Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Network Node Manager i Software10.30

Administer > Configure Incidents > Configure Syslog Message Incidents (ArcSight) > Syslog Message Configuration Form (ArcSight) > Configure deduplication for a Syslog message incident

Configure deduplication for a Syslog message incident

The deduplication configuration determines what values NNMi should match to detect when an SNMP Trap Incident, Syslog Message Incident (ArcSight only), or Management Event is a duplicate.

Note the following:

Suppression, Enrichment, and Dampening are not supported for Deduplication incidents.
NNMi applies only one deduplication configuration per incident . If NNMi generates an incident using a specified deduplication configuration, NNMi continues to correlate duplicate incidents using the original configuration. To use a different deduplication configuration for an incident, first delete the current deduplication incident (created using the original deduplication configuration). NNMi generates the next deduplication incident according to the new deduplication configuration settings.
NNMi continues to update the duplicate count regardless of an incident's lifecycle state. For example, if an incident's Lifecycle State is set to Closed, the duplicate count continues to be incremented.
Each time you stop and restart ovjboss, any incidents that have not yet been correlated or persisted are lost. This means that after a restart of ovjboss, an incoming incident might not be correlated as expected. For example, after a restart of ovjboss, a duplicate incident might not be correlated under its original parent incident. Instead, a new parent incident might be generated.
If a Duplicate Correlation Incident is dampened, note the following:
- Duplicate Correlation Incidents inherit the Dampening settings from its Correlated Children.
- NNMi always retains the Parent Duplicate Correlation incident, even if its Child Incidents are Closed and subsequently deleted.

To specify or delete a deduplication configuration:

Navigate to the Syslog Message Configuration form:
1. From the workspace navigation panel, select the Configuration workspace.
2. Expand the Incidents folder.
3. Select Syslog Message Configurations.
4. Do one of the following:
  1. To create a deduplication configuration, click the New icon, and continue.
  2. To edit a deduplication configuration, select a row, click the Open icon, and continue.
  3. To delete a deduplication configuration, select a row, and click the Delete icon.
Select the Deduplication tab.
Provide the required information (see "Deduplication Attributes" table).
Click Save and Close to save your changes and return to the previous form.

Deduplication Comparison Parameters form

[This is the Context-Sensitive Help topic for the Incident Config >>> Dedup Comparison Params form. Used in three contexts.]

Comparison Parameter values enable accurate identification of duplicate incidents. Custom Incident Attributes (CIAs) are used as Comparison Parameter values. There are two categories of CIAs:

SNMP trap varbind values (Name = the MIB varbind identifier, Type = asn_*)
Custom attributes provided by NNMi (Name = cia.*, Type=String).

The group of available CIAs depends on which incident you are configuring for this Deduplication (for example, CiscoLinkDown). To see which CIAs are available, navigate to an Incident view, double-click an instance of that incident-type to open the Incident form, and navigate to the Custom Attributes tab. The items listed in the table are the CIAs for that particular incident-type. For example, all CiscoLinkDown incidents would have the same group of CIAs shown in the illustration below.

You can also use the CIA (varbind) position number.

To specify a CIA to use in the identification criteria for duplicate incidents:

Navigate to the Deduplication Comparison Params form.
1. From the workspace navigation panel, select the Configuration workspace.
2. Expand the Incidents folder.
3. Select Syslog MessageConfigurations.
4. Do one of the following:
  - To create a new configuration, click the New icon.
  - To edit an existing configuration, select a row, click the Open icon, and continue.
5. On the form that opens, navigate to the Deduplication tab.
6. Locate theDeduplication Comparison Parameters table.
7. Do one of the following to specify which CIA:
  - To add a Custom Incident Attribute parameter specification, click the New icon.
  - To edit an existing Custom Incident Attribute parameter specification, select a row, click the Open icon, and continue.
In the Parameter Value field, type (or copy and paste) the exact text string from the Incident form, Custom Attribute tab, Name attribute value:
- NNMi-provided CIA value).
- SNMP trap varbind identified by the Abstract Syntax Notation value (ASN.1).
Click Save and Close to save your changes and return to the previous configuration form.

