Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

Operations Manager i10.62

Administer > Event Processing > Stream-Based Event Correlation > Repetition Rules

Repetition Rules

The repeated generation of the same event may indicate a problem. For example, more than 10 login failures for the same account within 2 minutes is typically viewed as requiring action and should create a security alert.

Configuring a repetition rule requires a filter to select the events to consider, for example, text "login failed" is contained within the title. Certain attributes must be the same to be regarded as originating from the same source, for example, the host name of the system and the user name being used to log in must be the same. The time interval between login attempts must be short, for example, a maximum of two minutes, and there must be a minimum number of attempted failed logins before the scenario is considered to be a problem.

It may be considered advantageous to hold back matching events during the time interval to reduce the number of unnecessary events being sent to the Event Browser. Only when the minimum number of attempted failed logins exceeds the specified threshold, is it necessary to inform the operator that action is necessary. This could be to close or discard the failed login events, except for the reference event that is modified to inform of the series of failed logins. The reference event is an event from the initial rule execution, and it could be the first (least recent) event that is used for the modifications of all subsequent events, or the last (most recent) event.

Note The reference event is used as an attribute source for new events.

Additionally, a new event can be automatically generated. All failed-login events can be related to the new event as symptoms.

Tasks

Create a repetition rule

This task shows you how to create a repetition rule.

In the Stream-Based Event Correlation Rules pane, click the New button and select Repetition Rule to open the Create New Repetition Rule dialog box.
In the General tab, enter a display name, and (optional) a description of the rule being specified.
Select Activate Repetition Rule after creation, if you want to make the rule active immediately.
Click Next to open the Conditions page and select an event filter for the rule from the Event Filter list. The filter determines which events to consider for the repetition rule.

If no appropriate filter is already configured, click the Browse (...) button, which opens the Manage Event Filters side panel. Create a filter or edit an existing one. For information about filters, see Event Filters.
Select Hold back events until events fall out of time window, if you want to keep the events selected by the filter from being displayed in the Event Browser during the time period specified by the rule.
Add attributes that must be included in events and have matching values for the events to be considered as matching:
1. Click the New correlation attribute button and select the type of attribute, for example General and select an attribute from the drop-down list.
2. Repeat for additional attributes.
Select the number of identical events that need to be received, and the time period within which they must occur for the rule to be executed. Additionally, select Treat duplicates as repetitions, if you want the number of identical events to include every duplicate as a single event.
Set the time window within which these events must occur.
Choose whether the actions should be executed the first time (the default) or every time the condition is fulfilled.

If you choose the default option, a new event is created only the first time the condition is fulfilled (during the initial rule execution) and all subsequent events within the specified time window will correlate to the same cause. They are modified accordingly, which does not apply to the already existing events.

Decide how you want all subsequent events to be handled, either within the remaining time window (which is set by the initial rule execution), or for the sliding time window, which means that with each subsequent event the time window is automatically extended. The default value is remaining.
Click Next to open the Actions page and specify the actions to be executed on the selected events when the rule conditions are met.

Select the event which will be used as a reference event (that is, the event that will be used for the further processing). It could be the most recent (last) or the least recent (first) event from the initial rule execution. The default is first.

All events that are identified as recurring events can be handled as follows:
- Close All Events - Close all events matching this rule.
- Release Reference Event, Close All Others - Close all events matching the rule except for the reference event, and release the reference event for further processing.
- Release All Events - Release all events for further processing.
Optional. Select Discard, if possible if it is preferred to completely remove the events selected by the rule. This is only possible if the event is still on hold and has not yet been stored in the database.

Note Whether an event is on hold depends on all SBEC rules that the event matches.
Optional. If you want to modify any attributes of selected events before they are sent to the Event Browser, select Edit attributes from the Modify event attributes of non-closed events section, and specify the changes.
Select Create a new event, if you want a new event to be automatically generated when the rule conditions are met and specify the attributes of the event by selecting Edit attributes and choosing attributes and entering associated values.
If generating a new event, select the Events selected by <filter name> check box if the generated event is to be the cause event for the selected repeated events.
If generating a new event as a cause event, specify a Rule Weight for this correlation.
Select Finish to save the rule.

UI Descriptions

General tab

The General tab is located in the Create New and Edit Repetition Rule wizards.

User interface elements are described below:

UI Element	Description
Display Name	Display name of the repetition rule.
Description	Brief description of the repetition rule.
Active	Select to make the repetition rule active on rule creation.

