2 Replies Latest reply on Jul 19, 2018 3:25 AM by Charles Kelley

    Cell rule question - How to manage multiple (non-duplicate) events matching some criteria within a specific time frame?

    Sam Truong

      Hi MRL-gurus,

       

      I have a customer who would like to better handle the following situation:

      They use the Hardware KM and if for some reason, during the discovery, the instrumentation layer, let's say we use SNMP so it's the SNMP agent here, doesn't respond in a timely manner, or returns some unexpected data, the KM may then detect devices as missing and we may get several PATROL_EV events. Here are the important slots:

      p_class=11

      severity=CRITICAL

      mc_object_class contains 'MS_HW_'

      mc_parameter=Present

       

      The requirement here is to lower their severity, as they probably are false-positive events, and we would need to trigger this rule if and only if there are more than 5 events matching those criteria within a 5-min time frame. An important thing to notice is that those are NOT duplicates, so a threshold/regulate rule won't work. I have written this "new" rule, but it would trigger if the number of events >= 2:

       

      new FalseMissingEvents :
      PATROL_EV ($NEW)
      where [ $NEW.status outside [CLOSED,BLACKOUT] AND $NEW.p_class == 11 AND $NEW.mc_parameter == 'Present' AND $NEW.severity == CRITICAL ]
      updates PATROL_EV ($OLD)
      where [ $OLD.status outside [CLOSED,BLACKOUT] AND $OLD.severity == CRITICAL AND $OLD.mc_host == $NEW.mc_host AND $OLD.mc_object_class == $NEW.mc_object_class ]
      within 5 m
      {
        $NEW.severity = INFO;
        ntadd($NEW,'This seems to be a false Missing event and its severity has been lowered to INFO by a rule');
        $OLD.severity = INFO;
        ntadd($OLD,'This seems to be a false Missing event and its severity has been lowered to INFO by a rule');
      }
      END

       

      Any idea/suggestion would be welcome and thanks a million for your help!

       

        Sam.

        • 1. Re: Cell rule question - How to manage multiple (non-duplicate) events matching some criteria within a specific time frame?
          Lee Foster

          Sam, you would have to have two or more events that match the quoted criteria.  Else, there is nothing to update.  It's possible given the rule that the other events came in after five minutes so they wouldn't be looked at.

          • 2. Re: Cell rule question - How to manage multiple (non-duplicate) events matching some criteria within a specific time frame?
            Charles Kelley

            Hi Sam,

             

            Here's an idea:

             

            new FalseMissingEvents : PATROL_EV($NEW)
            where [ $NEW.status outside [CLOSED,BLACKOUT] AND $NEW.p_class == 11 AND $NEW.mc_parameter == 'Present' AND $NEW.severity == CRITICAL ]
            using ALL
            {
              PATROL_EV($OLD)
              where [ $OLD.status outside [CLOSED,BLACKOUT] AND $OLD.severity == CRITICAL AND $OLD.mc_host == $NEW.mc_host AND $OLD.mc_object_class == $NEW.mc_object_class AND $OLD.date_reception > $NEW.date_reception - 300 ]
            }
            triggers
            {
              add_to_list($OLD.mc_ueid, $NEW.mc_associations);
              if (listlen($NEW.mc_associations) == 4) then
              {
                 $NEW.severity=INFO;
                 $OLD.severity=INFO;
              };
            }
            END

             

            - check for events being within 5m is in the where clause of the using section

            - might use a unique LIST_OF slot (add your own) instead of mc_associations, to make sure nothing else affects the rule.  I just used this slot for a quick test.

            - test it for performance, I only did a simple test. (maybe it will be controlled by the 300 second range, otherwise it may be better to use a hashed index)

            - listlen check is set for 4, because the current event would be the 5th.

            - the adapt_param_status rule in mcxp.mrl should probably be taking care of these events anyways (closing old ones)

             

            Charles

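To make the sliding-window logic of the rule above concrete, here is an added Python model (not MRL, and not code from the thread) that replays constructed PATROL_EV events through the same where-clauses: an event matching Sam's slot list collects the earlier open CRITICAL events on the same mc_host and mc_object_class received in the last 300 s, and when four are found (the new event being the fifth) all of them are lowered to INFO. Slot names are the thread's; the event dicts and the make_event helper are constructed for this example.

```python
WINDOW_SECONDS = 300   # "$OLD.date_reception > $NEW.date_reception - 300"
REQUIRED_OLDER = 4     # listlen == 4: the current event is the 5th
NOTE = "This seems to be a false Missing event and its severity has been lowered to INFO by a rule"

def matches_new(ev):
    """$NEW where-clause, plus the 'mc_object_class contains MS_HW_' slot from the question."""
    return (ev["status"] not in ("CLOSED", "BLACKOUT") and ev["p_class"] == 11
            and ev["mc_parameter"] == "Present" and ev["severity"] == "CRITICAL"
            and "MS_HW_" in ev["mc_object_class"])

def matches_old(old, new):
    """$OLD where-clause: still open and CRITICAL, same host and class, inside the 300 s window."""
    return (old["status"] not in ("CLOSED", "BLACKOUT") and old["severity"] == "CRITICAL"
            and old["mc_host"] == new["mc_host"]
            and old["mc_object_class"] == new["mc_object_class"]
            and old["date_reception"] > new["date_reception"] - WINDOW_SECONDS)

def replay(events):
    """Process events in reception order; returns {mc_ueid: severity} after the rule has run."""
    repository = []                                   # events the cell has already stored
    for new in events:
        new.setdefault("mc_associations", [])
        new.setdefault("mc_notes", [])
        if matches_new(new):
            older = [old for old in repository if matches_old(old, new)]
            for old in older:
                new["mc_associations"].append(old["mc_ueid"])      # add_to_list(...)
            if len(new["mc_associations"]) == REQUIRED_OLDER:
                for ev in older + [new]:                            # lower $NEW and every associated $OLD
                    ev["severity"] = "INFO"
                    ev["mc_notes"].append(NOTE)                     # ntadd(...)
        repository.append(new)
    return {ev["mc_ueid"]: ev["severity"] for ev in events}

def make_event(ueid, host, cls, t, severity="CRITICAL", status="OPEN"):
    """Constructed sample PATROL_EV carrying only the slots the rule looks at."""
    return {"mc_ueid": ueid, "mc_host": host, "mc_object_class": cls, "date_reception": t,
            "p_class": 11, "mc_parameter": "Present", "severity": severity, "status": status}

if __name__ == "__main__":
    # Constructed burst: five missing-device events on one host within 5 min, then a straggler
    burst = [make_event(f"ev{i}", "hostA", "MS_HW_DISK", 1000 + 30 * i) for i in range(5)]
    burst.append(make_event("ev5", "hostA", "MS_HW_DISK", 1550))
    print(replay(burst))   # ev0..ev4 become INFO, ev5 stays CRITICAL (outside the window)
```

Because lowered events are no longer CRITICAL, a sixth event arriving inside the same window finds no matching $OLD events and keeps its severity; that is a consequence of the $OLD where-clause worth deciding on before moving the count into a dedicated LIST_OF slot.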