6 Replies Latest reply on Aug 20, 2020 4:02 AM by Alexandru Florea

    Correlation Policy

    Alexandru Florea
      Share This:



      I am having trouble creating a Correlation Policy for 2 severs that work as a cluster.

           Using TSIM Admin Console 11.3.02


      We have a simple Even Collector which takes all events that don't have Severity = Information and hostname start with :ServerClusterApp

      Therefore it will collect all events that come from ServerClusterApp1 and ServerClusterApp2.


      Moving on to creating a Correlation Policy on this collector:

      Event Cause 1: Host = ServerClusterApp1, Object Class = CustomKM1, Object = x, Metric = y

      Event Cause 2: Host = ServerClusterApp2, Object Class = CustomKM1, Object = x, Metric = y


      Because we have 10 instances on each server, 5 will always be turned on and 5 will be passive having 0 activity until the load balancer kicks in.

      What I want is this correlation policy to capture when the same event type takes place on both servers. Specially when the value of activity reaches 0.


      The normal events are generated and the Custom KM is working fine. I also tried this exact case on simpler default parameters like %FS Utilized.  Yet I can't see anywhere the Effect event being generated.


      Any ideas what am I not doing right?

        • 1. Re: Correlation Policy
          Brendan Murray

          Hi Alexandru,


          Were you able to solve this problem? If not, can you clarify your question? You say you don't see an effect event being generated. Correlation policies don't generate effect events. They link effect events to cause events. Both the cause events and the effect event have to already exist for the policy to work.


          The requirement you describe sounds more like abstraction than correlation. Abstraction is when several similar events occur that, collectively, indicate there is some underlying problem. Abstraction generates an "abstract event" that describes this underlying problem and links the "abstracted events" to it. Unfortunately, abstraction requires writing an MRL rule. There is no policy type for abstraction.


          I would have to see screen shots of your correlation policy in order to provide any further help. If you have solved your problem, it would be very helpful to others if you updated this post with the details of your solution.





          • 2. Re: Correlation Policy
            Alexandru Florea

            Hi Murray,


            Thank you for taking an interest in my issue. I have to say that I am quite surprised learning from you that there isn't an effect event generated from scratch. From the online documentation it isn't 100% clear for a new user how the event is corelated. Link :  Creating a new correlation policy - Documentation for BMC TrueSight Infrastructure Management 11.3 - BMC Documentation 

            " A correlation policy relates one or more cause events to an effect event. You have the option of configuring this policy to close the effect event. The cell maintains the association between these cause-and-effect events. "


            Going back to our issue and treating it as a "linking policy":

                 At some point during my tests I have set a correlation policy between 2 server nodes. They balance the FileSystems from one to another and I wanted to see " a 3rd event generated when both FileSystems were unmounted "


            The rule was like this:

                 Cause Event 1 => Hostname=Server1, Object=FS1, Metric Value=2

                 Cause Event 2 => Hostname=Server2, Object=FS1, Metric Value=2


            Both events were generated and their Priority parameter changed acording to the Correlation Policy as Cause Events.

            But what surprised me was that the Effect event was a completely different event, A memory % utilization event which was escalated to highest priority. And I  could see in the Log and Notes tab the details of escalation.



            But leaving this whole issue completely aside now, since our institution doesn't make use of this functionality. And we really just want a 3rd event alerted on email as you described above, is there a MRL tutorial on how to create and install those configurations?

            • 3. Re: Correlation Policy
              Brendan Murray

              Hi Alexandru,


              The important word in the section you quote above is "relates". That's what correlation policies are designed to do. They relate, or link, effects to causes. In event management, effect events are "noise". They are symptoms of an underlying problem. They are not the problem itself. Correlation policies are designed to suppress these noise events and link them to their underlying cause. Generating effect events is the opposite of what you want an event management system to do. You want to suppress effect events and focus on their cause. Correlation policies do this, while maintaining a link between cause and effects.


              For example, if you have several application servers generating "Unable to connect to the database" events and your database monitoring has generated an event "Database server XYZ is stopped", a correlation policy could close the "Unable to connect the database" events and link them to the "Database server XYZ is stopped" event, allowing your NOC staff to focus on the root cause, which is that the database server is stopped.


              I continue to believe that your requirement is best addressed with an abstract rule. Unfortunately I was not able to find any tutorials or videos on how to create abstract rules. The best I can do is provide you with links to the product documentation:


              Abstract Rules

              Abstract Rule Syntax

              Abstract Rule Examples


              To be frank, if you have not had any training in MRL itself, these links may not help you much. You should have some basic MRL training before you try writing rules.


              Sorry I can't be of more help.





              1 of 1 people found this helpful
              • 4. Re: Correlation Policy
                Alexandru Florea

                Thank you for your resposne and time on my issue.

                Everything is clear now !


                Have a wonderful day,


                • 5. Re: Correlation Policy
                  Stephane Guedon

                  Hi Alexandru


                  Fully agree with Brendan.


                  Here is a abstract rule sample from old docs:

                  abstract AMP:

                    APP_MISSING_PROCESSES ($AMP)

                     from PROCESS_DOWN ($PD)where [$PD.sub_origin within[process1, process2, process3] ]

                     setup { $AMP.date = $PD.date;

                    $AMP.mc_host = $PD.hostname;

                    $AMP.origin = $PD.origin;

                    $AMP.application = ’ABC';

                    $AMP.msg = 'Processes missing for application abc'; }

                     when $PD.status == OPEN {

                  add_to_list($PD.mc_parameter, $AMP.processes); }

                     when $PD.status == CLOSED {

                  rem_from_list($PD.mc_parameter, $AMP.processes);}



                  A long time ago, I've created a ruleset in order to manage 'situations' to generate highest level events explaining situations based on multiple cause event using DDAs (managed with ProactivePack) and use them to create high level incidents. In you case you may also service impact model that includes cluster computation OOTB.






                  Stéphane Guedon

                  • 6. Re: Correlation Policy
                    Alexandru Florea

                    Thank you, much appreciated.