Hello Dojo,
I have a question about the correlation rules.
For the example:
I have 50 items of a procotole X
In 2 weeks, I will have 100 elements of the same protocol
I want an alarm to be triggered as soon as 50% of the elements are in alarm
Currently, it works as follows in the "Rule Condition" part:
Is Script condition count(*)>=25
Is there a way to express my request in % in a correlation rule?
For example, 50% of X protocol elements in alarm = major alarm
Is this possible?
I've been to the documentation, and nothing is close to my problem.
Sincerely
You might want to have a look at Automatic Incident Tracking. See here, for a nice introduction video.
Unlike the correlation engine, this feature tries to automatically group your alarms according to what it thinks the current incidents in your system are, and as such it is much less configurable. However, you could add all elements on the given protocol to a view, and configure grouping on view with a threshold of 0.5. Then, it will group the alarms of the elements in that view whenever there are alarms on more than 50% of the elements in that view at approximately the same time. By default this threshold is configured at 25%.
To configure this, you will have the change the Analytics configuration file located at [Skyline DataMiner folder]\Analytics\configuration.xml. Under the section with '<Name>Automatic Incident Tracking</Name>', you will find a section with '<Name>ViewProperty</Name>. There you will have to change the <threshold> tag to 0.5. This section of view property will then look as follows
<item type="skyline::dataminer::analytics::workers::configuration::XMLConfigurationProperty<class std::shared_ptr<class skyline::dataminer::analytics::workers::configuration::StatisticalVisitorConfiguration> >">
<Value type="skyline::dataminer::analytics::workers::configuration::StatisticalVisitorConfiguration">
<enable>false</enable>
<threshold>0.5</threshold>
</Value>
<Accessibility>2</Accessibility>
<Name>ViewProperty</Name>
</item>
Alright, thanks for your response! I will take a look at this.