Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Network Node Manager i Software10.30

Administer > Configure Incidents > Configure Syslog Message Incidents (ArcSight) > Syslog Message Configuration Form (ArcSight) > Configure rate for a Syslog message incident

Configure rate for a Syslog message incident

Use Rate configuration to track incident patterns based on the number of incident reoccurrences within a specified time period. After the count within the specified time period is reached, NNMi emits a Rate Correlation incident and continues to update the Correlation Notes with the number of occurrences within that rate.

Suppression, Enrichment, and Dampening are not supported for Rate incidents.

As long as your defined criteria (Count and Hours, Minutes, Seconds) is sustained, the following information is updated in the Correlation Notes of the Rate Correlation incident:

the actual number of occurrences of incidents for that sustained rate (Count)
the sustained time interval (Hours, Minutes, Seconds)

For example, you can set a Rate configuration to track when a link is intermittently down at least three times in 30 minutes. NNMi shows the first occurrence of the rate incident in the incident view and uses Correlation Notes to update the number of incidents and time interval to reflect all the incremental incident occurrences and time periods. To continue the example, if the rate of three times in 30 minutes is sustained for 90 minutes, NNMi updates the Correlation Notes to specify that 9 incidents occurred in 90 minutes.

NNMi provides preconfigured Rate correlations. You can add new Rate correlations.

When you open the Incident form of the newest instance:

On the General tab, two fields notify you that the Rate correlation is working:
- Correlation Nature: Rate Stream Correlation
- Count: x
On the Correlated Children tab, each incident is listed in the table.

If a Rate Correlation Incident is dampened, note the following:
- Rate Correlation Incidents inherit the Dampening configuration settings from its Correlated Children.
- NNMi always retains the Parent Rate Correlation Incident, even if its Child Incidents are Closed and subsequently deleted.

To establish a rate correlation within an incident configuration:

Navigate to the Rate tab.
1. From the workspace navigation panel, select the Configuration workspace.
2. Expand the Incidents folder.
3. Select Syslog Message Configurations.
4. Do one of the following:
  - To create a new configuration, click the New icon.
  - To edit an existing configuration, select a row, click the Open icon, and continue.
5. On the form that opens, locate the Rate tab.
Provide the definition for this Rate Configuration (see the "Rate Configuration Definition" table).

Optional. If your Comparison Criteria includes custom incident attributes (CIA) to identify one specific incident, use the Comparison Parameter List table to define each CIA.
Click Save and Close to save your changes and return to the previous form.

Rate Configuration Definition
Attribute	Description
Enabled	Use this attribute to temporarily disable an incident's rate settings:If enabled, NNMi actively tracks any reoccurrences of the designated incident within the time period you specify, and generates a Rate incident. Disable = Temporarily disable the selected configuration. Enable = Enable the selected configuration.
Count	Specify the number of reoccurrences required before your Rate Configuration starts working.
Hours	Used with the Minutes and Seconds attributes to specify the time duration within which the reoccurrences are measured.
Minutes	Used with the Hours and Seconds attributes to specify the time duration within which the reoccurrences are measured.
Seconds	Used with the Hours and Minutes attributes to specify the time duration within which the reoccurrences are measured.
Parent Incident	Click the icon and select Quick Find. Select Rate Correlation from the list.
Comparison Criteria	Specify which group of attributes must match before the incident is identified as a duplicate. The possible groups of attributes consist of the following choices. Name value of the Incident (from the General tab on the Incident form). Source Node value (from the Basics group on the Incident form). Address or name of the node for which the incident was generated. Source Object value (from the Basics group on the Incident form). For example, the Source Object for a LinkDown incident is interface. CIA custom incident attribute values (select from the list displayed on the Custom Attributes tab on the Incident form).
Rate Comparison Parameters	Optional. If you selected a Comparison Criteria that includes CIA, you must populate one or more rows in this table.

Rate Comparison Parameters form

[This is the Context-Sensitive Help topic for the Incident Config >>> Comparison Params form. Used in six contexts.]

Custom Incident Attributes (CIAs) are used as parameter values. Parameter values enable accurate identification of duplicate incidents. There are two categories of CIAs:

SNMP trap varbind values (Name = the MIB varbind identifier, Type = asn_*)
Custom attributes provided by NNMi (Name = cia.*, Type=String).

The group of available CIAs depends on which incident you are configuring for this Rate (for example, CiscoLinkDown). To see which CIAs are available, navigate to an Incident view, double-click an instance of that incident-type to open the Incident form, and navigate to the Custom Attributes tab. The items listed in the table are the CIAs for that particular incident-type. For example, all CiscoLinkDown incidents would have the same group of CIAs shown in the illustration below.

You can also use the CIA (varbind) position number.

To specify a CIA to use in the identification criteria for duplicate incidents:

Navigate to the Rate Comparison Parameters form.
1. From the workspace navigation panel, select the Configuration workspace.
2. Expand the Incidents folder.
3. Select Syslog Message Configurations.
4. Do one of the following:
  - To create a new configuration, click the New icon.
  - To edit an existing configuration, select a row, click the Open icon, and continue.
5. On the form that opens, navigate to the Rate tab.
6. Locate the Rate Comparison Parameters table.
7. Do one of the following to specify which CIA:
  - To add a Custom Incident Attribute parameter specification, click the New icon.
  - To edit an existing Custom Incident Attribute parameter specification, select a row, click the Open icon, and continue.
In the Parameter Value field, type (or copy and paste) the exact text string from the Incident form, Custom Attribute tab, Name attribute value:
- NNMi-provided CIA value.
- SNMP trap varbind identified by the Abstract Syntax Notation value (ASN.1).
Click Save and Close to save your changes and return to the previous configuration form.

Configure rate for a Syslog message incident

Rate Comparison Parameters form

Related topics