Alert and Alarm Attributes

Each event contains a set of attributes that provide more information about the condition. The attributes that make up an event differ depending on the type of event.
An alarm typically consists of the following attributes:
{
  "_created_on_utc": "2021-07-15T05:48:39.121000Z",
  "_etag": 1,
  "_updated_on_utc": "2021-07-15T05:48:39.121000Z",
  "acknowledged": false,
  "acknowledgement_info": null,
  "cleared": false,
  "code": "SITE_CONNECTIVITY_DEGRADED",
  "correlation_id": "6Qeqj3iD",
  "element_id": null,
  "entity_ref": "tenants/1092/sites/16015589439620037",
  "id": "60efcc376534671b7600e09f",
  "info": null,
  "notes": null,
  "policy_info": {
    "policy_applied_time": "2021-07-15T05:48:39.121000Z",
    "policyrule_id": null,
    "policyset_id": "16226851857240070"
  },
  "priority": "p3",
  "severity": "major",
  "site_id": "16015589439620037",
  "suppressed": false,
  "suppressed_info": {
    "event_ids": null,
    "other_reasons": null,
    "summary_event_ids": null,
    "suppressed_time": null
  },
  "time": "2021-07-15T05:10:00.098000Z",
  "type": "alarm"
}
ID
A unique ID used to identify an event.
Code
An event code which describes the event.
Correlation ID*
Correlation ID is a system-generated ID for a raised alarm. An Alarm is associated with two states – raise and clear. At any given time, there can be multiple alarms with the same event code in either a raised or cleared state. Using the Correlation ID, you may distinguish among alarms with the same event code.
When an alarm is cleared, the Correlation ID will indicate that the specific alarm is cleared. This ID will continue to be associated with an alarm, even if the alarm is cleared or resolved.
Time
The time at which this condition was seen or the event was raised or cleared.
Element ID
ID of the device on which this condition was seen.
Site ID
If the device is associated with a site, site_id will also be packaged in the event. If not, this attribute is not present.
Type
This field indicates the event type, that is, alert or alarm.
Severity
Severity for alarms is based on the following categories:
  • Critical - Whole or part of a network is down, and requires immediate action.
  • Major - Network is impacted, and needs immediate attention.
  • Minor - Network is degraded, and needs attention soon.
Entity Reference
Entity reference refers to the specific entity where the alarming condition is seen. This string can be used as an API URI to query the entity using the Prisma SD-WAN SDK. In the example above, the entity_ref attribute contains information about the element that is disconnected from the controller.
Info
Info sheds more light on the entity that is causing the alarming condition. It can contain information regarding interfaces, or IP addresses if there is a collision. The value in this field changes depending on the event code.
Notes
The Notes field is used to add remarks or comments to events. You can edit notes for active alarms only.
Priority
This attribute indicates the priority of the event or alarm.
Suppressed
Suppressed is a boolean attribute that indicates if the event is suppressed by the Prisma SD-WAN Event Correlation & Suppression engine.
Suppressed Info
If the event is suppressed, suppressed_info contains details about the suppression time and correlated event IDs.
Policy Info
If the event was updated using an event policy rule, the policy_info attribute contains details about the event policy set, event policy rule, and rule application time.
Clear*
This attribute is Boolean and indicates if the event condition still exists or is cleared. A value of True indicates that the condition no longer exists. When an alarm is raised, it is raised with Clear set to False.
Acknowledged*
This attribute is Boolean and indicates if an event has been acknowledged by a user. If acknowledged, the acknowledgement_info field contains the time and the user who acknowledged the event.
(*) indicates it is not part of the Prisma SD-WAN alert.
A Prisma SD-WAN alert contains most of these attributes except cleared, acknowledged and correlation_id, as alerts are not standing conditions. Here’s a sample alert:
{
  "info": {
    "name": "internet 1",
    "circuit_labels": "Budapest-INET-VZ"
  },
  "code": "DEVICEHW_INTERFACE_ERRORS",
  "severity": "major",
  "_updated_on_utc": "2019-12-23T14:04:34.736000Z",
  "site_id": "15282991838450011",
  "id": "5e00c972d7b0fa2f8cb418ce",
  "entity_ref": "tenants/1083/sites/15282991838450011/elements/15230097588400085/interfaces/15230098062640233",
  "correlation_id": null,
  "time": "2019-12-23T14:04:31.395000Z",
  "element_id": "15230097588400085",
  "_created_on_utc": "2019-12-23T14:04:34.736000Z",
  "type": "alert",
  "_etag": 1
}
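
The following is an added example (not from the original page or the Prisma SD-WAN SDK) that combines the type, correlation_id, cleared, suppressed and severity attributes described above to list the alarms that are still standing. It assumes a feed may carry separate raise and clear records for the same alarm, possibly out of order; the sample records and the names SAMPLE_EVENTS, parse_time and standing_alarms are constructed for illustration.

```python
from datetime import datetime

SEVERITY_RANK = {"critical": 0, "major": 1, "minor": 2}

# Constructed sample records (not real tenant data), using only attributes named on this page.
# The clear record for corrA is deliberately listed before its raise record.
SAMPLE_EVENTS = [
    {"type": "alarm", "id": "ev2", "code": "SITE_CONNECTIVITY_DEGRADED", "correlation_id": "corrA",
     "severity": "major", "cleared": True, "suppressed": False, "time": "2021-07-15T05:40:00.000000Z"},
    {"type": "alarm", "id": "ev1", "code": "SITE_CONNECTIVITY_DEGRADED", "correlation_id": "corrA",
     "severity": "major", "cleared": False, "suppressed": False, "time": "2021-07-15T05:10:00.098000Z"},
    {"type": "alarm", "id": "ev3", "code": "SITE_CONNECTIVITY_DEGRADED", "correlation_id": "corrB",
     "severity": "major", "cleared": False, "suppressed": False, "time": "2021-07-15T05:20:00.000000Z"},
    {"type": "alarm", "id": "ev4", "code": "SITE_CONNECTIVITY_DEGRADED", "correlation_id": "corrC",
     "severity": "critical", "cleared": False, "suppressed": True, "time": "2021-07-15T05:25:00.000000Z"},
    {"type": "alarm", "id": "ev5", "code": "SITE_CONNECTIVITY_DEGRADED", "correlation_id": "corrD",
     "severity": "critical", "cleared": False, "suppressed": False, "time": "2021-07-15T05:30:00.000000Z"},
    {"type": "alert", "id": "ev6", "code": "DEVICEHW_INTERFACE_ERRORS", "correlation_id": None,
     "severity": "major", "time": "2021-07-15T05:35:00.000000Z"},
]


def parse_time(value):
    """Parse the UTC timestamp format used in the page's samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def standing_alarms(events):
    """Return unsuppressed alarms whose latest record is still raised, worst severity first."""
    latest = {}
    for ev in events:
        if ev.get("type") != "alarm":
            continue  # alerts are not standing conditions and carry no cleared state
        # Same event code can be raised many times; correlation_id tells the instances apart.
        # Assumption: fall back to the event id if correlation_id is absent.
        key = ev.get("correlation_id") or ev["id"]
        seen = latest.get(key)
        if seen is None or parse_time(ev["time"]) > parse_time(seen["time"]):
            latest[key] = ev
    still_raised = [e for e in latest.values()
                    if not e.get("cleared") and not e.get("suppressed")]
    return sorted(still_raised,
                  key=lambda e: (SEVERITY_RANK.get(e.get("severity"), 99), parse_time(e["time"])))


if __name__ == "__main__":
    for alarm in standing_alarms(SAMPLE_EVENTS):
        print(alarm["severity"], alarm["code"], alarm["correlation_id"], alarm["time"])
```

Grouping by event code alone would hide corrB behind the cleared corrA record, since both share SITE_CONNECTIVITY_DEGRADED.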