Hi Dojo,
I'm trying to set up a correlation rule using a sliding window, so I'm expecting that as soon as there are enough occurrences in the interval, the rule will be triggered.
My rule is very simple: I filter for alarms that belong to only one element, and in the rule condition I defined that only warning alarms should trigger the rule, and this is immediately evaluated. Then I have my sliding window that requires at least 4 occurrences in 3 minutes for the rule to be triggered, which will generate a new alarm:
However, this is not working. For example, when I already have five warning alarms in the element, the correlated alarm is not created:
Looking into the correlation logs, it seems that the alarms are being added to the bucket but not counting as occurrences. I'm guessing this is because I don't have the trigger on single events, so the alarms go through the alarm filter (enter the bucket) but even though they match the rule condition, they don't seem to be evaluated by it.
Is this expected behavior? I ask this because if I use a trigger on single events, the rule works but if there are more occurrences than the defined ones, there will be another correlated alarm, which is grouping the alarms with the new one, which does not seem correct:
Is this expected behavior?
After some tests, I believe I have found the way to make this work.
To have the sliding window working without the creation of a new correlated alarm once the number of occurrences is higher than the defined one, the option Update base alarm needs to be enabled. So essentially, the following settings need to be enabled:
- Trigger on single events. Don’t maintain active tree status
- Immediate evaluation
- Configure the sliding window as desired
- In the action of the new alarm:
  - Auto clear
  - Update base alarms
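To make the difference between the two behaviours described in this thread concrete, below is a small Python model of a sliding window that is evaluated on every single event (the "trigger on single events" plus "immediate evaluation" case), once without and once with the "update base alarm" option. This is an added example and not DataMiner code: the alarm timestamps are constructed, and the way the bucket is re-evaluated, updated and auto-cleared is an assumption used for illustration, not taken from the product's correlation engine.

```python
from datetime import datetime, timedelta

# Rule parameters from the post: at least 4 occurrences in 3 minutes.
WINDOW = timedelta(minutes=3)
THRESHOLD = 4


def evaluate(events, update_base_alarm):
    """Replay warning alarms in time order and return the correlated-alarm
    actions the (assumed) engine would take on each evaluation.

    Each action is a tuple (kind, timestamp, occurrences_in_window) where
    kind is "create", "update" or "clear".
    """
    bucket = []          # timestamps of matching alarms still inside the window
    actions = []
    base_alarm_open = False

    for ts in sorted(events):
        bucket.append(ts)
        # Sliding window: drop everything older than WINDOW relative to the newest event.
        bucket = [t for t in bucket if ts - t < WINDOW]

        if len(bucket) >= THRESHOLD:
            if base_alarm_open and update_base_alarm:
                # "Update base alarm": the existing correlated alarm is refreshed
                # instead of a second one being created for the extra occurrence.
                actions.append(("update", ts, len(bucket)))
            else:
                # Without the option every evaluation above the threshold
                # raises a new correlated alarm (the duplicate the post complains about).
                actions.append(("create", ts, len(bucket)))
                base_alarm_open = True
        elif base_alarm_open:
            # "Auto clear": the window no longer holds enough occurrences.
            actions.append(("clear", ts, len(bucket)))
            base_alarm_open = False

    return actions


def sample_events():
    """Constructed input: five warnings 30 s apart, then one more 5 min later."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    return [t0 + timedelta(seconds=30 * i) for i in range(5)] + [t0 + timedelta(minutes=5)]


def demo(update_base_alarm):
    """Return only the action kinds, which is what matters for the comparison."""
    return [kind for kind, _, _ in evaluate(sample_events(), update_base_alarm)]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"update base alarm = {flag}:")
        for kind, ts, n in evaluate(sample_events(), flag):
            print(f"  {ts.time()}  {kind:<6} ({n} occurrences in window)")
```

With the option off, the fourth warning creates the correlated alarm and the fifth creates a second one; with it on, the fifth warning only updates the alarm raised on the fourth, and the sixth warning, which arrives after the first five have slid out of the window, clears it.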