Question

Solved585 views7th June 2024Correlation

0

Robert Thevis [DevOps Enabler]154 5th June 2024 2 Comments

Hello everyone,

in a correlation rule we have the option to only have the correlation trigger if a situation occured a minimum of x times in a timespan.

Is there also a way to set a correlation rule that will only trigger once until the alarm has been cleared for a timespan? Basically a maximum number of events in a given timespan.

In this case we have an SMS alert triggered by multiple correlation rules (one for each user, to be enabled depending on who is on standby) and we have alarms that are not constant, which is normal for these particular alarms, but setting a hysteresis is also not an option. This results in multiple SMS being send for the same reoccuring alarms, while one would have been enough.

Is there a way to solve this?

Best Regards,

Robert

Wouter Demuynck [SLC] [DevOps Advocate] Answered question 6th June 2024

Alberto De Luca [DevOps Enabler] commented 5th June 2024

Have you tested if you get different behaviour by checking/unchecking the option “Update Base Alarms”?

Ref the “MAX” not sure – subscribing to get insight from others too – there’s an option to limit the base alarms (after the correlation actions) – but haven’t played much with it yet

Another option might be to “Accept Correlation Alarms” in the rule and add the SMS notification only in the re-correlation of correlation alarms.

Robert Thevis commented 6th June 2024

Hello Alberto, we tried to limit the base alarms with the result that the correlation would still trigger with the information “no base alarms”. So that did not work either. I am not sure if adding another correlation would help if the base alarms will get completly cleared and with them the correlated alarms, but the period in which we want to “mute” the sms is longer.

1 Answer

Have you tested if you get different behaviour by checking/unchecking the option “Update Base Alarms”?

Ref the “MAX” not sure – subscribing to get insight from others too – there’s an option to limit the base alarms (after the correlation actions) – but haven’t played much with it yet

Another option might be to “Accept Correlation Alarms” in the rule and add the SMS notification only in the re-correlation of correlation alarms.
Hello Alberto, we tried to limit the base alarms with the result that the correlation would still trigger with the information “no base alarms”. So that did not work either. I am not sure if adding another correlation would help if the base alarms will get completly cleared and with them the correlated alarms, but the period in which we want to “mute” the sms is longer.

score 2 · Answer 1 · 2024-06-06T14:37:28+00:00

Hi Robert,

I don’t believe this is possible out of the box. Once the alarm clears, the correlation engine forgets everything about it and once it appears again as a new occurrence event it is seen as something new.

One possible workaround could be to trigger an automation script from the correlation rule instead of sending an SMS from correlation, and then implementing extra logic in that script to only send the SMS when required. e.g. the script could keep an in-memory (or persisted) state of recent occurrences for the same event and decide on whether to send an SMS or not based on that.

Hope this helps

Correlation: Maximum number of events in a timespan

1 Answer