Hi Dojo,
we are working quite a lot with correlation rules. We know (more or less) our way to make the rules work, by starting the definition of rules at a very basic level when filtering for alarms, and from there on going deeper into the details, while continuously testing the rule during the implementation. So generally speaking the correlation engine is performing as expected and to our satisfaction.
However, what we experience is that the "Test rule" functionality often delivers no results, even when we just successfully tested the same rule with real alarms. We cannot see what might be the reason for that - any ideas?
Just yesterday we did just that: successfully testing a correlation rule by triggering it with real alarm events. Then, after bringing the system back to normal, clicking the "Test rule" button and applying the last week time window (there should have been multiple hits):
Any thoughts? What are we missing?
Hi Nils,
This seems to be caused by "Test rule" only testing the rule on the DMA you are connected to. An active correlation rule will however be processed by every DMA in the cluster.
This is not clear from the current state of the UI, and additionally makes it difficult to test correlation rules in a cluster. We created a task on our backlog to improve this.
Kind regards,
Xander
In case you enable the option 'Correlate across DMAs' (general section), do we have the same problem or is the 'Test rule' then working as expected?