Hello Dojo Community !,
We're currently evaluating our correlation rule performance for a sample system, specifically focusing on aggregating alarms for a specific site through DataMiner.
Could you clarify the difference between the "Source" and "SourceID" of an alarm? We're wondering if the transformation "LocalDB/Source = Correlation Engine" always corresponds to "OffloadDB/SourceID = 23" when offloading alarm data.
In a recent scenario, we found only 3 "correlated" alarms with "Source = Correlation Engine" in the alarm console for a given day. However, querying offloaded data for the same site and day showed 583 alarm events with "SourceID = 23."
We'd appreciate any insights to understand this, and if the transformation holds true during data migration from local Cassandra to the SQL offload database.
Hi,
'Source' and 'SourceID' are indeed the same thing. The first one is the human readable text field, the second one is the internal ID to efficiently store this in a database.
When 'Source' contains 'Correlation Engine', 'SourceID' will indeed contain 23. And in the database, you will only find the ID field, so that the storage is efficient.
More info and documentation about this, can be found here: Structure of the offload database | DataMiner Docs
Screenshot of the SourceID field:
Now the question is why you have a different number of alarms locally compared to the offload DB. I'm wondering if by any chance you are maybe counting the alarms locally as one per lifecycle, and in the offload you are counting each alarm update separately?
Each time an alarm gets an update, a new record is created with a link to the parent, so in the DB you could have e.g. 10 records for one alarm. When looking at alarms in the alarm console, updates of alarms might be hidden in the expandable lifecycle of the alarm, and you only see one record initially in the UI or in the counters of the footer...
Bert
Thank you for the answer !