2 Replies Latest reply on Feb 25, 2010 9:19 AM by Duke

    Filter "Flag/Counter - Timeout" .... not working properly!!

      Hi,

      I am using a registered Kiwi syslog server (v8.3.4) over Windows XP, and I am having an issue with a Timeout filter.

      These are the two involved rules:

      "R004-RuleName=Start-OK-Parser-Online-08
      R004-RuleInfo=04031
      R004-F001-L01=060204000011111
      R004-F001-L02=Message text-Complex
      R004-F001-L03=<QUOTE>PRODUCTION<QUOTE>
      R004-F001-L04=<QUOTE>FHPO001<QUOTE>
      R004-F001-L05=<NONE>
      R004-F001-L06=<NONE>
      R004-F002-L01=060204000011111
      R004-F002-L02=Message text-Complex
      R004-F002-L03=<QUOTE>FH_XMEF<QUOTE> <QUOTE>FH_XMRV<QUOTE> <QUOTE>FH_XSEQC<QUOTE> <QUOTE>FH_XSFI<QUOTE> <QUOTE>FH_XSWR<QUOTE>
      R004-F002-L04=<QUOTE>CONNECTED to READY<QUOTE>
      R004-F002-L05=<NONE>
      R004-F002-L06=<NONE>
      R004-F003-L01=030705000000001
      R004-F003-L02=Time of day-Time of day
      R004-F003-L03="Everyday from 8:00 to 8:15"
      R004-F004-L01=050906000000001
      R004-F004-L02=Flags/Counters-Threshold
      R004-F004-L03=6
      R004-F004-L04=180
      R004-F004-L05=0
      R004-A001-L01=12061
      R004-A001-L02=E-mail message
      R004-A001-L03=mail@mail.com
      R004-A001-L04=OK !!!
      R004-A001-L07=200
      R004-A001-L08=65535
      R004-A001-L09=0
      R004-A001-L10=0
      R004-A001-L11=0
      R004-A001-L12=0
      R004-A002-L01=06041
      R004-A002-L02=Play a sound
      R004-A002-L03=1
      R004-A002-L04=\log\sounds\parser_online_ok.wav
      R004-A002-L05=0
      R004-A002-L06=5
      R004-A003-L01=02111
      R004-A003-L02=Stop processing message
      "

       

      This rule is monitoring six processes at the beginning of the day. If the event occurs 6 times in 3 minutes, it means that all 6 processes have already started, so ... send me an e-mail.

      At this moment, the rule is working fine.

       

      The issue is with the "opposite". I would like to receive an alarm if one of these 6 processes is not online between 8:00 and 8:15.

      This is the rule for this purpose:

      "R005-RuleName=Start-ER-Parser-Online-08
      R005-RuleInfo=04021
      R005-F001-L01=060204000011111
      R005-F001-L02=Message text-Complex
      R005-F001-L03=<QUOTE>PRODUCTION<QUOTE>
      R005-F001-L04=<QUOTE>FHPO001<QUOTE>
      R005-F001-L05=<NONE>
      R005-F001-L06=<NONE>
      R005-F002-L01=060204000011111
      R005-F002-L02=Message text-Complex
      R005-F002-L03=<QUOTE>FH_XMEF<QUOTE> <QUOTE>FH_XMRV<QUOTE> <QUOTE>FH_XSEQC<QUOTE> <QUOTE>FH_XSFI<QUOTE> <QUOTE>FH_XSWR<QUOTE>
      R005-F002-L04=<QUOTE>CONNECTED to READY<QUOTE>
      R005-F002-L05=<NONE>
      R005-F002-L06=<NONE>
      R005-F003-L01=041006000000001
      R005-F003-L02=Flags/Counters-Timeout
      R005-F003-L03=6
      R005-F003-L04=14
      R005-F004-L01=030705000000001
      R005-F004-L02=Time of day-Time of day
      R005-F004-L03="everyday from 8:00 to 8:15"
      R005-A001-L01=12061
      R005-A001-L02=E-mail message
      R005-A001-L03=email@email.com
      R005-A001-L04=NO OK !!!!
      R005-A001-L05=email2@email.com
      R005-A001-L06=NO OK !!!!
      R005-A001-L07=200
      R005-A001-L08=65535
      R005-A001-L09=0
      R005-A001-L10=0
      R005-A001-L11=0
      R005-A001-L12=0
      R005-A002-L01=02111
      R005-A002-L02=Stop processing message"

       

      This rule will be triggered if the event doesn't occur 6 times in 14 minutes from 8:00 to 8:15.

      The result is that every day I receive one email with the confirmation of Rule #4 ... and two or three emails with the "Non Ok" of Rule #5.

       

      So rule #4 is triggering one time per day (which is perfect) ... but rule #5 is triggering 2 or 3 times per day ...

      ???

       

      This issue is freaking me out. Please, could anybody tell me what I am misunderstanding about the Timeout filter?

       

      Thank you in advance.

        • Re: Filter "Flag/Counter - Timeout" .... not working properly!!
          Kuz

          Hi Duke,

          Try reversing the order of “Flags/Counters-Timeout” and “Time of day-Time of day”

          Filters are evaluated in order from the top-most filter down.

          I think you need to constrain the Timeout filter to evaluate only when the Time-of-day is between 8 and 8:15 (and not the other way around).

            • Re: Filter "Flag/Counter - Timeout" .... not working properly!!

              Hi Kuz,

               

              First of all, thank you for your answer. It was very useful.

               

              Now I understand what Kiwi Syslog Server does with the "Flag/Counter" ... or I think so ... and I still need help.

              :)

               

              Let me try with an example:

              I have a rule, that filters a message.

              This rule has a "Time-of-day" filter, between 8:00 AM and 8:15 AM, and a "Flag/Counter" filter that fires if the rule doesn't become true 1 time in 15 minutes.

               

              If I set up the rule and press "Apply" at 6:35 in the morning ... as a result, the system starts the 15-minute countdown at 6:35 AM ...

              6:35 AM: Start the countdown

              6:50 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE.

              7:05 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE.

              7:20 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE

              7:35 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE.

              7:50 AM: The countdown expires ... but time is not between 8:00 and 8:15 AM ... so, the rule is FALSE.

              8:05 AM: The countdown expires ... the time is between 8:00 and 8:15 AM ... so, the rule is TRUE and fires!!!

               

              BUT, this is not what I am looking for.

              I would like to check whether the message doesn't appear between 8:00 and 8:15. I need the counter to start at 8:00 and stop at 8:15. If the rule fires at 8:05, or depending on when I applied it in the past ... every day it will fire at a different hour ... so the firing will be completely useless.

              I tried inverting the order of the "Time-of-Day" and "Flag/Counter" filters ... but the results are the same. It still depends on when I pushed the "Apply" button.

               

              Is there any way to reset the counter ... at a specific time of day?

              If I could reset the counter at 8:00 ... the rule would work perfectly!

               

              Thanks in advance, and sorry for my english.

              Regards.
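
The difference between the free-running countdown described in the last post and a check anchored to the 8:00-8:15 clock window, as an added example that is not part of the thread and is not Kiwi Syslog functionality. It assumes a log file with lines of the form `YYYY-MM-DD HH:MM:SS <message text>`; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from datetime import date, datetime, time, timedelta

# Process names taken from the rule's second filter (the page lists these five).
EXPECTED = {"FH_XMEF", "FH_XMRV", "FH_XSEQC", "FH_XSFI", "FH_XSWR"}
WINDOW = (time(8, 0), time(8, 15))
# Assumed line layout (not a Kiwi format): "YYYY-MM-DD HH:MM:SS <message text>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")

# Constructed sample: one process reports before the window, one after it.
SAMPLE = [
    "2010-02-25 07:58:10 FHPO001 PRODUCTION FH_XMEF CONNECTED to READY",
    "2010-02-25 08:01:02 FHPO001 PRODUCTION FH_XMRV CONNECTED to READY",
    "2010-02-25 08:03:40 FHPO001 PRODUCTION FH_XSEQC CONNECTED to READY",
    "2010-02-25 08:04:11 FHPO001 PRODUCTION FH_XSFI CONNECTED to READY",
    "2010-02-25 08:20:00 FHPO001 PRODUCTION FH_XSWR CONNECTED to READY",
]

def missing_in_window(lines, day, expected=EXPECTED, window=WINDOW):
    """Window-anchored absence check: return the expected processes that did
    NOT log 'CONNECTED to READY' on `day` between window[0] and window[1]."""
    seen = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if ts.date() != day or not (window[0] <= ts.time() <= window[1]):
            continue
        if not all(s in msg for s in ("PRODUCTION", "FHPO001", "CONNECTED to READY")):
            continue
        seen.update(p for p in expected if re.search(rf"\b{re.escape(p)}\b", msg))
    return sorted(expected - seen)

def first_expiry_in_window(applied, period, window=WINDOW):
    """Model of the countdown as described in the post: it restarts every
    `period` from the moment the rule was applied. Returns the first expiry
    whose clock time lands inside the window, or None within one day."""
    t = applied + period
    while t <= applied + timedelta(days=1):
        if window[0] <= t.time() <= window[1]:
            return t
        t += period
    return None

if __name__ == "__main__":
    print(missing_in_window(SAMPLE, date(2010, 2, 25)))
    print(first_expiry_in_window(datetime(2010, 2, 25, 6, 35), timedelta(minutes=15)))
```

Run once after 8:15 (for example from a scheduled task), the first function gives one result per day regardless of when any rule was applied, while the second shows the firing time moving with the apply time.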