That works for some things, but some of the events come over where there's nothing in the "Component" field and thus the candlestick/mapping wizard refuses to add the rule.
The first word of the string is always the alert level (warning,debug,info,error,etc) I don't understand why its so difficult to preserve that. Zenoss seems to mangle the message in an unpredicable manner. If you look at the beginning of my post you can see that the first 6 words of the message do not show in the output and I'm having a hard time figuring out why.
I'm used to syslog servers such as Splunk where the messages just come through as they are and the severity is read from the beginning of the message.