Hi everyone,
I’m trying to set up a correlation rule that triggers only when two specific alarms (from two different elements using different protocols) occur at the same time. Here’s a simplified version of my filter logic:
- Condition A:
  Parameter description (by protocol) = InnotecISG/Production/10.0.2 Wind Speed MMB
  AND Severity != Normal
- Condition B:
  Is Value matches wildcard expression *RSSI*
I expected to use an AND filter so that the correlation only fires when both conditions happen together. However, when I set it up this way, the correlation doesn’t seem to trigger at all. If I change it to OR, it does trigger—but I get false positives whenever only one condition is met.
I’m also having trouble grouping these two alarms, because they don’t share a common property. The only way that seemed possible was to match on the element name via a wildcard expression, but that doesn’t appear to be supported (or doesn’t work) in my environment. We’ve tested all available grouping methods, and so far the one using “keypoint” seems to work best—but it still doesn’t fully address the AND correlation issue.
My goal is to ensure that these alarms are correlated only when both conditions occur simultaneously (or within a short time window) across these two different elements/protocols. Has anyone dealt with a similar scenario? How did you configure your filters or correlation rule so that both conditions had to be true without missing events or generating false positives?
Any suggestions or examples would be greatly appreciated!
Hi,
A possible option that could work in your use case is using script conditions. For example, see the following correlation rule example:
The script condition checks a value from a parameter (that represents a critical alarm). If the condition is true, the action defined in the correlation rule will be triggered.
Hope it helps.
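The behaviour described in the question, modelled in Python as an added example (not code from either poster, and not DataMiner's API): it shows why a filter applied to one alarm at a time never satisfies A AND B, why OR fires on a lone alarm, and how a pairwise time-window check gives the intended result. It assumes filters are evaluated per alarm; the `Alarm` fields, element names, sample alarms and the 60-second window are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Parameter string taken from the question; everything else is constructed.
WIND_PARAM = "InnotecISG/Production/10.0.2 Wind Speed MMB"

@dataclass(frozen=True)
class Alarm:               # hypothetical model, not a DataMiner type
    time: float            # seconds since an arbitrary start
    element: str
    parameter: str
    value: str
    severity: str

def cond_a(alarm):
    """Condition A: wind speed parameter with a non-Normal severity."""
    return alarm.parameter == WIND_PARAM and alarm.severity != "Normal"

def cond_b(alarm):
    """Condition B: value matches the wildcard expression *RSSI*."""
    return fnmatchcase(alarm.value, "*RSSI*")

def per_alarm_and(alarms):
    """A AND B tested on each alarm alone: one alarm must satisfy both."""
    return [a for a in alarms if cond_a(a) and cond_b(a)]

def per_alarm_or(alarms):
    """A OR B tested on each alarm alone: any single match fires."""
    return [a for a in alarms if cond_a(a) or cond_b(a)]

def correlate(alarms, window=60.0):
    """Pairs (a, b) from different elements, a meeting A and b meeting B,
    raised no more than `window` seconds apart."""
    a_hits = [x for x in alarms if cond_a(x)]
    b_hits = [x for x in alarms if cond_b(x)]
    return [(a, b) for a in a_hits for b in b_hits
            if a.element != b.element and abs(a.time - b.time) <= window]

# Constructed sample alarms.
SAMPLE = [
    Alarm(0, "Weather-01", WIND_PARAM, "31 m/s", "Critical"),
    Alarm(20, "Modem-07", "Link status", "RSSI low", "Major"),
    Alarm(600, "Weather-01", WIND_PARAM, "29 m/s", "Major"),    # lone A
    Alarm(1500, "Modem-07", "Link status", "RSSI low", "Minor"),  # lone B
    Alarm(1510, "Weather-01", WIND_PARAM, "8 m/s", "Normal"),   # clear event
]

if __name__ == "__main__":
    print("per-alarm AND:", len(per_alarm_and(SAMPLE)))
    print("per-alarm OR: ", len(per_alarm_or(SAMPLE)))
    for a, b in correlate(SAMPLE):
        print("correlated:", a.element, a.time, "+", b.element, b.time)
```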