Hi.. I have a question relating to combining filters in a correlation rule to produce one alarm.
- A device generates two alarms at approximately the same time. These alarms are identified by their event IDs 34003 and 32001.
- I want to generate a correlated alarm which triggers upon these two alarms arriving together. They arrive within 10 seconds of each other but are related (if you get a 34003, 10 secs later you may get a 32001 alarm for the device).
- I don't want the correlated alarm to trigger individually on these alarms but trigger when these two alarms arrive within 10 secs of each other. So, combining the alarm conditions into one correlated alarm.
Thanks
Hi Ive..
OK. So what I have found is that this works fine but does not combine the two alarms together as one. It counts the number of all of them.
See the example pics below:
Below are the actual alarms
Below is the rule
So what I want is to also test for the existence of these alarms appearing together. If alarm ID 34003 gets generated, sometimes alarm ID 32001 will generate.. So it's that very condition I wish to correlate. Using the above rule, I get all instances of 34003 within 10 secs..
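To make the intended logic concrete, here is an added example (not code from the thread or from any particular SIEM product) of a sequence correlation that fires exactly one alarm per 34003/32001 pair on the same device within a 10-second window, and fires nothing for a lone 34003 or a lone 32001. The event tuples and device names are constructed sample data, and the per-device pairing is an assumption about how the poster's alarms should be matched.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, device, event_id)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "dev-A", 34003),
    ("2024-01-01T10:00:07", "dev-A", 32001),  # 7 s after the 34003 -> one correlated alarm
    ("2024-01-01T10:00:30", "dev-B", 34003),  # lone 34003, no 32001 follows -> no alarm
    ("2024-01-01T10:01:00", "dev-A", 32001),  # 32001 with no pending 34003 -> no alarm
    ("2024-01-01T10:02:00", "dev-C", 34003),
    ("2024-01-01T10:02:15", "dev-C", 32001),  # 15 s later, outside the window -> no alarm
]


def correlate(events, first_id=34003, second_id=32001, window_s=10):
    """Return one correlated alarm per (first_id, second_id) pair seen on the
    same device within window_s seconds. Lone events never fire, and each
    first_id is consumed once it pairs, so a pair counts once, not N times."""
    window = timedelta(seconds=window_s)
    pending = defaultdict(list)  # device -> timestamps of unpaired first_id events
    alarms = []
    for ts_str, device, event_id in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        # Drop stale candidates so a 34003 cannot pair with a 32001 far outside the window
        pending[device] = [t for t in pending[device] if ts - t <= window]
        if event_id == first_id:
            pending[device].append(ts)
        elif event_id == second_id and pending[device]:
            start = pending[device].pop(0)  # consume the oldest candidate: one alarm per pair
            alarms.append({"device": device,
                           "first_at": start.isoformat(),
                           "second_at": ts.isoformat()})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print("CORRELATED", alarm)
```

Widening the window (for example `window_s=20`) makes the dev-C pair fire as well, which is the knob to tune if the real gap between the two alarms varies.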