Correlation – Sliding Window behavior

64 viewsCorrelation sliding window
2
0 Comments

Hi Dojo,

I'm trying to set up a correlation rule using a sliding window, so I'm expecting that as soon as there are enough occurrences in the interval, the rule will be triggered.

My rule is very simple: I filter for alarms that belong to only one element, and in the rule condition I defined that only warning alarms should trigger the rule, and this is immediately evaluated. Then I have my sliding window that requires at least 4 occurrences in 3 minutes for the rule to be triggered, which will generate a new alarm:

However, this is not working. For example, when I already have five warning alarms in the element, the correlated alarm is not created:

Looking into the correlation logs, it seems that the alarms are being added to the bucket but not counting as occurrences. I'm guessing this is because I don't have the trigger on single events, so the alarms go through the alarm filter (enter the bucket) but even though they match the rule condition, they don't seem to be evaluated by it.

Is this expected behavior? I ask this because if I use a trigger on single events, the rule works but if there are more occurrences than the defined ones, there will be another correlated alarm, which is grouping the alarms with the new one, which does not seem correct:

Is this expected behavior?

Miguel Obregon [SLC] [DevOps Catalyst] Answered question 2 days ago

1 Answer

0
19.90K 1 Comment

Hi Catarina,

Having a look at DataMiner Docs, I found the following note:

If, for instance, you want to create a rule that is triggered if a certain number of alarms occur within a sliding window, you must also select the option Trigger on single events. Don’t maintain active tree status in the Alarm filter section.

Can you try enabling this option and validate if the correlation rule is triggered?

Hope it helps.

Catarina Grilo [SLC] [DevOps Enabler] Posted new comment 2 days ago
Catarina Grilo [SLC] [DevOps Enabler] commented

Hi Miguel,
Thank you for your answer. However, as I mentioned in my question, when I enable "trigger on single events", the rule does get triggered correctly, but if the number of occurrences exceeds the one defined in the sliding window, a new correlated alarm is created. This new correlated alarm ends up grouping the new occurrence along with the previously correlated ones, which results in what appears to be "duplicate correlated alarms". You can refer to the last screenshot I included in my original message for a clear example of this behavior.