Condition tab

The Condition tab is located in the Create New and Edit Repetition Rule wizards.

User interface elements are described below (unlabeled elements are shown in angle brackets):

UI Element	Description
	New correlation attribute Opens the Attributes menu from which you can specify attributes that must be included in events and have equal values to be considered as matching events. The available attributes are grouped as follows: General Additional Attributes Custom Attributes
	Delete Item Deletes the selected attribute from the attributes list.
Event Filter	The selected filter determines which events to consider for the repetition rule. If no appropriate filter is already configured, click the Browse (...) button, which opens the Manage Event Filters side panel. Create a filter or edit an existing one. For information about filters, see Event Filters.
Hold back events ...	Select Hold back events until events fall out of time window, if you want to keep the events selected by the filter from being displayed in the event browser during the time period specified by the rule.
Correlation	Attributes that must be included in events and have identical values for the events to be considered as matching: Click the New correlation attribute button and select the type of attribute, for example General and select an attribute from the drop-down list. Repeat for additional attributes.
Repetitions	The number of matching events that need to be received for the rule to be executed.
Treat duplicates ...	Select Treat duplicates as repetitions, if you want the number of matching events to include every duplicate as a single event.
Time Window	The time period within which matching events must occur for the rule to be executed. OMi calculates the time period based on the event's creation time.
Execution	Specify when actions should be executed (either the first time or every time the condition is fulfilled) and how to handle subsequent events (remaining or sliding time window).

Actions Tab

The Actions tab is located in the Create New and Edit Repetition Rule wizards.

User interface elements are described below:

UI Element	Description
	*Modify Events Selected by <filter name>:* Specifies how events selected by the rule should be handled: Select first to keep the first event or select last to keep the last event as a reference. Select from the drop-down list: Close All Events - Close all events matching this rule. Release Reference Event, Close All Others - Close all events except for the reference event and release the reference event for further processing. Select first to keep the first event or select last to keep the last event. Release First Event, Close All Others - Close all events except for the least recent event. Release the least recent event for further processing. Release All Events - Release all events for further processing. Discard, if possible completely removes the events selected by the combination rule. This is only possible if the event is still on hold and has not yet been stored in the database. Note Whether an event is on hold depends on all SBEC rules that the event matches.
	*Modify event attributes of non-closed events Selected by <filter name>:* Select Edit attributes if you want to modify any attributes of selected events before they are released. Edit attributes: Opens the Event Attributes dialog box from which you can specify the attributes and values of events. For details, see Create Event and Modify Event dialog boxes.
	Create a new event: Specifies that a new event is created on matching of the repetition rule. Select Edit attributes to specify the attributes of the automatically-generated event.
The created event is a cause ...	Select the Events selected by <filter name> check box if the generated event is to be the cause event for the selected repeated events.
Rule Weight	Select from a drop-down list a rule weight for this correlation.

Create Event and Modify Event dialog boxes

The Create Event dialog box is accessed from the Actions tab of the Create New and Edit Repetition Rule wizards. It is used to specify the new event to be generated and sent to the Event Browser or specify the changes to be made to an existing event when the Repetition Rule is matched.

User interface elements are described below:

UI Element	Description
General Info	Specifies the basic attributes of the event to be created or changed. Select from the available menus or enter text as appropriate.
Additional Info	Specifies the additional attributes of the event to be created or changed. Select from the available menus or enter text as appropriate. Note The Log Only option sets the lifecycle state of the event to Closed. To view closed events, see Viewing Closed Events.
Custom Attributes	Specifies the Custom Attributes and their values attributes of the event to be created or changed. Click the New Custom Attribute button and select the Custom Attribute to be included in the event. Add the value of the selected Custom Attribute.

UI Element

Description

General Info

Specifies the basic attributes of the event to be created or changed.

Select from the available menus or enter text as appropriate.

Additional Info

Specifies the additional attributes of the event to be created or changed.

Select from the available menus or enter text as appropriate.

Note The Log Only option sets the lifecycle state of the event to Closed. To view closed events, see Viewing Closed Events.

Custom Attributes

Specifies the Custom Attributes and their values attributes of the event to be created or changed.

Click the New Custom Attribute button and select the Custom Attribute to be included in the event.
Add the value of the selected Custom Attribute.

Send Help Center feedback