Record Types

Last updated on 30 January, 2023

Insights in Dexda are based on alerts, which in turn are based on incoming events from monitored sources, automatically grouped together by machine learning processes. Events from different source formats are normalised and restructured into a homogeneous format. This enables Dexda to analyse and process events in the same way, regardless of their origin.

Incoming events are analysed, monitored and de-duplicated, and repeated series of events are stored in an event container. If the event is repeated an alert is created, and multiple events of the same type are added to the alert.

Note: Be aware that events and alerts are different things in Dexda. Events in Dexda are incoming alerts from LogicMonitor. Alerts are grouped alerts that become insights in Dexda when correlated.

The following describes data record types and formats used when storing information about events, alerts, and insights in the database. For information about the processing of events and alerts into insights, see About Insights.

Event Records

The Dexda agent processes events received and/or sent from supported event sources and normalises them into a Common Event Format (CEF).

CEF events are streamed into Dexda where they immediately enter the event management process. Once event processing is complete, the event is stored in the database and can be queried through the events index.

Event Record Format

The event field definitions are described in the following.

GroupColumnTypeDescription
_ididThe ID of the database record.
cfThe cf group of fields are populated by the event normalisation process.
eventTimedatetimeUTC timestamp of the source event.
eventSourcestringThe monitoring/management tool, application, log or API from which the event was generated.
eventNamestringThe name of the event reported, for example “Low Disk Space” or “High CPU Utilisation”.
eventSeverityintegerThe numeric severity of the event, where: 6 is Fatal; 5 is Critical; 4 is Major; 3 is Minor; 2 is Warning; 1 is Information; 0 is Clear. The normalisation process for each supported event source automatically handles the conversion of “clear” or “reset” events to a Dexda Clear event.
eventCIstringThe configuration item for which the event is being reported, for example a server or router hostname.
eventObjectstringThe object on the CI to which the event pertains, for example a disk or a database instance. Where events do not have a specific object, this field may be left empty.
eventDescriptionstringA short summary of the event.
eventDetailsstringA verbose summary of the event.
metaThe meta group of fields are populated by the event receiver service.
agentIdstringAgent ID.
agentCIstringAgent CI (configuration item).
agentIpAgent IP address.
agentTimestampAgent timestamp.
alertKeyAlert key.
alertKeyListAlert key list.
domainTenant ID.
eventPipelineTimestampPipeline timestamp.
eventTimestampTimestamp.
orgIdOrganisation ID.
receiverIdReceiver ID.
receiverTimestampReceiver timestamp.
ruleMatchCountNumber of rules triggered.
ruleMatchIdListRule IDs triggered list.
versionVersion.
raw.sourceRecordSource record.
extraThe extra group of fields are populated by the event enrichment process. Fields are specific to each customer.
snc_cmdb_ci_environment
snc_cmdb_ci_lmdx_domain
snc_cmdb_ci_name
snc_cmdb_ci_operational_status
snc_cmdb_ci_sys_domain
snc_cmdb_ci_sys_id
snc_cmdb_ci_url

Alert Records

An alert is created when the Create Alert action runs in response to an automatic rule firing. The Create Alert action creates a new alert record and copies the event fields from the triggering record to the alert.

Alert Record Format

The alert field definitions are described in the following.