Deduplication Attributes
Name	Description
Enabled	Use this attribute to temporarily disable an incident's deduplication configuration: Disable = Temporarily disable the selected configuration. Enable = Enable the selected configuration. After a deduplication configuration is enabled, NNMi increments the Duplicate Count for an associated incident regardless of the Lifecycle State value. For example, if an incident's Lifecycle State is set to Closed, the duplicate count continues to be incremented.
Count	Specifies the number of duplicate incidents for the current configuration that NNMi stores at one time. For example, if the Count is 10, after NNMi receives 10 duplicate incidents, NNMi deletes the first (oldest) duplicate incident and keeps the eleventh. (NNMi stores ten maximum.)
Hours	Used with the Minute and Second Intervals to specify the time that must elapse before a new duplicate incident is generated for this incident configuration. For example, if the Hour Interval value is 1, and no Minute or Second Intervals are specified, and the duplicate incident is not generated within one hour, NNMi generates a new duplicate incident the next time it occurs.
Minutes	Used with the Hour and Second interval to specify the time that must elapse before a new duplicate incident is generated for this incident configuration. For example, if the Minute Interval is 30 and no Hour or Second Intervals are specified, and the duplicate incident is not generated within 30 minutes, NNMi generates a new duplicate incident the next time it occurs.
Seconds	Used with the Hour and Minute Intervals to specify the time that must elapse before a new duplicate incident is generated for this incident configuration. For example, if the Second Interval is 120 and no Hour or Minute Intervals are specified, and the duplicate incident is not generated within 120 seconds, NNMi generates a new duplicate incident the next time it occurs.
Parent Incident	Used to specify the Incident Configuration that will be the Parent Incident for the incident you are configuring. For example, you might have created a Management Event Incident Configuration that could be used as the Parent Incident for SNMP Trap Incidents. When specifying the Parent Incident, you have the following options: When you want to use a configuration that NNMi provides, use the default Duplicate Correlation incident configuration . If you select this option, the incident message for the Parent Incident begins as follows: `Duplicate Correlation for <incident_configuration_name>` For example if you are configuring a Node Down incident and select Duplicate Correlation as the Parent Incident, the Parent Incident message begins with: Duplicate Correlation for Node Down. Each Node Down incident that is a duplicate then appears correlated under the Duplicate Correlation for Node Down incident. NNMi also enables you to customize the Parent Incident for a given deduplication scenario. If you have created a Management Event Incident Configuration to use for this deduplication scenario, select the Management Event Incident Configuration that you have created.
Comparison Criteria	Specify the attribute values that must match before the incident is identified as a duplicate. The possible attributes consist of the following choices. Name - The Name attribute value from the Incident form: General tab. CIA - Represents any of the following items configured as a Parameter Value using the Deduplication Comparison Parameters Form: The Value attribute from the Incident form: Custom Attributes tab An SNMP varbind Object ID An SNMP varbind position number SourceNode - The Source Node attribute value from the Basics attributes listed on the Incident form. The Source Node value is the IP Address or Name of the node for which the incident was generated. The Source Node must be stored in the NNMi database. Source Object - The Source Object attribute value from the Basics attributes listed on the Incident form. The Source Object must be stored in the NNMi database. Each attribute value in the option you select must match before the incident is identified as a duplicate. For example, if you select Name, only the Incident Name value must match. If you select Name SourceNode SourceObject CIA, the Incident Name, Source Node, Source Object, and all Custom Incident Attribute values that you configure as a Parameter Value must match before NNMi identifies the incident as a duplicate. Selecting an option that includes CIA enables you to further refine the deduplication criteria. For example, you might want to configure deduplication for incidents with CIA values that specify the same State attribute value for a particular network object.
Deduplication Comparison Parameters	Optional. If you selected a Comparison Criteria that includes CIA, you must populate one or more rows in this table.

For a description of each Comparison Criteria option, see this table.

Comparison Criteria	Description
Name	Value of the Name attribute from the Incident form: General tab must match.
Name CIA	Each of the following values must match: Name attribute from the Incident form: General tab CIA - Represents the Value associated with any of the following items configured as a Parameter Value using the Deduplication Comparison Parameters Form : Name of a Custom Incident Attribute (CIA) provided by NNMi. An SNMP varbind Object ID An SNMP varbind position number
Name SourceNode	Select this option only if the Source Node is stored in the NNMi database. Each of the following values must match: Name attribute from the Incident form: General tab The Source Node attribute value from the Basics attributes listed on the Incident form
Name SourceNode CIA	Select this option only if the Source Node is stored in the NNMi database. Each of the following values must match: Name attribute from the Incident form: General tab The Source Node attribute value from the Basics attributes listed on the Incident form CIA - Represents the Value associated with any of the following items configured as a Parameter Value using the Deduplication Comparison Parameters Form : The Value attribute from the Incident form: Custom Attributes tab An SNMP varbind Object ID An SNMP varbind position number
Name SourceObject	Select this option only if the Source Object is stored in the NNMi database. Each of the following values must match: Name attribute from the Incident form: General tab The Source Object attribute value from the Basics attributes listed on the Incident form.
Name SourceObject CIA	Select this option only if the Source Object is stored in the NNMi database. Each of the following values must match: Name attribute from the Incident form: General tab The Source Object attribute value from the Basics attributes listed on the Incident form CIA - Represents the Value associated with any of the following items configured as a Parameter Value using the Deduplication Comparison Parameters Form : The Name attribute from the Incident form: Custom Attributes tab An SNMP varbind Object ID An SNMP varbind position number
Name SourceNode SourceObject	Select this option only if the Source Node and Source Object are stored in the NNMi database. Each of the following values must match: Name attribute from the Incident form: General tab The Source Node attribute value from the Basics attributes listed on the Incident form The Source Object attribute value from the Basics attributes listed on the Incident form
Name SourceNode SourceObject CIA	Select this option only if the Source Node and Source Object are stored in the NNMi database. Each of the following values must match: Name attribute from the Incident form: General tab The Source Node attribute value from the Basics attributes listed on the Incident form The Source Object attribute value from the Basics attributes listed on the Incident form CIA - Represents the Value associated with any of the following items configured as a Parameter Value using the Deduplication Comparison Parameters Form : The Name attribute from the Incident form: Custom Attributes tab An SNMP varbind Object ID An SNMP varbind position number

Configure deduplication for a Syslog message incident

Deduplication Comparison Parameters form

Related topics