I can make rules time-aware with "Time of Day Sets," and you'll find those under Build --> Groups. These allow you to make rules that only fire in certain time frames, or exclude time-frames. Like, if you know you're going to reboot machines every day at 2AM, maybe you make your "Agent/System Offline" rule inactive between 2 and 4.
However, there's not a way to make a rule fire at the same time every day that I am aware of.
I know about time of day sets; this does not help. Basically I need a scheduled task to run on LEM daily.
Our issue is email alert overload. We want an alert if a machine tried to go to a bad address that we have a sinkhole set up for. Only if we set up the rule, one PC could trigger from 1 to thousands of events, which would translate to thousands of emails.
A workaround would be to have an action to put the source PC into a user defined group, and exclude that group from the alerts. This would allow for one email to go out.
However I need another rule to remove the PC from the group to reset the trigger. And there are no clear events for this, thus I want a rule to clear the group on a daily basis.
Unless there is a way to write the rule to only trigger once within a set period.
Yeah, the best ToDs could do is trigger the rule ONLY for the configured window, which goes down to a 30 minute resolution. We have the idea to create a "threshold of 1" type rule with a time over threshold that could be broad enough, but it's not really surfaced in the way the console works today.
While I could think of a good way to only fire a rule once in a set hour using some other events, I can't think of how you'd tie that to clearing the group.
I think you have us stumped. I'll ask around for other ideas.
I went and bothered the devs, and the issue we'll have is that there always has to be some event to kick off the rule correlations. You could create a scheduled task on a system with the agent, and create the rule to fire when the event of that task running is detected. The challenge then will be that there is no "Purge User Defined Group" action, so somehow you'd have to pass every value of the UDG through the rules engine. I think manual reconciliation is the only route at the moment.
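The suppression behaviour this thread is after (one email per source PC, with the group cleared daily), modelled in Python outside LEM as an added example; it is not LEM rule syntax or code from any poster. The event tuples and the function name `suppress_daily` are constructed for illustration, and the purge is kicked off by the first event of a new day rather than by a timer.

```python
from datetime import datetime

# Constructed sample data: (timestamp, source host) for hits on the sinkhole address.
EVENTS = [
    (datetime(2024, 1, 1, 9, 0, 0), "pc-01"),
    (datetime(2024, 1, 1, 9, 0, 1), "pc-01"),
    (datetime(2024, 1, 1, 9, 0, 2), "pc-01"),
    (datetime(2024, 1, 1, 13, 30, 0), "pc-02"),
    (datetime(2024, 1, 1, 23, 59, 59), "pc-01"),
    (datetime(2024, 1, 2, 0, 0, 5), "pc-01"),
    (datetime(2024, 1, 2, 8, 15, 0), "pc-01"),
]


def suppress_daily(events):
    """Return (emails, daily_summaries) for a stream of (timestamp, host) hits."""
    group = {}           # stands in for the user-defined group: host -> suppressed hits
    current_day = None
    emails, summaries = [], []
    for ts, host in sorted(events):
        if ts.date() != current_day:
            # Purge step: the first event of a new day clears the whole group,
            # after recording how many hits each host had suppressed.
            if current_day is not None:
                summaries.append((current_day.isoformat(), dict(group)))
            group.clear()
            current_day = ts.date()
        if host in group:
            group[host] += 1   # already alerted today: count it, send nothing
        else:
            group[host] = 0    # first hit today: add to group and send one email
            emails.append(f"{ts.isoformat()} {host} contacted the sinkhole")
    if current_day is not None:
        summaries.append((current_day.isoformat(), dict(group)))
    return emails, summaries


if __name__ == "__main__":
    sent, daily = suppress_daily(EVENTS)
    for line in sent:
        print("EMAIL:", line)
    for day, counts in daily:
        print("SUMMARY:", day, counts)
```

The per-day summary keeps the suppressed hit counts, so the volume from a noisy host is still visible even though only one email went out.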