Versions Compared

Old Version 13

changes.mady.by.user Alexander Zangerl

Saved on

compared with

New Version 14

changes.mady.by.user Alexander Zangerl

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: cleaned up references to 2.2.0a pre-release

...

  • an event name, which specifies the name of the newly created event,
  • a list of events (more precisely, their names), which are the events to consider for correlation,
  • a (minimum) count of events that have to be detected to trigger the rule,
  • an optional list of groupby clauses, which define whether the count is interpreted globally for all named events, or separately within smaller groups,
  • optional delayedaction and autoacknowledge clauses, which define how the triggering events should be handled,
  • an optional enrich clause, which adjusts the content of the newly created event,
  • from version 2.2 .0a onwards, optional copy_firstcopy_lastcopy_highest and copy_groupby clauses which further control the contents of the newly created event,
  • from version 2.2 onwards, an optional inhibit parameter, which disables correlation temporarily after a rule has fired,
  • and finally a window parameter, which defines the time window to examine.

...

In version 2.2 this limitation has been removed, and much more precise control of the event content is possible.

Content Control Directives (Version 2.2

...

and newer)

When a synthesis rule creates a new event, the following steps are performed:

...

Code Block
'1' => {
   name => "Very Sick Node",
   events => [ "Node Down", "SNMP Down", "Interface Down", "Service Down",
               "Service Degraded", "Interface Flap", "Node Flap", "WMI Down" ],
   window => 120,
   count => 3,
   groupby => [ 'node.name' ], # we want separate events for each node of course
   enrich => { stateful => "Very Sick Node", priority => 5, state => 'down', element => undef }, # new event is stateful only if stateful is set or copied by name
   copy_last => [ qr//, 'node' ], # can set from node here (all events share it)
   copy_groupby => [ 'node' ], # or from here; must set it explicitely somewhere, or the event goes to opevents_correlation_node
},

Stateful Synthetic Events (Version 2.2

...

and newer)

By default, synthetic events are not stateful events, i.e. they are not subject to deduplication and they cannot be acknowledged (or 'closed') by any future 'opposite' event.

...