5 Replies Latest reply on Jan 20, 2020 2:04 PM by Brendan Murray

    Event closed by ?

    Sandeep Patwardhan
      Share This:

      Hi All,

       

      I am new to TrueSight products. I am looking for a data which will show in a field on Operation console who closed the Event?

      Is there a way to know this information in console?

        • 1. Re: Event closed by ?
          Brendan Murray

          Hi Sandeep,

           

          Yes, there is a way to see who closed the event. It is recorded in the Event History, which can be viewed from the Event View->Event Details page. Click on the Logs & Notes tab and you will see the event history at the bottom of the page. In the screen shot below (click on the screen shot to see it at full size), the event was closed manually by the admin user. The Source column in the event history table is where the name of the user is recorded. The log also records the date and time the event was closed and how it was closed. OVERRIDE_CLOSED indicates the event was closed manually on the console.

           

          TSOM Event Details Logs & Notes.png

           

          Regards,

           

          Brendan

          • 2. Re: Event closed by ?
            Sandeep Patwardhan

            Thanks Brendan for the reply.

            Here is what I see in my system.

            Also in last modifier I always see "PPM"

            • 3. Re: Event closed by ?
              Brendan Murray

              Hi Sandeep,

               

              This indicates that there is an MRL rule called Host_Nagios_Repeat_Alert_Count in a file called Repeat_count_autoclose.mrl that is closing your events. This is not one of the standard out-of-the-box rules, so I don't know what it's doing. If you can find the rule and post it to this thread, I should be able to tell you what it's doing.

               

              The last modifier shows as "PPM" because the event is being modified by a TSIM rule, not a user.

               

              The MRL rules can be found on the TSIM server in installationDirectory/pw/server/etc/<cell name>/kb/rules, where <cell name> is the name of your TSIM cell. By default, it is usually pncell_<hostname>, where <hostname> is the host name of the TSIM server. That is only the default, though. Yours may not follow this format.

               

              Regards,

               

              Brendan

              • 4. Re: Event closed by ?
                Sandeep Patwardhan

                Hi Brendan,

                 

                That rule takes out all the duplicate rules generated at the same time as original and adds them in a field for counting the repeats.

                Most of the events listed in console are auto-closed by the system. If I close an event by myself I don't see my name anywhere and that is what I was looking for.

                • 5. Re: Event closed by ?
                  Brendan Murray

                  Hi Sandeep,

                   

                  It is always better to have events closed automatically so it's good to know that most of your events are auto-closed by the system. Whether the event is auto-closed or closed manually from the console, the fact that it has been closed should be recorded in the Event History log in Logs & Notes. The screen shot in my initial response is what should happen when the event is closed manually in the console. For events that are auto-closed by the TSIM Analytics Engine (a.k.a. Rate), you should always see an entry like this:

                   

                  TSOM Event Details Logs &amp; Notes (Rate Closed).png

                   

                  RATE_CLOSED indicates that the event was auto-closed by the TSIM Analytics Engine.

                   

                  If you are not seeing these log entries, either for auto-closed or manually-closed events, I recommend you open a case with BMC Customer Support. You should be seeing these entries in the Logs & Notes.

                   

                  Regards,

                   

                  Brendan