LEM Rule Correlations – Group vs. Individual

All,

I am starting to create rules for events and I would like to be as efficient as possible. I noticed it is possible to create a LEM Rule with a Group Correlation. However, I am not sure of the differences between creating a LEM Rule with a Group or an Individual correlation. I read a post by curtisi which mentions creating a Group reduces the resource requirements.

  1. Does a LEM Rule with a Group Correlation mean “match all conditions” before the action is taken?

Any assistance would greatly be appreciated.

T.J.

pastedImage_1.png

  • It depends on the color of the bar on the right of the group box.

    Blue with a triangle means AND and all conditions have to be matched to return true.

    Orange with a semi-circle means OR and any condition matched will return true.

    You can toggle them by clicking the shape (triangle or semi-circle).

  • Curtis,

    Thanks for the quick reply!

    In the example I have pasted above, it does not matter if nodes are listed in a Group or Individually, because both have the OR statement. Correct?

    Does placing nodes in a Group help reduce resource usage when an nDepth search is performed?

    T.J.

  • In your example, the group isn't doing anything.  The LEM rules engine actually does a lot of stuff in the background to simplify convoluted rules, so both examples are probably actually working identically in the background, so it's just cosmetic.

    If you're going to have a lot of IPs that you're looking at, it will probably be easier to create a User Defined Group with the IPs and then use that in the rule instead of a line per IP.

  • Curtis,

    Thanks again for the quick reply.

    T.J.