Respected Contributor.

Rule or Data Monitor

We want to monitor events that are coming from a specific asset on our network. If the event count for that asset increases an abnormal amount, we want to be alerted. What is the most efficient way to develop this... Data Monitor or Rule? Thank You!

2 Replies
Absent Member.

I would say a data monitor is the most effective means. It is a primary function of a DM, and should be easiest to configure and tune.

Damian

Absent Member.

You would actually use both.

First you would set up a Moving Average Data Monitor to watch the event flow from the particular asset. You would tell it how often to sample and it will maintain a moving average of how many events are in the flow. You also configure it with a threshold percent. If the new sample is + or - the threshold percent above or below the moving average, then the data monitor will fire a correlated event. You can then use a rule or two to fire any time the event rate moves too far above or below the average event rate for that asset.

You can also use this logic to monitor numerous different assets at once, as the data monitor will watch them all at the same time and you do not need to set up 10 data monitors to watch 10 assets, just the one.

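The moving-average logic described in the reply above, sketched as an added example that is not part of the original thread and is not ArcSight's implementation. The asset names, sample counts, window size and warm-up length are constructed assumptions.

```python
from collections import defaultdict, deque


class MovingAverageMonitor:
    """One monitor tracking a separate moving average per asset."""

    def __init__(self, window=4, threshold_pct=50.0, min_samples=3):
        self.threshold_pct = threshold_pct
        self.min_samples = min_samples  # warm-up: no alerts until this many samples
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, asset, count):
        """Compare one sample with the asset's average; return an alert dict or None."""
        hist = self.history[asset]
        alert = None
        if len(hist) >= self.min_samples:
            avg = sum(hist) / len(hist)
            if avg > 0:
                deviation = (count - avg) / avg * 100.0
            else:
                # A silent asset that starts sending is an unbounded increase.
                deviation = 0.0 if count == 0 else float("inf")
            if abs(deviation) > self.threshold_pct:
                alert = {"asset": asset, "count": count,
                         "average": avg, "deviation_pct": deviation}
        # The sample joins the window even when it alerted, so a sustained
        # shift in rate becomes the new baseline after a few intervals.
        hist.append(count)
        return alert


def detect(samples, **settings):
    """Feed (asset, count) samples through one monitor and collect alerts."""
    monitor = MovingAverageMonitor(**settings)
    return [a for asset, count in samples if (a := monitor.observe(asset, count))]


# Constructed per-interval event counts for two hypothetical assets.
FW01 = [100, 110, 90, 105, 400, 100]   # spike in interval 5
DB02 = [20, 22, 18, 21, 19, 2]         # drop in interval 6
SAMPLES = [pair for f, d in zip(FW01, DB02) for pair in (("fw01", f), ("db02", d))]

if __name__ == "__main__":
    for a in detect(SAMPLES, window=4, threshold_pct=50.0, min_samples=3):
        print(f"{a['asset']}: count={a['count']} avg={a['average']:.1f} "
              f"deviation={a['deviation_pct']:+.1f}%")
```

Each returned alert stands in for the correlated event that a rule would then match on. Note that the spike on `fw01` raises its average, but the next normal sample stays inside the 50% band and does not alert.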