I need to create a correlation rule that generates a correlated alarm within five minutes when two alarm IDs are generated.
I have a filter using the regex `.*(11111|22222).*`. This will trap the alarms required (i.e. when I use that filter in the alarm console, all alarms required are shown in the 5 minute time span).
11111 and 22222 represent the two alarm IDs. Alarm ID 11111 is generated once (or twice) but definitely always once, and alarm ID 22222 is generated between 200 and 500 times in 5 minutes.
The correlated alarm must generate only when both of these alarm IDs are generated together in the space of a 5 minute period (regardless of how many 22222 alarms are generated). I have tried several methods, but the correlated alarm always seems to trigger with either one of the alarm IDs, not both.
What would be the best approach for implementing this? The alarms are generated from different elements. We need to combine these properly so that the condition is captured. Sometimes we get multiple alarms from 22222 showing without alarm ID 11111. That is not what I want. The correlated alarm must generate only when both of these alarms are generated.
To note: Both alarms are generated from different elements but using the same protocol suite
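The windowing logic the question asks for, as an added example that is not part of the original thread and not the syntax of any particular correlation engine: a trailing 5-minute window fires once when both IDs are present and re-arms only after one of them ages out, so a flood of 22222 on its own never fires. The alarm IDs are the ones from the question; the sample feed and element names are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
TRIGGER_IDS = {"11111", "22222"}


def correlate(events, window=WINDOW, required=TRIGGER_IDS):
    """Return the timestamps at which the correlated alarm fires.

    events: iterable of (timestamp, alarm_id, element), sorted by timestamp.
    Fires the first time every ID in `required` is present in the trailing
    `window`, then stays quiet until one ID ages out, so 200-500 repeats of
    22222 (or a second 11111) do not produce repeated correlated alarms.
    """
    recent = deque()          # (timestamp, alarm_id) still inside the window
    fired = []
    armed = True
    for ts, alarm_id, _element in events:
        if alarm_id not in required:
            continue          # same effect as the .*(11111|22222).* filter
        recent.append((ts, alarm_id))
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop alarms older than the window
        present = {aid for _, aid in recent}
        if present == required and armed:
            fired.append(ts)
            armed = False
        elif present != required:
            armed = True      # an ID aged out; the next pairing may fire again
    return fired


def _sample_events():
    """Constructed feed (not real alarm data): 22222 floods from element-B,
    11111 arrives twice from element-A around t+12 min, 33333 is noise."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    for s in range(0, 300, 3):            # minutes 0-4: 22222 only, must not fire
        events.append((t0 + timedelta(seconds=s), "22222", "element-B"))
    events.append((t0 + timedelta(minutes=12), "11111", "element-A"))
    for s in range(721, 900, 3):          # flood resumes right after 11111
        events.append((t0 + timedelta(seconds=s), "22222", "element-B"))
    events.append((t0 + timedelta(minutes=13), "11111", "element-A"))  # 2nd 11111
    events.append((t0 + timedelta(minutes=14), "33333", "element-C"))  # filtered
    return sorted(events)


if __name__ == "__main__":
    for ts in correlate(_sample_events()):
        print("correlated alarm at", ts.isoformat())
```

Running the block prints a single correlated alarm at 12:12:01, the first moment both IDs are inside the window; the earlier 22222-only flood and the second 11111 produce nothing extra.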
Hi,
I believe we have the same need in one of our internal detection flows.
Below you can find an example of memory leak detection based on two parameters going into alarm for a specific protocol (in this example it's the same protocol, but you can configure the protocols you need).
In the rule condition you should be able to indicate the 5-minute persistence.
I hope this is of help.

Thanks @Mieke, I'll mess around with this and let you know how it goes.