How to correlate and group two alarms with an AND condition across different protocols?

236 viewsCorrelation rule
1
0 Comments

Hi everyone,

I’m trying to set up a correlation rule that triggers only when two specific alarms (from two different elements using different protocols) occur at the same time. Here’s a simplified version of my filter logic:

  1. Condition A: Parameter description (by protocol) = InnotecISG/Production/10.0.2 Wind Speed MMB AND Severity != Normal
  2. Condition B: Is Value matches wildcard expression *RSSI*

I expected to use an AND filter so that the correlation only fires when both conditions happen together. However, when I set it up this way, the correlation doesn’t seem to trigger at all. If I change it to OR, it does trigger—but I get false positives whenever only one condition is met.

I’m also having trouble grouping these two alarms, because they don’t share a common property. The only way that seemed possible was to match on the element name via a wildcard expression, but that doesn’t appear to be supported (or doesn’t work) in my environment. We’ve tested all available grouping methods, and so far the one using “keypoint” seems to work best—but it still doesn’t fully address the AND correlation issue.

My goal is to ensure that these alarms are correlated only when both conditions occur simultaneously (or within a short time window) across these two different elements/protocols. Has anyone dealt with a similar scenario? How did you configure your filters or correlation rule so that both conditions had to be true without missing events or generating false positives?

Any suggestions , or examples would be greatly appreciated!

Wouter Demuynck [SLC] [DevOps Advocate] Answered question 10th March 2025

2 Answers

0
5.81K 0 Comments

Hi,

Be aware that the filter in the "alarm filter" section always gets applied to one alarm event/tree at a time. It is used to select which alarm events will be considered for the correlation rule and cannot be used to define that different types of alarms need to be active together.

All alarm events that each match the alarm filter will be tracked for this rule. So the alarm filter is for collecting alarm trees only.

To define when to fire actual actions, the "rule condition" section comes into play. Typically it executes actions as soon as at least one alarm is being tracked by the rule, but conditions can be added to define when actions may be executed.

In your case, what would work is the following:

  • Alarm filter:
    • "Wind speed" alarm
    • OR
    • "RSSI alarm"
  • Condition:
    • Filter condition "Wind Speed"
    • AND
    • Filter condition "RSSI alarm"

This will cause the correlation rule to track all active "Wind Speed" and active "RSSI alarm" alarms in a bucket and then run correlation actions when there is at least one "Wind Speed" alarm in the bucket and at least one RSSI alarm.

Hope this helps

Wouter Demuynck [SLC] [DevOps Advocate] Answered question 10th March 2025
0
18.32K 1 Comment

Hi,

A possible option that could work in your use case is using script conditions. For example, see the following correlation rule example:

The script condition checks a value from a parameter (that represents a critical alarm). If the condition is true, the action defined in the correlation rule will be triggered.

Hope it helps.

A B M Sidddique [DevOps Advocate] Posted new comment 6th March 2025
A B M Sidddique [DevOps Advocate] commented

Hi Miguel , thank you for your response . Is this a known reason why the "And(" filter does not work in picking up alarms from elements that have different protocol assigned and not in the same view