I have a correlation rule for iLO/iDRAC issues spanning across multiple sites. We have 8 DMAs in a cluster and each DMA is responsible for that site's elements. Each site has it's own correlation rules looking for alarms. All sites have the same rules, they're just looking at different views or elements.
On the correlation rule, I have the alarm filter section looking at a specific View (IS) (all that sites elements are under that root view) which then filters only elements using the (AND) iLO or (OR) iDRAC protocol. In the rule condition I'm looking for any (IS) critical severity.
The problem is when this correlation rule is triggered, it's being triggered at all 8 sites instead of just that one so all 8 locations get an email for that sites alarm. What looks to be happening is it's either ignoring or not correctly evaluating the Alarm Filter section. It's being triggered on the correct elements and alarms, I just don't understand why when it does get triggered, it's triggering on all 8 DMAs even though the other correlation rules are looking at different views.
Hi Jeff,
I think you have an error in the alarm filter logic and that's why the rule is being triggered in all the DMAs of the cluster for the iDRAC alarms.
You need to use the "AND (" operator and not the "AND".
In pseudo-code, what you have is:
if( (view == SOMEVIEW _and_ alarm == ILO) _or_ alarm == iDRAC ) ...
when you want this:
if( (view == SOMEVIEW _and_ (alarm == ILO _or_ alarm == iDRAC) ) ...
A final advice, you should move the Rule Condition up to the Alarm Filter, resulting in something like:
if( (view == SOMEVIEW _and_ (alarm == ILO _or_ alarm == iDRAC) _and_
severity == Critical ) ...
This will reduce the number of the internal alarm buckets created, thus improving the correlation engine performance.
Hope this helps.
>> if( (view == SOMEVIEW _and_ alarm == ILO) _or_ alarm == iDRAC )
Yeah, that would explain why it would pickup the iDRAC alarm but not in the correct view as well as it triggering all correlation rules to send emails.