event field definitions are described in the following.
| Group | Column | Type | Description |
| _id | id | The ID of the database record. | |
| cf | The cf group of fields are populated by the event normalisation process. | ||
| eventTime | datetime | UTC timestamp of the source event. | |
| eventSource | string | The monitoring/management tool, application, log or API from which the event was generated. | |
| eventName | string | The name of the event reported, for example “Low Disk Space” or “High CPU Utilisation”. | |
| eventSeverity | integer | The numeric severity of the event, where: 6 is Fatal; 5 is Critical; 4 is Major; 3 is Minor; 2 is Warning; 1 is Information; 0 is Clear. The normalisation process for each supported event source automatically handles the conversion of “clear” or “reset” events to a Dexda Clear event. | |
| eventCI | string | The configuration item for which the event is being reported, for example a server or router hostname. | |
| eventObject | string | The object on the CI to which the event pertains, for example a disk or a database instance. Where events do not have a specific object, this field may be left empty. | |
| eventDescription | string | A short summary of the event. | |
| eventDetails | string | A verbose summary of the event. | |
| meta | The meta group of fields are populated by the event receiver service. | ||
| agentId | string | Agent ID. | |
| agentCI | string | Agent CI (configuration item). | |
| agentIp | Agent IP address. | ||
| agentTimestamp | Agent timestamp. | ||
| alertKey | Alert key. | ||
| alertKeyList | Alert key list. | ||
| domain | Tenant ID. | ||
| eventPipelineTimestamp | Pipeline timestamp. | ||
| eventTimestamp | Timestamp. | ||
| orgId | Organisation ID. | ||
| receiverId | Receiver ID. | ||
| receiverTimestamp | Receiver timestamp. | ||
| ruleMatchCount | Number of rules triggered. | ||
| ruleMatchIdList | Rule IDs triggered list. | ||
| version | Version. | ||
| raw.sourceRecord | Source record. | ||
| extra | The extra group of fields are populated by the event enrichment process. Fields are specific to each customer. | ||
| snc_cmdb_ci_environment | |||
| snc_cmdb_ci_lmdx_domain | |||
| snc_cmdb_ci_name | |||
| snc_cmdb_ci_operational_status | |||
| snc_cmdb_ci_sys_domain | |||
| snc_cmdb_ci_sys_id | |||
| snc_cmdb_ci_url |
Alert Records
An alert is created when the Create Alert action runs in response to an automatic rule firing. The Create Alert action creates a new alert record and copies the event fields from the triggering record to the alert.
Alert Record Format
The alert field definitions are described in the following.
| Group | Column | Type | Description |
| _id | id | The ID of the database record. | |
| cf | The cf group of fields are populated by the event normalisation process. See Event Records. | ||
| eventCI | Configuration item. | ||
| eventDescription | A short summary of the alert. | ||
| eventDetails | A verbose summary of the alert. | ||
| eventName | Name. | ||
| eventObject | Object. | ||
| eventSource | Source. | ||
| meta | The meta group of fields are populated by the event receiver service. See Event Records. | ||
| agentCI | Agent confiuration item. | ||
| agentId | Agent ID. | ||
| agentIp | Agent IP address. | ||
| agentTimestamp | Agent timestamp. | ||
| createdTimestamp | Created timestamp. | ||
| domain | Tenant ID. | ||
| eventCount | Number of events. | ||
| eventPipelineTimestamp | Pipeline timestamp. | ||
| eventTimestamp | Timestamp. | ||
| firstEventTimestamp | The time when the first event of the… was registered ?? | ||
| insightKeyList | Insight key list. | ||
| lastEventTimestamp | The time when the last event of the… was registered ?? | ||
| meta.link | Permanent URL. | ||
| orgId | Organisation ID. | ||
| receiverId | Receiver ID. | ||
| receiverTimestamp | Receiver timestamp. | ||
| rowKey | Original key. | ||
| updatedTimestamp | Updated timestamp. | ||
| version | Version number of the …?? | ||
| raw.sourceRecord | Source record. | ||
| extra | The extra group of fields are populated by the event enrichment process. Fields are specific to each customer. See See Event Records. | ||
