Hi, I have a question relating to combining filters in a correlation rule to produce one alarm.
- A device generates two alarms at approximately the same time. These alarms are identified by their event IDs 34003 and 32001.
- I want to generate a correlated alarm which triggers upon these two alarms arriving together. They arrive within 10 seconds of each other but are related (if you get a 34003, 10 secs later you may get a 32001 alarm for the device).
- I don't want the correlated alarm to trigger individually on these alarms, but to trigger when these two alarms arrive within 10 secs of each other, so combining the alarm conditions into one correlated alarm.
Thanks
Marieke Goethals [SLC] [DevOps Catalyst] Selected answer as best 11th July 2023
Hi Ken,
You should be able to achieve this by expanding the rule condition.
Next to the script condition, you can also add a filter.
In the example below, I've enhanced the filter, so that there needs to be an alarm that has a property value 1 and a different alarm that has a property value 2.
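The correlation logic asked about in this thread, sketched in Python as an added example; it is not part of the original posts and is not DataMiner configuration or API. The event tuple layout, device names and sample events are constructed, and as an assumption it accepts the two event IDs in either order.

```python
from collections import defaultdict

WINDOW_SECONDS = 10
REQUIRED_IDS = frozenset({34003, 32001})  # event IDs from the question


def correlate(events, window=WINDOW_SECONDS, required=REQUIRED_IDS):
    """Return one correlated alarm each time every required event ID has
    been seen for the same device within `window` seconds.

    `events` is an iterable of (timestamp_seconds, device, event_id),
    sorted by timestamp. This layout is an assumption of the example.
    """
    last_seen = defaultdict(dict)  # device -> {event_id: latest timestamp}
    correlated = []
    for ts, device, event_id in events:
        if event_id not in required:
            continue
        seen = last_seen[device]
        seen[event_id] = ts
        # Drop sightings that have aged out of the window.
        for stale in [e for e, t in seen.items() if ts - t > window]:
            del seen[stale]
        if required.issubset(seen):
            correlated.append(
                {"device": device, "start": min(seen.values()), "end": ts}
            )
            seen.clear()  # a base alarm feeds at most one correlated alarm
    return correlated


# Constructed sample events (not taken from any real system).
SAMPLE_EVENTS = [
    (0, "device-A", 34003),
    (8, "device-A", 32001),   # pair within 10 s: correlated alarm
    (20, "device-B", 34003),  # no partner in time: nothing
    (40, "device-A", 34003),
    (55, "device-A", 32001),  # 15 s apart: nothing
    (60, "device-C", 32001),
    (61, "device-B", 32001),  # device-B's 34003 was 41 s earlier: nothing
    (65, "device-C", 34003),  # reversed order, 5 s apart: correlated alarm
]

if __name__ == "__main__":
    for alarm in correlate(SAMPLE_EVENTS):
        print(alarm)
```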