Administer > Event Processing > Event Storm Suppression

Event Storm Suppression

If a problem is experienced on a managed system that results in the generation of an abnormally high number of events within a relatively short period of time, this phenomenon is known as an event storm. It is very probable that the root cause is already known and is being addressed. However, related events are also being generated. These events do not provide any useful information but may result in significantly increased loads on the servers running OMi. To avoid this situation, OMi can be configured to look for event storms from managed systems and discard all subsequent events until the event storm condition for a particular system is over.

An event storm is detected when the number of events received within the detection time period, as a result of a problem on a system, exceeds the configured threshold required to enter an event storm condition.

In a distributed deployment, each gateway server tracks its own event storm status individually. Because event storms are bound to the gateway server on which the events are received, the load on the overall system can be kept to a minimum.

When an event storm is detected on a system, events from this system are discarded until the rate of incoming events drops below the event storm end threshold. You can configure exception rules to select events from a system under event storm conditions that match a filter and either display these events in the Event Browser or close them (available in the Event Browser under Closed Event). The event storm end event automatically closes the associated event storm begin event.

Note Events that are released back into the event pipeline as a result of matching an exception rule may undergo subsequent processing which can result in these events not being displayed in the Event Browser or appearing in the Closed Events Browser.