Hi.. This is my first question on here so bear with me.
I have an alarm that I would like to correlate based upon expiry time. The Value field contains the time as it counts down. So...
- The initial alarm will come in as a standard minor alert. The expiry value will be 24 hours.
- The correlation rule will create a new alarm for this and when the count reaches 15 hours to expiry, the original alarm will get escalated to a Major alarm.
- The next part of the correlation rule will perform the same function when the time reaches 8 hours to expiry and this part of the rule will escalate the alarm to a critical.
I would like to contain this in one correlation rule if possible.
Any advice/workarounds/suggestions would be greatly appreciated.
Thank you
Hi.. Thanks for the reply..
Yes I am considering templates.. The actual original alert gets generated as a 60min expiry and as a major (which is no good). I was planning to use the alarm template to change it to a Minor initially and perform the rest with a correlation rule. With this in mind, what are your thoughts?
I think what Ive is trying to say is that you can apply hysteresis and multiple alarm severities for the same event and obtain the same result.
Hi Ken,
If the expiry time does not update over time, we might have to use correlation instead.
Please find below two example correlation rules that demonstrate the requested behavior.
Note that for testing purposes I've used a persistence of 10 seconds rather than 9 hours (24-15) and 7 hours (15 - 8).
In the first correlation rule, we apply an alarm filter to make sure we only feed the expected alarm to our correlation rule. Your filter will likely look different from the one I used in the example.
I've also ticked the 'trigger on single events' check box, to make sure every update of the alarm is re-evaluated.
In the rule condition, I define how much time we should wait between receiving the alarm and escalating the alarm. The persistence will be pre-defined and can't be chosen based on the expiry time present in the alarm.
The above rule will escalate a minor alarm to a major alarm.
A secondary rule will be required to escalate the alarm further, to a critical alarm.
Here we need to activate the "accept correlation alarms" check box.
Once this is checked, you need to further tweak your alarm filter with extra caution as we don't want to create an infinite loop where the generated alarms keep on triggering the correlation rule.
In the example below, I made sure only the major alarms for this specific parameter are fed into the correlation rule.
Thank you Ive..
I'll give this a go/mess around with it and let you know how it goes.. Much appreciated.
Hi Ive..
Yes, after messing around with it.. It worked fine.. Thanks for the assistance, much appreciated.
That’s excellent news! Thanks for letting us know Ken.
Thanks.. This can be marked as solved.
Hi Ken,
The most straightforward approach would be to use the standard alarming functionality. Through your alarm template, you can define the expected severity for every value of the expiry time.
As the expiry time counts down, the alarm will automatically update each time a new limit is breached.
e.g.
While technically you could get the same result using correlation, it would be much more complex to set up and maintain, but would also put more load and stress on your system. On top of that, you would be unable to achieve this with a single correlation rule, but need 2 correlation rules (one for each severity increase).
Hi. Thanks for that.. Interesting..
So.. Let me add my thoughts..
Firstly, the actual expiry time alarm (received into DM as a trap) is held within the ‘Supporting.Data’ field and is part of a string (file name, expiry time and other details), so we can't use any time functions.
So, the reasoning behind correlation is more simple I think.
The alarm arrives in DataMiner (as a Minor alert). After 8 hours, it will escalate (to the next level of severity). Then after another X hours it will escalate again to the next level of severity. Correlation can do that I believe.
Thanks
Hi Ken,
While this isn’t an answer to your question, I’d like to understand why you would like to do this through correlation. You could easily set the 24, 15, and 8 hours values in the alarm template under different severities to achieve the desired outcome.