New Ranks & Badges For The Community!
Notice something different? The ranks and associated badges have gone "Star Fleet". See what they all mean HERE
Highlighted
Absent Member.
Absent Member.
874 views

Matching/Join Rule outcome?

Jump to solution

Looking for help in matching (or join) rule execution.

UseCase:

Match a rule condition against a set of base events if exists in past 2 minutes, upon successful match fire an event with all the correlated events attached in a correlation event.

Example:

Matching Event

      AND

           Event1.Target Address=Event2.Target Address

           Event1.Device Custom String2=Event2.Device Custom String2


Event1

      AND

           MatchesFilter<>


Event2 (Matching within 2m)

      AND

           MatchesFilter<>

Rule is working but the problem is it fires for each match, i.e. if I have a base event (A) matching 2 different base events (B/C) then what I get is 3 correlation event i.e.

  1. One for its own match
    1. A
  2. One for its own match and other base event
    1. AB
  3. One for its own match and the other base event
    1. AC

What I want is it should fire one correlation event for all 3 base events like a correlation event having ABC events under it. I have tried aggregation with some combinations but that didn't help.

0 Likes
1 Solution

Accepted Solutions
Highlighted
Absent Member.
Absent Member.

Hi Balahasan,

I was able to achieve what I was looking for by playing with Aggregation and time withing options under global/alias's within rule condition.

The only acceptable drawback is the rule is fired after a minute from MRT. I have used "One time Window Expiration - Cumulative Rule Chain Is On" to achieve it.

Thanks for spending time in understanding and inquiring  further on the problem.

Thanks

Prashant

View solution in original post

0 Likes
2 Replies
Highlighted
Fleet Admiral
Fleet Admiral

Hi Prashant,

What condition you are using in the rule and what is specified in the Rule Actions and aggregation.

0 Likes
Highlighted
Absent Member.
Absent Member.

Hi Balahasan,

I was able to achieve what I was looking for by playing with Aggregation and time withing options under global/alias's within rule condition.

The only acceptable drawback is the rule is fired after a minute from MRT. I have used "One time Window Expiration - Cumulative Rule Chain Is On" to achieve it.

Thanks for spending time in understanding and inquiring  further on the problem.

Thanks

Prashant

View solution in original post

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.