I have a customer who would like to better handle the following situation:
They use the Hardware KM, and if for some reason, during discovery, the instrumentation layer (let's say we use SNMP, so it's the SNMP agent here) doesn't respond in a timely manner or returns some unexpected data, the KM may then detect devices as missing and we may get several PATROL_EV events. Here are the important slots:
mc_object_class contains 'MS_HW_'
The requirement here is to lower their severity, as they probably are false-positive events, and we would need to trigger this rule if and only if there are more than 5 events matching those criteria within a 5-min time frame. An important thing to notice is that those are NOT duplicates, so a threshold/regulate rule won't work. I have written this "new" rule, but it would trigger if the number of events >= 2:
new FalseMissingEvents :
    PATROL_EV ($NEW)
    where [ $NEW.status outside [CLOSED,BLACKOUT] AND $NEW.p_class == 11 AND $NEW.mc_parameter == 'Present' AND $NEW.severity == CRITICAL ]
    updates PATROL_EV ($OLD)
    where [ $OLD.status outside [CLOSED,BLACKOUT] AND $OLD.severity == CRITICAL AND $OLD.mc_host == $NEW.mc_host AND $OLD.mc_object_class == $NEW.mc_object_class ]
    within 5 m
    {
        $NEW.severity = INFO;
        ntadd($NEW, 'This seems to be a false Missing event and its severity has been lowered to INFO by a rule');
        $OLD.severity = INFO;
        ntadd($OLD, 'This seems to be a false Missing event and its severity has been lowered to INFO by a rule');
    }
END
Any idea/suggestion would be welcome and thanks a million for your help!
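Added example, not part of the post and not MRL: a small Python model that contrasts the rule as written (each incoming event pairs with any single earlier CRITICAL event for the same host and object class, so two events are enough) with the behaviour the post actually asks for (downgrade only once more than 5 distinct events for the same host and object class have arrived inside a sliding 5-minute window). The grouping key (mc_host, mc_object_class) is taken from the rule's $OLD conditions; the sample events, the host and class names, and the choice that the sixth event trips the window are constructed assumptions for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 5 * 60   # the 5-minute time frame from the post
MIN_EVENTS = 5            # "more than 5": the window trips on the sixth event
NOTE = "This seems to be a false Missing event and its severity has been lowered to INFO by a rule"


@dataclass
class Event:
    """Subset of PATROL_EV slots used by the rule (model only, not the real event class)."""
    ts: int                      # arrival time in seconds
    mc_host: str
    mc_object_class: str
    mc_object: str = ""          # differs per device, so these are not duplicates
    mc_parameter: str = "Present"
    p_class: int = 11
    severity: str = "CRITICAL"
    status: str = "OPEN"
    notes: list = field(default_factory=list)


def is_candidate(ev: Event) -> bool:
    """The $NEW conditions from the post, plus the 'MS_HW_' class check it lists as important."""
    return (ev.status not in ("CLOSED", "BLACKOUT")
            and ev.p_class == 11
            and ev.mc_parameter == "Present"
            and ev.severity == "CRITICAL"
            and "MS_HW_" in ev.mc_object_class)


def downgrade(ev: Event) -> None:
    ev.severity = "INFO"
    ev.notes.append(NOTE)


def pairwise_rule(events, window=WINDOW_SECONDS) -> int:
    """Model of the posted 'new ... updates ... within 5 m' rule: one earlier
    CRITICAL event for the same host/class inside the window is enough to fire.
    Returns how many times the rule fired."""
    seen, fired = [], 0
    for ev in events:
        if not is_candidate(ev):
            continue
        for old in seen:
            if (old.severity == "CRITICAL" and old.mc_host == ev.mc_host
                    and old.mc_object_class == ev.mc_object_class
                    and ev.ts - old.ts <= window):
                downgrade(old)
                downgrade(ev)
                fired += 1
                break
        seen.append(ev)
    return fired


def windowed_rule(events, min_events=MIN_EVENTS, window=WINDOW_SECONDS) -> int:
    """What the post asks for: count distinct candidates per (host, class) in a
    sliding window and downgrade the whole group only once the count exceeds
    min_events. Later candidates inside that same window are treated as the
    tail of the burst. Returns how many bursts were recognised."""
    pending, burst_until, fired = {}, {}, 0
    for ev in events:
        if not is_candidate(ev):
            continue
        key = (ev.mc_host, ev.mc_object_class)
        if ev.ts <= burst_until.get(key, -1):
            downgrade(ev)                      # still within a burst already judged false
            continue
        q = pending.setdefault(key, deque())
        while q and ev.ts - q[0].ts > window:
            q.popleft()                        # expired: older than the window
        q.append(ev)
        if len(q) > min_events:
            for e in q:
                downgrade(e)
            q.clear()
            burst_until[key] = ev.ts + window
            fired += 1
    return fired


def sample_events():
    """Constructed sample data (not from the post): two isolated events on srv01,
    a burst of six on srv02, one non-candidate, and a late straggler."""
    return [
        Event(0, "srv01", "MS_HW_DISK", "disk0"),
        Event(30, "srv01", "MS_HW_DISK", "disk1"),
        Event(60, "srv01", "MS_HW_DISK", "disk2", mc_parameter="Status"),   # not a candidate
        Event(100, "srv02", "MS_HW_FAN", "fan0"),
        Event(110, "srv02", "MS_HW_FAN", "fan1"),
        Event(120, "srv02", "MS_HW_FAN", "fan2"),
        Event(130, "srv02", "MS_HW_FAN", "fan3"),
        Event(140, "srv02", "MS_HW_FAN", "fan4"),
        Event(150, "srv02", "MS_HW_FAN", "fan5"),   # sixth inside the window: burst recognised
        Event(900, "srv02", "MS_HW_FAN", "fan0"),   # 12.5 min later: a genuine single alert
    ]


if __name__ == "__main__":
    evs = sample_events()
    print("windowed rule fired", windowed_rule(evs), "time(s)")
    for e in evs:
        print(e.ts, e.mc_host, e.mc_object, e.severity)
```

Running the model shows the difference directly: the pairwise variant downgrades the two unrelated srv01 events (and fires on every pair in the srv02 burst), while the windowed variant leaves srv01 at CRITICAL, downgrades the six-event srv02 burst in one go, and keeps the later single srv02 event at CRITICAL. Whatever MRL construct is chosen for the real cell, this is the behaviour to verify against before lowering severities in production, since a rule that downgrades on two events will also hide a real pair of device failures.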