Hi.. I have a question relating to combining filters in a correlation rule to produce one alarm.
- A device generates two alarms at approximately the same time. These alarms are identified by their event IDs 34003 and 32001.
- I want to generate a correlated alarm which triggers upon these two alarms arriving together. They arrive within 10 seconds of each other but are related (if you get a 34003, 10 secs later you may get a 32001 alarm for the device).
- I don't want the correlated alarm to trigger individually on these alarms but trigger when these two alarms arrive within 10 secs of each other. So combining the alarm conditions into one correlated alarm.
Thanks
Hi Ken,
You should be able to achieve this by expanding the rule condition.
Next to the script condition, you can also add a filter.
In the example below, I've enhanced the filter, so that there needs to be an alarm that has a property value 1 and a different alarm that has a property value 2.
Hi Ken,
Please find below a screenshot of a correlation rule that does exactly that.
I've added some annotation to show what every part of the rule does.
Please don't hesitate to reach out if you'd need more details on any of the configurations.
You can find some more information through this link:
https://docs.dataminer.services/user-guide/Advanced_Modules/Correlation/Correlation_rule_syntax.html
Hi Ive..
OK So what I have found is that this works fine but does not combine the two alarms together as 1. It counts the number of all of them.
See below examples pic:-
Below are the actual alarms
Below is the rule
So what I want is to also test for the existence of these alarms appearing together. If alarm ID 34003 gets generated, sometimes alarm ID 32001 will generate. So it's that very condition I wish to correlate. Using the above rule, I get all instances of 34003 within 10 secs.
Thanks Ive.. Do you have access to any of this scripting documentation?
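The condition discussed in this thread, written out as an added Python illustration (not DataMiner rule syntax and not code from any poster): one correlated alarm only when a 34003 and a 32001 occur on the same device within 10 seconds, rather than a count of every 34003. The device names and timestamps are constructed sample data, and the sketch assumes the 34003 arrives first.

```python
from collections import defaultdict

WINDOW_SECONDS = 10
FIRST_ID, SECOND_ID = 34003, 32001  # event IDs from the thread

# Constructed sample events: (timestamp in seconds, device name, event ID).
SAMPLE_EVENTS = [
    (0,  "device-A", 34003),
    (4,  "device-A", 34003),  # repeat of the same ID, must not correlate alone
    (7,  "device-A", 32001),  # within 10 s of a 34003 on device-A: correlate
    (20, "device-B", 34003),
    (35, "device-B", 32001),  # 15 s later, outside the window
    (40, "device-C", 32001),  # 32001 with no preceding 34003
    (50, "device-D", 34003),
    (55, "device-E", 32001),  # other device, so not related to device-D
]

def correlate(events, window=WINDOW_SECONDS):
    """Return one correlated alarm per 34003 -> 32001 pair on the same device."""
    pending = defaultdict(list)  # device -> timestamps of unmatched 34003 events
    correlated = []
    for ts, device, event_id in sorted(events):
        if event_id == FIRST_ID:
            pending[device].append(ts)
        elif event_id == SECOND_ID:
            # Only 34003 events still inside the window can pair with this 32001.
            live = [t for t in pending[device] if ts - t <= window]
            if live:
                correlated.append(
                    {"device": device, "first_seen": live[0], "second_seen": ts}
                )
            # Consume the burst: repeated 34003s yield a single correlated alarm,
            # and stale ones are discarded.
            pending[device] = []
    return correlated

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm)
```
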