Hi.. This is my first question on here so bear with me.
I have an alarm that I would like to correlate based upon expiry time. The Value field contains the time as it counts down. So...
- The initial alarm will come in as a standard minor alert. The expiry value will be 24 hours.
- The correlation rule will create a new alarm for this and when the count reaches 15 hours to expiry, the original alarm will get escalated to a Major alarm.
- The next part of the correlation rule will perform the same function when the time reaches 8 hours to expiry and this part of the rule will escalate the alarm to a critical.
I would like to contain this in one correlation rule if possible.
Any advice/workarounds/suggestions would be greatly appreciated.
Thank you
Hi.. Thanks for the reply..
Yes I am considering templates.. The actual original alert gets generated as a 60min expiry and as a major (which is no good). I was planning to use the alarm template to change it to a Minor initially and perform the rest with a correlation rule. With this in mind, what are your thoughts?
I think what Ive is trying to say is that you can apply hysteresis and multiple alarm severities for the same event and obtain the same result.
Hi Ken,
The most straightforward approach would be to use the standard alarming functionality. Through your alarm template, you can define the expected severity for every value of the expiry time.
As the expiry time counts down, the alarm will automatically update each time a new limit is breached.
e.g.
While technically you could get the same result using correlation, it would be much more complex to set up and maintain, and would also put more load and stress on your system. On top of that, you would be unable to achieve this with a single correlation rule, but would need 2 correlation rules (one for each severity increase).
Hi Thanks for that.. Interesting..
So .. Let me add my thoughts..
Firstly, the actual expiry time alarm (received into DM as a trap) is held within the ‘Supporting.Data’ field and is part of a string (file name, expiry time and other details), so we can't use any time functions.
So, the reasoning behind correlation is more simple I think.
The Alarm arrives in Dataminer (as a Minor alert). After 8 hours, it will escalate (to the next level of severity). Then after another X hours it will escalate again to the next level of severity. Correlation can do that I believe.
Thanks
Hi Ken,
While this isn’t an answer to your question, I’d like to understand why you would like to do this through correlation. You could easily set the 24, 15, and 8 hours values in the alarm template under different severities to achieve the desired outcome.