Other Fields

Events include numerous other standard fields. Some control how an event is mapped and correlated; others provide information about the event.

The following table lists additional event fields.

Field Description
dedupid Dynamically generated fingerprint that allows the system to perform de-duplication on repeating events that share similar characteristics.
component Free-form text field (maximum 255 characters) that allows additional context to be given to events (for example, the interface name for an interface threshold event).
eventClass Name of the event class into which this event has been created or mapped.
eventKey Free-form text field (maximum 128 characters) that allows another specificity key to be used to drive the de-duplication and auto-clearing correlation process.
eventClassKey Free-form text field (maximum 128 characters) that is used as the first step in mapping an unknown event into an event class.
eventGroup Free-form text field (maximum 64 characters) that can be used to group similar types of events. This is primarily an extension point for customization. Currently not used in a standard system.
stateChange Last time that any information about the event changed.
firstTime First time that the event occurred.
lastTime Most recent time that the event occurred.
count Number of occurrences of the event between the firstTime and lastTime.
prodState Production state of the device, updated when an event occurs. This value is not changed when a device's production state is changed; it always reflects the state when the event was received by the system.
agent Typically the name of the daemon that generated the event. For example, an SNMP threshold event will have zenperfsnmp as its agent.
DeviceClass Device class of the device that the event is related to.
Location Location of the device that the event is related to.
Systems Pipe-delimited list of systems that the device is contained within.
DeviceGroups Pipe-delimited list of systems that the device is contained within.
facility Only present on events coming from syslog. The syslog facility.
priority Only present on events coming from syslog. The syslog priority.
ntevid Only present on events coming from Windows event log. The NT Event ID.
ownerid Name of the user who acknowledged this event.
clearid Only present on events in the archive that were auto-cleared. The evid of the event that cleared this one.
DevicePriority Priority of the device that the event is related to.
eventClassMapping If this event was matched by one of the configured event class mappings, contains the name of that mapping rule.
monitor In a distributed setup, contains the name of the collector from which the event originated.