Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 16

Question on "Correlation Time" in LEM Rules

I am trying to understand this section better.  I need to send an email for when I have "host flapping" on an interface.  Problem is, I need to alert on the first log (unique to device and port) but not the duplicates that will follow for at least an hour.

How in the world do I set that in the "Correlation Time" section?

I watch many video's but so far none talk about this section, they all say "This is an advanced feature not needed her"...


Labels (1)
0 Kudos
2 Replies
Product Manager
Product Manager

So, here's the unfortunate deal.... we haven't exposed a way to do a threshold of one, which is what you need.

You CAN do this:

2 in 10 seconds (alert when you see two of the same event in 10 seconds)

Advanced Threshold (little gears on the correlation time that become active when you add a threshold):

SAME <whatever> (interface, source, etc, you can add more than one field)

Re-Infer: 1 hour

Your Response Window will need to be 1 hour also so it can remember data for that long.

Correlation Time on the entire rule applies to EVERYTHING in the correlations box. You can also add a threshold for each grouping in the correlations box if you want to get more fancy.

Then, the "Advanced Threshold" box basically modifies your threshold by defining how to "count" your threshold (they need to come from the same IP, the same user, etc) and tells the threshold how often to check for "over threshold" again (your "wait an hour before telling me the shit is still hitting the fan" thing).

0 Kudos

This is an old thread, but I'm wondering why a way to do a threshold of one isn't available.  I'm not finding any info so far that explains it.  Is it a technical issue/performance issue prevention thing or just an interface limitation that the Re-Infer (TOT) option is in the advanced correlation window ?

Seems to me that feature would be very useful...

0 Kudos