GroupColumnTypeDescription
_ididThe ID of the database record.
cfThe cf group of fields are populated by the event normalisation process. See Event Records.
eventCIConfiguration item.
eventDescriptionA short summary of the alert.
eventDetailsA verbose summary of the alert.
eventNameName.
eventObjectObject.
eventSourceSource.
metaThe meta group of fields are populated by the event receiver service. See Event Records.
agentCIAgent confiuration item.
agentIdAgent ID.
agentIpAgent IP address.
agentTimestampAgent timestamp.
createdTimestampCreated timestamp.
domainTenant ID.
eventCountNumber of events.
eventPipelineTimestampPipeline timestamp.
eventTimestampTimestamp.
firstEventTimestampThe time when the first event of the… was registered ??
insightKeyListInsight key list.
lastEventTimestampThe time when the last event of the… was registered ??
meta.linkPermanent URL.
orgIdOrganisation ID.
receiverIdReceiver ID.
receiverTimestampReceiver timestamp.
rowKeyOriginal key.
updatedTimestampUpdated timestamp.
versionVersion number of the …??
raw.sourceRecordSource record.
extraThe extra group of fields are populated by the event enrichment process. Fields are specific to each customer. See See Event Records.
snc_cmdb_ci_environment
snc_cmdb_ci_lmdx_domain
snc_cmdb_ci_name
snc_cmdb_ci_operational_status
snc_cmdb_ci_sys_domain
snc_cmdb_ci_sys_id
snc_cmdb_ci_url
alertDetailsThe alertDetails group of fields are populated by the default Create Alert action.
alertCreateddatetimeThe eventTime of the event that triggered an alert creation.
updatedTimedatetimeThe eventTime of the last event with the same event index that occurred whilst the alertState has remained in a non-Closed state.
alertCountintThe number of times the event index (that triggered the alert) has repeated whilst the alertState has remained in a non Closed state. This process if often referred to as de-duplication.
currentSeverityintThe severity of the last event.
bestSeverityintThe lowest severity event contained within the alert’s de-duplicated event set.
worstSeverityintThe highest severity event contained within the alert’s de-duplicated event set.
alertStatestringThe state of the alert.
actionedByActioned by.
assignedToName of the assigne for the alert.
ruleKeyKey for the rule hat was applied to… ??
ruleNameName of the rule that was applied to the alert generation.
ruleValueValue of the rule…??
sncIncidentIdServiceNow incident ID.
sncIncidentPriorityServiceNow incident priority.
sncIncidentUrlLink to the ServiceNow incident.
sncRunbookIdID of the applied ServiceNow runbook.
sncRunbookUrlLink to the applied ServiceNow runbook.
workflowStateAlert escalation state. See About Insights.
sncThe snc group is populated by the Create Incident Action of the ServiceNow integration module.
sncIncidentIDstringThe incident number returned from ServiceNow.
sncIncidentURLstringThe incident URL returned from ServiceNow.

Insight Records

Insights are created based on grouping of alerts using machine learning and patterns and alert severity from alert correlations.

Insight Record Format

The insight field definitions are described in the following.

GroupColumnTypeDescription
_ididThe ID of the database record.
meta
alertKeyListAlert key list.
createdTimestampThe time when the insight was created.
domainTenant ID.
firstEventTimestampFirst timestamp.
lastEventTimestampLast timestamp.
linkPermanent URL.
mlProcessorTimestampThe time when the ML processor…??
orgIdOrganisation ID.
rowKeyInsight key.
stateThe state of the inisght…?? See About Insights.
totalAlertsNumber of alerts.
updatedTimestampThe time when the insights was last updated…??
alertKeyListAlert key list.
earliestEventTimestampThe time when the first event associated with the insight was registered…??
latestEventTimestampLatest event timestamp.
mlProcessorTimestampML Processor timestamp.
ml
causalCICausal configuration item. The resource that caused the issue…??
descriptionDescription. A summary of the descriptions related to the insight…??
impactedCIListImpacted configuration items.
insightSeverityThe highest severity of alerts related to the insight…??
modelIdListModel ID list.
tagListTags derived from the correlation model, summarizing associated item descriptions and relevant keywords.
uiResultML UI result.
descriptionML description.
modelIdListModel ID list.
severityML severity.
sourceML source.
stateML state.
insighttDetails
assignedToAssigned to.
sncIncidentIdServiceNow incident ID.
sncIncidentPriorityServiceNow incident priority.
sncIncidentUrlLink to ServiceNow incident.
workflowStateInsight escalation state. See About Insights.
In This Article