| snc_cmdb_ci_environment | |||
| snc_cmdb_ci_lmdx_domain | |||
| snc_cmdb_ci_name | |||
| snc_cmdb_ci_operational_status | |||
| snc_cmdb_ci_sys_domain | |||
| snc_cmdb_ci_sys_id | |||
| snc_cmdb_ci_url | |||
| alertDetails | The alertDetails group of fields are populated by the default Create Alert action. | ||
| alertCreated | datetime | The eventTime of the event that triggered an alert creation. | |
| updatedTime | datetime | The eventTime of the last event with the same event index that occurred whilst the alertState has remained in a non-Closed state. | |
| alertCount | int | The number of times the event index (that triggered the alert) has repeated whilst the alertState has remained in a non Closed state. This process if often referred to as de-duplication. | |
| currentSeverity | int | The severity of the last event. | |
| bestSeverity | int | The lowest severity event contained within the alert’s de-duplicated event set. | |
| worstSeverity | int | The highest severity event contained within the alert’s de-duplicated event set. | |
| alertState | string | The state of the alert. | |
| actionedBy | Actioned by. | ||
| assignedTo | Name of the assigne for the alert. | ||
| ruleKey | Key for the rule hat was applied to… ?? | ||
| ruleName | Name of the rule that was applied to the alert generation. | ||
| ruleValue | Value of the rule…?? | ||
| sncIncidentId | ServiceNow incident ID. | ||
| sncIncidentPriority | ServiceNow incident priority. | ||
| sncIncidentUrl | Link to the ServiceNow incident. | ||
| sncRunbookId | ID of the applied ServiceNow runbook. | ||
| sncRunbookUrl | Link to the applied ServiceNow runbook. | ||
| workflowState | Alert escalation state. See About Insights. | ||
| snc | The snc group is populated by the Create Incident Action of the ServiceNow integration module. | ||
| sncIncidentID | string | The incident number returned from ServiceNow. | |
| sncIncidentURL | string | The incident URL returned from ServiceNow. |
Insight Records
Insights are created based on grouping of alerts using machine learning and patterns and alert severity from alert correlations.
Insight Record Format
The insight field definitions are described in the following.
| Group | Column | Type | Description |
| _id | id | The ID of the database record. | |
| meta | |||
| alertKeyList | Alert key list. | ||
| createdTimestamp | The time when the insight was created. | ||
| domain | Tenant ID. | ||
| firstEventTimestamp | First timestamp. | ||
| lastEventTimestamp | Last timestamp. | ||
| link | Permanent URL. | ||
| mlProcessorTimestamp | The time when the ML processor…?? | ||
| orgId | Organisation ID. | ||
| rowKey | Insight key. | ||
| state | The state of the inisght…?? See About Insights. | ||
| totalAlerts | Number of alerts. | ||
| updatedTimestamp | The time when the insights was last updated…?? | ||
| alertKeyList | Alert key list. | ||
| earliestEventTimestamp | The time when the first event associated with the insight was registered…?? | ||
| latestEventTimestamp | Latest event timestamp. | ||
| mlProcessorTimestamp | ML Processor timestamp. | ||
| ml | |||
| causalCI | Causal configuration item. The resource that caused the issue…?? | ||
| description | Description. A summary of the descriptions related to the insight…?? | ||
| impactedCIList | Impacted configuration items. | ||
| insightSeverity | The highest severity of alerts related to the insight…?? | ||
| modelIdList | Model ID list. | ||
| tagList | Tags derived from the correlation model, summarizing associated item descriptions and relevant keywords. | ||
| uiResult | ML UI result. | ||
| description | ML description. | ||
| modelIdList | Model ID list. | ||
| severity | ML severity. | ||
| source | ML source. | ||
| state | ML state. | ||
| insighttDetails | |||
| assignedTo | Assigned to. | ||
| sncIncidentId | ServiceNow incident ID. | ||
| sncIncidentPriority | ServiceNow incident priority. | ||
| sncIncidentUrl | Link to ServiceNow incident. | ||
| workflowState | Insight escalation state. See About Insights. |