2 Replies Latest reply on Mar 3, 2015 12:51 PM by nicole pauls

    Can LEM correlate events based on time not in use?

    rschnitz

      Example: Service A on the monitored server "Stops" at 9:00 AM. I should start at 10:00 AM, but doesn't start at all.  My administrator want to be notified via email that Service A did not start.  Any idas?

        • Re: Can LEM correlate events based on time not in use?
          curtisi

          First, I think it would probably be easier to send an alert to the admin when the service stops, and have the LEM try to restart it immediately.

          Second, the LEM works by responding to events and logs.  There are no events or logs for "something didn't happen," since that would lead to some weird logs:

           

          1424788635000 172.0.16.66 ASA-8-2715685 The Universe did not convert to something made entirely of lasagna in this second.

          1424788635000 172.0.16.66 ASA-8-2715686 You did not turn into a giant lizard in this second.

          1424788635000 172.0.16.66 ASA-8-2715687 The word for 'Tuesday' was not removed from your language in this second.

          1424788635000 172.0.16.66 ASA-8-2715688 A hamster did not appear in Sandra's lunch in this second.

          etc.


          However, the LEM can try and look for the absence of events.  Maybe something like this?  This rule required you to define a Time of Day Set for your 10:00 AM window.


          2015-02-24 07_44_49-SolarWinds Log & Event Manager.png

          Edit: I went and talked to one of my engineers, and while the LEM can handle certain "NOT" events, it needs something to occur to "start the clock" for watching for the NOT event, so this rule probably won't work.  It'd be best to just have the LEM respond to the initial stop message immediately.