What is the correct syntax for a correlation rule script condition to count the number of alarms in a bucket with a certain severity?
Use case: I have 5 IRD elements receiving a carrier from the same transmitting antenna. I want to trigger the correlation rule (to switch to another antenna) if all IRDs that are not in timeout give a critical alarm on their lock state.
Was thinking of a script condition like this: count(severity(critical)) == 5 - count(severity(timeout)) but I'm stuck on syntax...
Jochen,
Here is how to tackle your use case:
- Configure the ALARM FILTER to only capture critical alarms from the lock state parameter and timeout alarms as well
- Configure 2 script conditions (combine them with an AND operator) :
- condition 1 : count(*)>=3
- condition 2 : max(field(severity)) == 1
- critical alarm => severity = 1 ( see slenumvalues table )
- timeout alarm => severity = 17 ( see slenumvalues table )
You can find more information about syntax and limitations on docs
UPDATE : my initial suggestion is not fully in line with what is requested.
That use case ( if I now fully understood it ) could be tackled by using 2 correlation rules:
1. First rule will generate 1 correlated alarm per IRD Element
- ALARM FILTER: IRD protocol / Critical on Lock Status/ Timeout
- ALARM GROUPING : group per Element
- Action : New Alarm (highest Severity of sources Alarms )
2. Second rule will only capture correlated alarms and make sure we have same amount of correlated alarms as number of IRDs, and that at least one alarm has max severity equals to critical
- Details: Accept Correlation Alarms
- ALARM FILTER : relevant filter to only accept correlation alarms generated by previous rule
- RULE CONDITION :
- count(*)>=3 ( if 3 IRDs)
- min(field(severity)) == 1
According to Docs, counting the number of alarms part of a bucket and in a specific state is not supported :
“When script conditions use functions, fields or properties outside the min/max/avg aggregated functions context, values will be retrieved from one of the alarms in the bucket only. This will typically be the triggering alarm or the most recent one in the rule bucket.”
I’ve suggested an alternative in my initial reply
The approach with the 2 correlation rules does the trick! Thanks a lot, that’s what I was searching for.
Not sure if the syntax allows it – but the exact logic required (if I understood correctly what Jochen needs) would be that the count of the timeout events summed with the count of the lock alert events matches the nbr of IRDs (in other words, if one of the IRDs has neither a time-out nor a lock alert, then the rule cannot fire off).