7 Replies Latest reply on Mar 7, 2014 2:40 PM by nicole pauls

    Correlation time questions

    evanr

      I seem to be having some issues with understanding the correlation time in LEM's rule creation.  I have a rule set up to monitor when a certain event is logged in Windows application monitor.  You can see it's set to trigger if 5 of those events occur within 60 seconds.

      [Screenshot: Capture.JPG]


      However I seem to be getting an email alert whenever that event is seen even though I only need it to trigger when the event appears 5 times in the span of 60 seconds?  Is this not the correct setup for something like this?

        • Re: Correlation time questions
          nicole pauls

          If there are queued events still in memory, the new rule won't take effect until those events are pushed through, so it's possible they are just old events.


          It's also possible there are two rules enabled doing the same thing - if you check out the InternalRuleFired event that comes through (or whatever else you've got set up) and see what rule it's referring to, make sure it's the one you're editing.


          Lastly, could be that the count hit 5 a while ago, and it's just still firing. You could try setting the re-infer/time over threshold in the advanced correlation and set the re-fire interval to something like 30 seconds, so it'll only fire once in 30 seconds if the condition persists.


          (Or, could be the logic, but I'd guess it's something less obvious.)

            • Re: Correlation time questions
              evanr

              It definitely could be.  Here is my rule.


              [Screenshot: Capture.JPG]


              I also set the following:


              [Screenshot: Capture.JPG]


              Not sure if I need the Modifier or not?

                • Re: Correlation time questions
                  curtisi

                  The advanced correlation you have there means that the 5 events that trigger the rule have to have the SAME value in the WarningMessage field.  You may want to make that something like ServiceWarning.DetectionIP so that the 5 events have to come from the SAME system to fire the rule, otherwise 5 different systems getting the same alert would fire this rule.

                    • Re: Correlation time questions
                      evanr

                      That's what I need to happen though.  The group of systems receive the same message.  So even if I receive the message only twice on one server and three times on another server, I want the rule to fire.  Thanks for the explanation; it is starting to sink in a bit more.

                        • Re: Correlation time questions
                          curtisi

                          I notice that the rule includes an AnyAlert.ToolAlias.  Since all the other correlation fields are ServiceWarning, why not set this to ServiceWarning.ToolAlias?  The AnyAlert would cause a lot of memory utilization and might be causing false positives on the rule.
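To make the behaviour discussed in this thread concrete (a count threshold inside a sliding time window, the advanced-correlation "same value in field X" grouping, and a re-fire interval), here is an added Python sketch of such a rule. It is not LEM's engine and not code from the thread; the field names DetectionIP and WarningMessage come from the posts above, and the events are constructed sample data. Grouping on WarningMessage fires on 5 matching warnings spread across hosts, as evanr wants; grouping on DetectionIP does not, because no single host reaches 5.

```python
from collections import defaultdict, deque

# Constructed sample events (not from the thread): one service warning seen
# on two hosts, then a repeat long after the 60 s window has passed.
SAMPLE_EVENTS = [
    {"time": 0,   "DetectionIP": "10.0.0.1", "WarningMessage": "Disk queue high"},
    {"time": 10,  "DetectionIP": "10.0.0.2", "WarningMessage": "Disk queue high"},
    {"time": 20,  "DetectionIP": "10.0.0.1", "WarningMessage": "Disk queue high"},
    {"time": 30,  "DetectionIP": "10.0.0.2", "WarningMessage": "Disk queue high"},
    {"time": 40,  "DetectionIP": "10.0.0.2", "WarningMessage": "Disk queue high"},
    {"time": 45,  "DetectionIP": "10.0.0.1", "WarningMessage": "Disk queue high"},
    {"time": 75,  "DetectionIP": "10.0.0.2", "WarningMessage": "Disk queue high"},
    {"time": 200, "DetectionIP": "10.0.0.1", "WarningMessage": "Disk queue high"},
]

class CorrelationRule:
    """Fire when `count` events share one value of `group_field` inside a
    sliding `window` (seconds); then stay quiet for `refire` seconds."""

    def __init__(self, count, window, group_field, refire):
        self.count, self.window, self.refire = count, window, refire
        self.group_field = group_field
        self.recent = defaultdict(deque)  # group value -> timestamps in window
        self.last_fired = {}              # group value -> time of last firing

    def process(self, event):
        """Return (time, group value) if the rule fires on this event."""
        key, now = event[self.group_field], event["time"]
        q = self.recent[key]
        q.append(now)
        while now - q[0] > self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) < self.count:
            return None
        last = self.last_fired.get(key)
        if last is not None and now - last < self.refire:
            return None                   # condition persists; rate-limited
        self.last_fired[key] = now
        return (now, key)

def run_rule(group_field, count=5, window=60, refire=30):
    """Replay the sample through a rule grouped on `group_field`."""
    rule = CorrelationRule(count, window, group_field, refire)
    return [hit for hit in map(rule.process, SAMPLE_EVENTS) if hit]

if __name__ == "__main__":
    print(run_rule("WarningMessage"))  # fires at 40, re-fires at 75
    print(run_rule("DetectionIP"))     # never 5 from the same host: []
```

The re-fire check is what nicole pauls describes: once the count is reached the condition keeps being true for every further event inside the window, so without a re-fire interval an alert would go out on each one.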