Correlation rule based on alarm description text

97 viewsalarm correlation Correlation Correlation rule
3
0 Comments

I’m trying to build a correlation rule where two alarms need to be active at the same time in order to generate a new Critical alarm.

The alarms come from a table, and in the Alarm description I get entries like “... #2 R ...” and “... #2 L ...”.
The idea is:

If only “2 R” or only “2 L” arrives → no correlation.

If both “2 R” and “2 L” are active → correlate them and raise a new Critical alarm.

I configured the rule with two conditions under an AND (one matching *2 R*, the other *2 L*), but it doesn’t seem to trigger.

What is the correct way to configure correlation in this case?

Thank you in advance for your help!

Wouter Demuynck [SLC] [DevOps Advocate] Answered question 5 days ago

1 Answer

2
6.20K 2 Comments

Hi Daniel,

You are almost there. Judging from the screenshots, I believe you should filter on "Parameter description (by element)" instead of on "Alarm description"

Don't worry about the "(by element)" part of that name. If you use "Matches wildcard expression" there is no need to select a specific element.

Hope this helps!

Wouter Demuynck [SLC] [DevOps Advocate] Posted new comment 4 days ago
Daniel Silva [DevOps Advocate] commented

Hi Wouter, thanks for the reply — you were right, I was indeed using Alarm description incorrectly.

I tried your suggestion with "Parameter description (by element)" in two different ways, but neither worked. Before attempting to correlate “2 R” and “2 L” together, I first tested capturing only the alarm that arrives with “2 R”.

The value shown in the Source column on the element’s Active Alarms page looks like this:
Silence Detector: New Silence Detector #2 R-Channel

Based on that, I tested the following correlation rule configurations:

Is Filter condition Is Parameter description (by element) Equal to Dummy01 Active Alarms: Source (*)
And Value Matches wildcard expression *2 R*

and

Is Filter condition Is Parameter description (by element) Equal to Dummy01 Active Alarms: Source (*2 R*)

In both cases the rule didn’t trigger (no Critical alarm was generated). What could I be doing wrong?
Wouter Demuynck [SLC] [DevOps Advocate] commented

Hi Daniel,

Not knowing the actual details of your alarm, my guess is that something is still not right in the alarm filter.

My suggestion here: Instead of experimenting directly in the correlation rule definition, it might help to experiment with the alarm filters in the Cube alarm console first, to see if the filter matches with the alarms you want.

To do this, add a new tab to the alarm console (+) and choose "Show current" > "Apply filters…". From there, you can create the same type of filer as used by the Correlation engine and then verify if the filtered alarm events correspond with what you expected. It's easier to experiment and validate the filter in this way than to set up a correlation rule. You can edit the filter configuration multiple times and verify the outcome. Start with simple filters and then extend once those work.

Hope this helps!
You are viewing 1 out of 1 answers, click here to view all answers.