AIOps

AIOps

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

Cloud Pak for AIOps 4 tips: clearing events in Netcool from AIOps

By Zane Bray posted 5 days ago

  

Netcool/OMNIbus is one of the most common sources of events that flow into IBM Cloud Pak for AIOps (AIOps). To avoid race conditions, alerts necessarily persist in AIOps until they are first deleted in Netcool/OMNIbus. This means therefore that normally we would have to wait for events to be removed from Netcool/OMNIbus first, via generic clear or some other automation, before they would be removed in AIOps.

To enable automation in AIOps, such as the alert expiry automation, as well as giving users the ability to remove alerts in AIOps that originate from Netcool/OMNIbus therefore, we need a mechanism that will remove the event in Netcool/OMNIbus when the alert gets cleared in AIOps. The deletion in Netcool/OMNIbus will then propagate back up to AIOps resulting in its closure and deletion there too.

This blog outlines a simple mechanism that leverages an AIOps policy and Netcool/Impact to enable this to happen.

The steps to construct such a mechanism are as follows:

  • Create a Netcool/Impact policy to clear the event in Netcool/OMNIbus
  • Create an AIOps policy to pass cleared Netcool alerts to Netcool/Impact for processing

CREATE A NETCOOL/IMPACT POLICY

Create a Netcool/Impact policy that takes the Identifier field passed to it from AIOps. The policy uses the Identifier passed to it to retrieve the Serial of the alert from OMNIbus, then both clears the event in Netcool/OMNIbus as well as adds a journal entry to say that the alert has been cleared as a result of the alert having been cleared in AIOps.

Here is a sample policy:

// AIOPS_ClearOMNIbusEvent
Log("AIOPS_ClearOMNIbusEvent: clearing alert with Identifier: " +
        EventContainer.identifier);
MySQL = "select Serial from alerts.status where Identifier = '" +
        EventContainer.identifier + "';";
MySerial = DirectSQL("defaultobjectserver", MySQL, false, false);
Log("AIOPS_ClearOMNIbusEvent: Serial is: " + MySerial[0].Serial);
MySQL = "update alerts.status set Severity = 0 where Identifier = '" +
        EventContainer.identifier + "';" +
        "call procedure jinsert(" + MySerial[0].Serial +
        ", 0, getdate(), 'This event was cleared in AIOps.');";
DirectSQL("defaultobjectserver", MySQL, false, false);

CREATE AN AIOPS POLICY

Next, log in to AIOps, select Automations from the hamburger menu, and click Create policyInvoke IBM Tivoli Netcool/Impact

Set up your Policy triggers section as follows:

NOTES:

  • Give your AIOps policy a name - for example: Clear OMNIbus event
  • Trigger entity should be Alert as we are clearing on a per-alert basis in Netcool/OMNIbus
  • Trigger entity type should be set to After an alert has been updated since we are performing this action when the alert is cleared in AIOps
  • Uncheck the Use default trigger condition since we want to perform this action specifically for cleared alerts in AIOps
  • Set Alert property to Value of: alert.state and set Change to changes

Set up your Condition sets as follows:

NOTES:

  • Ensure AND is selected since we want both of the criteria to be met
  • Add conditionAlert property: Value of: alert.stateequal toonlyclear
  • Add conditionAlert property: Value of: alert.sender.connectorTypeequal toonlyString: netcool
  • These conditions ensure only newly cleared alerts are processed and only ones that have originated in Netcool/OMNIbus

Set up your Invoke IBM Tivoli Netcool/Impact as follows:

NOTES:

  • Select your Netcool/Impact integration in the Impact connection box
  • Select your Netcool/Impact policy that you created earlier in the Impact policy box
  • Choose Customize under Impact policy parameter mapping options
  • Click on Edit parameter mapping to customise your parameter mapping

The alert.signature attribute in an AIOps alert holds the Identifier field of the event in Netcool/OMNIbus. We therefore need to configure the mapping to pass this attribute to the Netcool/Impact policy we have made by customising the parameter mapping so that Netcool/Impact can access the event in Netcool/OMNIbus.

Configure your parameter mapping as follows:

NOTES:

  • Configure your Jsonata transformation to include a single parameter called identifier that maps to alert.signature
  • View the sample result in the Input for Impact policy section
  • Click Save input to save your mapping

Your Parameter mapping preview should now look like the following:

Scroll back up to the top of the AIOps policy and check your settings. Click on Save at the top-right of the page to save your new policy.

TEST YOUR NEW AUTOMATION

Test out your new clearing mechanism by opening an Event List view into Netcool/OMNIbus via either WebGUI or by starting the Native Event List client, then clear one or more Netcool alerts in AIOps and inspect the results.

  • Open an Event List view in Netcool/OMNIbus - for example: $OMNIHOME/bin/nco_event -server AGG_P -user root
  • Filter on clear events in your Netcool/OMNIbus Event List view
  • Navigate to the AIOps Alert viewer by selecting Alerts from the main AIOps hamburger menu
  • Identify an alert that originated in Netcool/OMNIbus and clear the event via the AIOps Clear tool
  • Observe the alert in AIOps change to a Clear state
  • Observe the alert change to clear in the Netcool/OMNIbus Event List view (Severity = 0)
  • Inspect the journal to see the journal entry added by your Netcool/Impact policy

If everything is configured correctly, you should see something like the following:

You now have a mechanism that will enable the clearing and deletion of alerts from AIOps that have originated in Netcool/OMNIbus.

0 comments
10 views

Permalink

https://community.ibm.com/community/user/blogs/zane-bray1/2025/08/13/cloud-pak-for-aiops-4-tips-clearing-netcool-events