I need to create a correlation rule that generates a correlated alarm within five mins when two alarm IDs are generated.
I have a filter using the regex .*(11111|22222).* . This will trap the alarms required. (i.e. when I use that filter in the alarm console, all alarms required are shown in the 5 minute time span)
11111 and 22222 represent the two alarm IDs. Alarm ID 11111 is generated once (or twice) but definitely always once, and alarm ID 22222 is generated between 200 and 500 times in 5 mins.
The correlated alarm must generate only when both of these alarm IDs are generated together in the space of a 5 minute period (regardless of how many 22222 alarms are generated). I have tried several methods but the correlated alarm always seems to trigger with one or the other of the alarm IDs but not both.
What would be the best approach for implementing this? The alarms are generated from different elements. We need to combine these properly so that the condition is captured. Sometimes, we get multiple alarms from 22222 showing without alarm ID 11111. That is not what I want. The correlated alarm must generate only when both of these alarms are generated.
To note: Both alarms are generated from different elements but using the same protocol suite
Hi Ken,
I looked into this use case a bit more and applying it on 2 different protocols.
What I wanted was only run the script (correlation action) when 2 alarms on different protocols were active.
To accomplish this I had to:
- Filter to focus on a set of alarms instead of all alarms. In my use case this is on a custom alarm property "use case"
- Group the alarms by this property
- Condition on the rule to indicate when the action (run a script) must be executed. In my use case 2 alarms must be active.
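As an added example (not code from this thread or from the product's own rule engine), the three steps in the reply written as a Python sliding-window correlator: filter the alarms with the regex from the question, group them by a property, and raise the correlated alarm only at the moment a group's five-minute window first contains both IDs, so the 200-500 follow-up 22222 alarms do not re-trigger it. The group values, the `t()` helper and the sample alarm stream are constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# The filter from the question and the two IDs that must both be present.
ALARM_FILTER = re.compile(r".*(11111|22222).*")
REQUIRED_IDS = {"11111", "22222"}
WINDOW = timedelta(minutes=5)

def correlate(alarms, window=WINDOW, required=REQUIRED_IDS):
    """Return [(timestamp, group)] for each correlated alarm raised.

    alarms: iterable of (timestamp, alarm_id, group); 'group' stands in for the
    custom property the reply groups on (constructed 'use case' values here).
    The alarm is raised only when a group's window becomes complete; later
    alarms that merely keep it complete do not raise it again.
    """
    windows = {}   # group -> deque of (timestamp, alarm_id) still inside the window
    out = []
    for ts, alarm_id, group in sorted(alarms):
        if not ALARM_FILTER.match(alarm_id):      # step 1: filter to the alarm set
            continue
        q = windows.setdefault(group, deque())    # step 2: group by the property
        while q and ts - q[0][0] > window:        # drop alarms older than 5 minutes
            q.popleft()
        was_complete = required <= {a for _, a in q}
        q.append((ts, alarm_id))
        now_complete = required <= {a for _, a in q}
        if now_complete and not was_complete:     # step 3: condition, edge-triggered
            out.append((ts, group))
    return out

# Constructed sample stream (not real alarm data); seconds are relative to BASE.
BASE = datetime(2024, 1, 1, 12, 0, 0)
def t(seconds):
    return BASE + timedelta(seconds=seconds)

SAMPLE = (
    [(t(s), "22222", "usecase-A") for s in range(0, 120)]            # 22222 flood, no 11111
    + [(t(600), "11111", "usecase-A")]                                # 11111; the flood has expired
    + [(t(s), "22222", "usecase-A") for s in range(610, 700)]         # flood again -> one alarm at 610 s
    + [(t(1100), "11111", "usecase-A")]                               # 11111 on its own -> nothing
    + [(t(50), "11111", "usecase-B"), (t(450), "22222", "usecase-B")] # 400 s apart -> nothing
    + [(t(20), "33333", "usecase-A")]                                 # not in the filter -> ignored
)

if __name__ == "__main__":
    for ts, group in correlate(SAMPLE):
        print(f"{ts:%H:%M:%S} correlated alarm for {group}")
```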