Combination Rules

When a combination of events occur, sometimes in a precise order, within a short period of time, this may be understood as a problem requiring corrective action or even as a scenario that may initially appear to be a problem but which does not require any intervention by an operator. For example, a node-down event followed by a node-up event within two minutes usually means that a system reboot has occurred. This is typically viewed as not significant, as long as reboots do not occur too frequently, and does not require action other than the automatic cleaning up of these events.

Configuring a combination rule requires at least two filters to select the events to consider, for example, to select events with a node-down indicator and to select events with a node-up indicator. Certain attributes must be the same to be regarded as originating from the same source, for example, the node CI and source CI must be the same. The time interval between the related events must be short, for example, a maximum of five minutes, before the scenario is considered to be a problem. You can also specify if the events must occur in a particular order for the rule to be matched and executed.

It may be considered advantageous to hold back matching events during the time interval to reduce the number of unnecessary events being sent to the Event Browser. Only when the required combination of events are received within the specified time period is it necessary to inform the operator that action is necessary.

This could be to close or discard all events, except for the reference event that is modified to inform that a reboot took place. The reference event is an event from the initial rule execution, and it could be the first (least recent) event that is used for the modifications of all subsequent events, or the last (most recent) event.

Note The reference event is used as an attribute source for new events.

Additionally, a new event can be automatically generated. All matching events can be related to the new event as symptoms.

Tasks

UI Descriptions