Absent Member.

Is it possible to have a rule wait?

Let's say we have two different events received by ESM in the following order:

Event 1

Event 2

We need to fire on Event 1 if we do not see Event 2 within the next minute or so. Is there a way to accomplish this? Thank you for your thoughts.

16 Replies

Respected Contributor.

When you create 2 events in the rule, it will show a

>< Matching Event join at the top of the rule, indicating that both conditions must be met.

If you right-click on the Join, it will give you an option to set the time interval for the two events.

Respected Contributor.

Hello Jianjun,

You want to look at the "On time window expiration" in the action section of the rule. This will be used when you set up a join which is not fulfilled in the defined time.

Regards,

Richard

Absent Member.

Hi Dave, thank you for your reply. For joined events, Event 2 should be present as well in order to trigger it. But in my scenario, we want to trigger if Event 2 does not arrive.

Absent Member.

Hi Richard, thank you for your suggestion. I believe it will solve my problem. Cheers.

Absent Member.

Hi Richard,

I just tried the "On time window expiration"; it does work. However, it seems that the generated correlation event does not include the base events. Any ideas?

Thanks

Jianjun

Absent Member.

I had a similar situation.

My approach uses an active list.

On the arrival of Event 1, I add a row.

On the arrival of Event 2, I sanitize the row.

If the timeout of the active list kicks out the Event 1 row, then I have the situation.

My problem was a little bit more complex, since the time frame was too large for using just rule thresholds, and the arrival of Events 1 and 2 may permute.

Would that work for you?

Absent Member.

Hi Ludovico, thanks for your reply. How do you fire a rule on Active List entry expiration? I thought rules only fire on events. Are you saying Active List entry expiration will generate an event and the rule can capture that triggered event?

Absent Member.

There is an event generated when the active list entry expires.

Absent Member.

That is correct.

Check for events matching either one or both:

  • Device Event Class ID = activelist:104
  • Device Event Category = /ActiveList/Expire

Relevant fields:

  1. End Time
  2. File Name = <the name of your active list>
  3. File Path = <the path of your active list>
  4. Device Custom Date 1.Creation Time
  5. Device Custom Number1.Count = <the same value as the "count" column on your active list>
  6. Device Custom String 4.Entry Value = <this is the most important field, since it has everything that was on your Active List row>

You must be aware that you may need to parse the "Custom String 4" in order to get the fields that were on the row.

Each value has the delimiter "|".

My advice is to choose wisely what are the first columns on your Active List so you can ease this parsing.

Let me know if you have further doubts.

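The active-list approach from the two replies above (add a row on Event 1, delete it on Event 2, and treat the row's expiry as the alert condition) and the parsing of Device Custom String 4 into columns, as an added worked example. This is not code from this thread or from ArcSight: the in-memory list with a TTL sweep, the event tuples, the list name and path, and the column names are assumptions made for the example; the event identifiers, field names and the "|" delimiter are the ones listed in the reply above.

```python
from dataclasses import dataclass, field

TTL_SECONDS = 60  # Event 2 must arrive within "the next minute or so"

# Columns of the assumed active list.  The correlation key goes first so the
# "|"-joined Entry Value can be split back unambiguously even when the last
# column contains "|" itself; this is why the order of the first columns matters.
COLUMNS = ("host", "event1Name", "details")


@dataclass
class ActiveList:
    """Toy in-memory active list with a TTL (an assumption for this example)."""
    name: str
    path: str
    ttl: int
    rows: dict = field(default_factory=dict)  # key -> (values, created, count)

    def add(self, key, values, now):
        """Event 1: insert a row, or bump the Count column of an existing one."""
        if key in self.rows:
            values, created, count = self.rows[key]
            self.rows[key] = (values, created, count + 1)
        else:
            self.rows[key] = (values, now, 1)

    def remove(self, key):
        """Event 2 arrived in time: drop the pending row, so nothing fires."""
        self.rows.pop(key, None)

    def expire(self, now):
        """Drop rows older than ttl; return one expiry event per dropped row,
        shaped after the fields the reply above lists."""
        events = []
        for key, (values, created, count) in list(self.rows.items()):
            if now - created >= self.ttl:
                del self.rows[key]
                events.append({
                    "deviceEventClassId": "activelist:104",
                    "deviceEventCategory": "/ActiveList/Expire",
                    "endTime": now,
                    "fileName": self.name,
                    "filePath": self.path,
                    "deviceCustomDate1": created,             # Creation Time
                    "deviceCustomNumber1": count,             # Count
                    "deviceCustomString4": "|".join(values),  # Entry Value
                })
        return events


def is_expiry_event(ev):
    """Match on either identifier, as the reply suggests."""
    return (ev.get("deviceEventClassId") == "activelist:104"
            or ev.get("deviceEventCategory") == "/ActiveList/Expire")


def parse_entry_value(entry_value, columns=COLUMNS):
    """Split Device Custom String 4 back into named columns.  Only
    len(columns)-1 splits are made, so a "|" inside the last column survives;
    the earlier columns must not contain the delimiter."""
    parts = entry_value.split("|", len(columns) - 1)
    if len(parts) != len(columns):
        raise ValueError(f"expected {len(columns)} columns, got {len(parts)}: {entry_value!r}")
    return dict(zip(columns, parts))


def process(events, final_time, ttl=TTL_SECONDS):
    """Replay (time, name, host, details) tuples and return the parsed rows of
    every Event 1 whose Event 2 did not arrive within ttl seconds."""
    al = ActiveList("Pending Event 1", "/All Active Lists/Example", ttl)  # assumed names
    alerts = []

    def sweep(now):
        for ev in al.expire(now):
            if is_expiry_event(ev):
                alerts.append(parse_entry_value(ev["deviceCustomString4"]))

    for t, name, host, details in sorted(events):
        sweep(t)  # rows time out before the current event is applied
        if name == "Event 1":
            al.add(host, (host, name, details), t)
        elif name == "Event 2":
            al.remove(host)
    sweep(final_time)  # final sweep once the stream has ended
    return alerts


# Constructed sample stream: (seconds, event name, host, details).
SAMPLE_EVENTS = [
    (0, "Event 1", "srvA", "login from 10.0.0.5"),
    (30, "Event 2", "srvA", "mfa ok"),                         # in time: no alert
    (10, "Event 1", "srvB", "login from 10.0.0.9|via proxy"),  # never followed up
    (90, "Event 1", "srvC", "login from 10.0.0.7"),            # never followed up
]

if __name__ == "__main__":
    for row in process(SAMPLE_EVENTS, final_time=200):
        print("Event 2 never arrived for", row)
```

The caveat raised later in the thread still applies: what fires here is the expiry event, carrying only the row's values, not the original Event 1, so whatever you need for triage has to be in the columns you add to the list. Putting the key columns first keeps the split deterministic even if a free-text column picks up a "|".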
Absent Member.

Hi Ludovico, thank you for your detailed reply again. My problem is that by using this approach, it will not be triggered on the original Event 1. When we are processing events, our analysts need to attach the correlated event to a case. In a normal scenario, a correlated event along with the base events that triggered it are all attached to the case. However, in this scenario, the correlated event and the triggering event, which is actually the Active List entry expire event, will be attached to the case, not necessarily the original Event 1, and our analysts will have to go through a few hoops to get to the original event. This is the tricky part.

Absent Member.

Have you tried making Event 2 a negated alias? That seems like the more logical solution for your use case.
