2 Replies Latest reply on Aug 8, 2017 12:40 PM by aharrison

    Correlation Time confusion


      Could someone give me a more detailed explanation of correlation time?


      I'd like to create a rule for a particular email notification.  The problem is that I only want to be notified on the first instance of this event, but when this particular problem pops up, it can sometimes start logging dozens of events per minute and I don't want to get notified over and over.


      What's the appropriate way to do this?






        • Re: Correlation Time confusion

          Okay, so the option to embed YouTube is gone...that's a new feature?


          At any rate, here's a video of me explaining a few methods to make a "fire once" rule:

          Solarwinds LEM - Make a rule fire once - YouTube


          Correlation Time is the purple box, and it has two values and a secret button.


          The first value is "X events in Y [time frame]" and is used to tell the LEM "This rule should only fire if the correlation conditions (the blue box) return TRUE X times in Y [time]."  That way, you can have an alert that isn't just "a bad password" but "the third bad password in 5 minutes."


          The second value is "Response time" which is to say, "If the events that made the blue box TRUE and met the condition of X times in Y [time] are more than Z [time frame] old, don't bother firing the rule."  Say that you have an Agent installed on a laptop for a travelling user.  It's collecting events and caching them because they're at Holiday Inn and not connected to your network and LEM.  They struggle to type their password correctly after a six martini dinner with a client, and get it wrong a few times.  Days later, they get back on the network and LEM gets all the cached events.  Because those events are more than Z [time frame] old, the LEM does not fire the related rules.


          There is a little gear that lights up in the purple box anytime X is greater than 1, which allows you to specify things like "If the 3 bad passwords are all against the same account," or "If the TCP ports for those 10 events are all unique."


          Hope that helps!

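A runnable model of the behaviour the reply describes (X events in Y time, the response-time cutoff for stale cached events, the gear's "same account" / "all unique ports" constraints) plus one way to make the rule fire once. This is an added example written for this page, not SolarWinds LEM code or the method shown in the linked video; the event field names (`ts`, `type`, `user`, `src_port`), the `CorrelationRule` class, and the suppression-window approach to "fire once" are all assumptions, and the sample events are constructed.

```python
"""Toy correlation engine modelling a LEM-style rule.  Added example, not
SolarWinds code; field names and the suppression-window method are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample events (not real logs).  "now" is when LEM receives them.
NOW = _ts("2017-08-08 12:00:00")
SAMPLE_EVENTS = (
    # alice: a burst of bad passwords that turns into a flood (30 events)
    [{"ts": _ts(f"2017-08-08 11:59:{sec:02d}"), "type": "BadPassword",
      "user": "alice", "src_port": 50000 + sec} for sec in range(0, 60, 2)]
    # bob: only two failures inside the window, below an X=3 threshold
    + [{"ts": _ts("2017-08-08 11:58:00"), "type": "BadPassword", "user": "bob", "src_port": 61000},
       {"ts": _ts("2017-08-08 11:58:30"), "type": "BadPassword", "user": "bob", "src_port": 61001}]
    # carol: three failures cached on a laptop for days, delivered only now
    + [{"ts": _ts(f"2017-08-05 19:00:{sec:02d}"), "type": "BadPassword",
        "user": "carol", "src_port": 40000 + sec} for sec in (0, 10, 20)]
)


class CorrelationRule:
    """X events in `window` (Y), ignore events older than `response_time` (Z),
    optional 'same field' / 'all unique field' constraints, fire once per
    `suppress` interval per key (assumed fire-once method)."""

    def __init__(self, condition, threshold, window, response_time, suppress,
                 same_field=None, unique_field=None):
        self.condition = condition          # the "blue box"
        self.threshold = threshold          # X
        self.window = window                # Y
        self.response_time = response_time  # Z
        self.suppress = suppress            # fire-once interval
        self.same_field = same_field        # gear: all X events share this field
        self.unique_field = unique_field    # gear: all X events differ in this field
        self._buckets = defaultdict(deque)  # recent matching events per key
        self._last_fired = {}               # key -> ts of last fire

    def process(self, event, now):
        """Feed one event; return True if the rule fires on it."""
        if not self.condition(event):
            return False
        if now - event["ts"] > self.response_time:
            return False  # too old: e.g. events cached on an offline laptop
        key = event[self.same_field] if self.same_field else None
        bucket = self._buckets[key]
        bucket.append(event)
        cutoff = event["ts"] - self.window
        while bucket and bucket[0]["ts"] < cutoff:
            bucket.popleft()  # slide the Y window
        if len(bucket) < self.threshold:
            return False
        if self.unique_field:
            recent = [e[self.unique_field] for e in list(bucket)[-self.threshold:]]
            if len(set(recent)) != len(recent):
                return False
        last = self._last_fired.get(key)
        if last is not None and event["ts"] - last < self.suppress:
            return False  # already fired for this key recently: stay quiet
        self._last_fired[key] = event["ts"]
        bucket.clear()  # start counting fresh after a fire
        return True


def is_bad_password(event):
    return event["type"] == "BadPassword"


def demo_third_bad_password():
    """'Third bad password in 5 minutes, same account, unique source ports.'"""
    rule = CorrelationRule(is_bad_password, threshold=3, window=timedelta(minutes=5),
                           response_time=timedelta(hours=1), suppress=timedelta(minutes=10),
                           same_field="user", unique_field="src_port")
    return [e for e in SAMPLE_EVENTS if rule.process(e, NOW)]


def demo_fire_once():
    """The original question: notify on the first instance only (X=1 plus suppression)."""
    rule = CorrelationRule(is_bad_password, threshold=1, window=timedelta(minutes=5),
                           response_time=timedelta(hours=1), suppress=timedelta(minutes=10),
                           same_field="user")
    return [e for e in SAMPLE_EVENTS if rule.process(e, NOW)]


if __name__ == "__main__":
    for e in demo_third_bad_password():
        print("X=3 rule fired:", e["ts"], e["user"])
    for e in demo_fire_once():
        print("fire-once rule fired:", e["ts"], e["user"])
```

With these inputs the X=3 rule fires exactly once, on alice's third failure, and stays silent for the remaining 27 events of her flood; bob never reaches three in the window, and carol's cached events are dropped by the response-time check even though they would otherwise satisfy the rule. The X=1 variant fires once for alice and once for bob, which is the "notify on the first instance only" behaviour the question asks for.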