The following examples show how alert enrichment adds more useful information to the Problem Area field of an alert, and how a regex extracts that information from the alert text so it can be placed in the Problem Area field.

Alert Enrichment

As an example, consider an SNMP Trap alert with the following description:

SNMPv2MIB::ColdStart (1.3.6.1.6.3.12.1.5.1)-A coldStart trap signifies that the SNMP entity is reinitializing itself.

Without alert enrichment, the alert has the following details:

[Figure: Alert enrichment details before enrichment]

If you apply alert enrichment to this alert, the Problem Area field gains the extracted information, and the alert has the following details:

[Figure: Alert enrichment details after enrichment]

Regex

When you define alert enrichment policies, use a regex to match the alert subject or description string. The regex can match one part of the subject or description, or it can use groups to split the subject or description into parts so that the policy can select the text of the group you want. In the alert enrichment example above, regex matching finds and extracts text from the alert description.

For example, consider the following alert description:

SNMPv2MIB::ColdStart (1.3.6.1.6.3.12.1.5.1)-A coldStart trap signifies that the SNMP entity is reinitializing itself.

A regex can match smaller parts of a text string by using groups.

The following regex matches the different parts of the description:

^([A-Za-z1-9-:]+\s?) ([\(1-9\.\)]*)\-([A-Za-z1-9-\s\.]*)

The regular expression has three groups and produces one regex match with three regex group matches:

Match Type   Matched Value
Match        SNMPv2MIB::ColdStart (1.3.6.1.6.3.12.1.5.1)-A coldStart trap signifies that the SNMP entity is reinitializing itself.
Group 1      SNMPv2MIB::ColdStart
Group 2      (1.3.6.1.6.3.12.1.5.1)
Group 3      A coldStart trap signifies that the SNMP entity is reinitializing itself.

The enrichment policy can use the whole match or one of the groups to enrich the Problem Area field of the alert details.

In the following Policy Definition example, the regex parses the SNMP Trap description, and the policy uses regex group 1 to enrich the Problem Area field:

[Figure: Alert enrichment policy example]
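The policy above, as an added Python example that is not the product's own code: it applies the page's regex to the sample description, reproduces the three group matches from the table, and copies group 1 into a Problem Area field the way the policy does. It also goes one step beyond the page to show a practical check: the page's character classes use 1-9, so a constructed OID containing the digit 0 does not match, while a 0-9 variant of the same pattern does; the alert dictionary, function names, the second description and the 0-9 variant are all assumptions made for this example.

```python
import re

# Regex copied from the page: group 1 = trap name, group 2 = OID, group 3 = text.
PAGE_REGEX = r"^([A-Za-z1-9-:]+\s?) ([\(1-9\.\)]*)\-([A-Za-z1-9-\s\.]*)"

# Constructed variant (not from the page) with 0-9 instead of 1-9, because
# real trap names and OIDs routinely contain the digit 0.
ZERO_SAFE_REGEX = r"^([A-Za-z0-9-:]+\s?) ([\(0-9\.\)]*)\-([A-Za-z0-9-\s\.]*)"

# The page's sample alert description.
DESCRIPTION = ("SNMPv2MIB::ColdStart (1.3.6.1.6.3.12.1.5.1)-A coldStart trap "
               "signifies that the SNMP entity is reinitializing itself.")

# Constructed description whose OID ends in 0; the page's regex cannot match it.
ZERO_OID_DESCRIPTION = ("SNMPv2MIB::ColdStart (1.3.6.1.4.1.0)-A coldStart trap "
                        "signifies that the SNMP entity is reinitializing itself.")


def regex_groups(pattern, text):
    """Return (whole match, [group 1, group 2, ...]) or None when nothing matches."""
    m = re.match(pattern, text)
    if m is None:
        return None
    return m.group(0), list(m.groups())


def enrich_problem_area(alert, pattern, group=1):
    """Hypothetical policy step: copy one regex group of the alert description
    (group=0 for the whole match) into the Problem Area field. When the regex
    does not match, the alert is returned unchanged so a bad pattern never
    blanks the field."""
    enriched = dict(alert)
    m = re.match(pattern, alert["description"])
    if m is not None:
        enriched["problem_area"] = m.group(group).strip()
    return enriched


if __name__ == "__main__":
    alert = {"subject": "SNMP Trap", "description": DESCRIPTION, "problem_area": ""}
    print(regex_groups(PAGE_REGEX, DESCRIPTION))
    print(enrich_problem_area(alert, PAGE_REGEX, 1)["problem_area"])
    # The 1-9 classes miss the 0 in the constructed OID; the 0-9 variant does not.
    print(regex_groups(PAGE_REGEX, ZERO_OID_DESCRIPTION))
    print(regex_groups(ZERO_SAFE_REGEX, ZERO_OID_DESCRIPTION))
```

Before enabling a policy, run its regex against a sample of the real trap descriptions it will see, since a non-matching pattern silently leaves the Problem Area field unenriched.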