Event Correlation: Missing Recurrence Rule

Hello Support,

I have created a "Missing Recurrence Rule" which creates a new event if there is no event (matching filter criteria) in 1 minute. In general these events come every 10 seconds. The correlation rule works as expected, but the problem I see is that every minute the previous event (including dup count) will be acknowledged.

Please note that all the event attributes are the same.

Could someone explain why the event will be acknowledged? How can this behaviour be changed?

-KAKA-

  • Hello KAKA,

    Can you upload a few screens showing the rule configuration, describing what you see and what you expect? Did you select in the condition tab to close the events? Can you show the history tab of the closed event? Maybe it is closed by the pairwise correlation.

    Regards,

    Rosen

  • Hi Rosen,

    Attached you will find the screenshots.

    An external source sends opcmsg every 10 seconds and the message appears on the stated CI and will be duplicated, which is quite normal behaviour.

    With this rule I want a new event to be created only when the above defined message did not arrive in the last 1 minute.

    During my test I found that the message will be acknowledged after the 6 dup count, or I can say in 1 minute, whereas the external source is sending the message every 10 seconds without any failure.

    I thought about pairwise correlation, but if no new event is created by this rule, why should pairwise correlation take place?

    -KAKA-

  • Hi KAKA,

    Thanks for the data about the rule itself. Can you please attach similar screens from one of the events that you see unexpectedly closed? All the tabs of the events would be helpful and especially the history tab with expanded entries there.

    Regards,

    Rosen

  • Hi Rosen,

    I checked the History tab and found the information below.

    I checked the DB for the event 'd4b5<*>' and from the text of this event it looks like the new event, the result of the correlation rule, but a new event should not have been generated as the external source is sending the opcmsg every 10 seconds and I am able to see the dup count increase.

    Is it possible that this correlation does not consider a duplicate as a new event and it creates a new event every 1 minute which acks the message?

    -KAKA-

  • Hi KAKA,

    As you see, the event was closed by the pairwise correlation. What you assume is very likely. What is the OMi version used, by the way? In the end, when a duplicate comes it is just updating the original event but it is not a new event.

    Check what value you have in Infra for the setting “Change state of events having the same key”. If it is true, you may try to stop it so that the pairwise correlation will allow the duplication to duplicate the events instead of the correlation closing it. Do you use the option “Detected Related Events by Key Matching Pattern”? Because what I said above is valid only if you use correlation based on key.

    Maybe you can check whether this changes the behavior.

    Regards,
    Rosen

  • Hi Rosen,

    Thanks for your response. I have already played around with the Infra configuration you mentioned. Pairwise correlation is also fine, as a new event created by correlation should acknowledge the old events and vice versa.

    I think the problem here is that correlation does not treat duplication as a new event, whereas it should in this scenario, as the idea is to check the health of an application/program/system by sending such a health alarm on a regular basis and report in case those health alarms did not arrive within the specified time, but at the same time we cannot show those 1000 alarms in the console.

    Could you suggest something else?

    -KAKA-

  • Hi KAKA,

    Maybe using TBEA to modify the events after some time so they will not be treated as duplicates may have some logic, but this needs to be tested and I am not sure it is applicable.

    Regards,

    Rosen

  • Hi Rosen,

    Generating new events each time opcmsg runs is not a problem for me. I can do it without using TBEA, but creating 8640 events per day (every 10 seconds) per such monitor seems dirty to me.

    Is it not possible to enhance the correlation logic? Logically, a duplicate on the original event tells us that there is a regular update coming from the system, and this is what we want to check using such a correlation rule.

    -KAKA-
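
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not OMi code: a simplified Python model of a missing-recurrence timer in which duplicates either are or are not counted as recurrences. The class, the `count_duplicates` switch and the sample timelines are hypothetical and constructed for illustration; the model assumes, as the thread reports, that the generated event closes the original one.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MissingRecurrenceModel:
    window: int                  # seconds allowed without a recurrence
    count_duplicates: bool       # hypothetical switch, not a product setting
    last_seen: Optional[int] = None
    is_open: bool = False        # True while an event with this key is open
    dup_count: int = 0
    alerts: List[Tuple[int, int]] = field(default_factory=list)

    def expire(self, now: int) -> None:
        """Fire the rule if the deadline passed before `now`."""
        if self.is_open and now > self.last_seen + self.window:
            # Record (deadline, duplicates folded into the original event).
            self.alerts.append((self.last_seen + self.window, self.dup_count))
            self.is_open = False  # generated event closes the original

    def on_message(self, t: int) -> None:
        self.expire(t)
        if not self.is_open:
            # No open event with this key: this message is a new event.
            self.is_open, self.dup_count, self.last_seen = True, 0, t
        else:
            # Same key as the open event: only the duplicate counter moves.
            self.dup_count += 1
            if self.count_duplicates:
                self.last_seen = t  # duplicate also resets the timer


def simulate(times, window, count_duplicates, until):
    """Feed message timestamps to the model and return the alerts raised."""
    model = MissingRecurrenceModel(window, count_duplicates)
    for t in times:
        model.on_message(t)
    model.expire(until)
    return model.alerts


# Constructed timelines: one heartbeat every 10 s for 5 minutes.
STEADY = list(range(0, 301, 10))
WITH_GAP = [t for t in STEADY if not 100 < t < 200]  # source silent 110-190 s

if __name__ == "__main__":
    print("duplicates ignored:", simulate(STEADY, 60, False, 300))
    print("duplicates counted:", simulate(STEADY, 60, True, 300))
    print("real outage       :", simulate(WITH_GAP, 60, True, 300))
```

With duplicates ignored, the healthy 10-second stream still trips the rule once per window after six duplicates; with duplicates counted, only the real gap raises an alert.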