Ryan Ferreri Honored Contributor.
Honored Contributor.
249 views

Simple correlation of process monitors

Jump to solution

What is the right way to auto-close a process monitor event when the process becomes available?

If I am monitoring a process and create an event when the process count is 0, but I want to close that event if during a future check the process count is >0, what's the recommended way to do this? I can see a couple ways this could be accomplished - a second rule in the same process monitoring policy that uses the event key field to close the previous event comes to mind... Is this the preferred way to do this or is there something even simpler I can do?

0 Likes
1 Solution

Accepted Solutions
Micro Focus Expert
Micro Focus Expert

Re: Simple correlation of process monitors

Jump to solution

I would suggest that you base your policy on something similar to one of the examples we provide out-of-the-box.  Eg, the Sys_LinuxSendmailProcessMonitor policy that is part of the Infrastructure Management Pack.

It shows a Start action and an End action (in the Defaults tab).  Ie, when num of processes does not match your requirement, then it triggers the Start action.  When the num of processes matches again, it triggers the End action.
In the Start and End actions, you can configure event attributes to cause each event to be able to close the other so your event browser shows only the latest event:

1. In the Event Correlation tab, set "Event Key" and "Close Events with Key".  This works as follows:
when an event comes into OMi that has the close key set, it looks for any non-closed events that have a key to which the close key pattern matches, and closes those events.

2. In the Event Attributes tab, set the ETI (hint).  In the example Sys_LinuxSendmailProcessMonitor policy you see this set in the Custom Attributes tab via the EventTypeIndicator CA name.  I would recommend you use the ETI field instead for readability as a policy admin and as a reminder that the ETI depends on the Related CI of the event (since both are connected together by CI Type).  Note that for this option to work (ie events that close each other based on different values for the same ETI), the ETI MUST be defined as a Health Indicator in OMi.

One final point: in the End Action tab's Event Attributes tab, you can tick the box "Send with closed status".  This will cause the 'good' event to be automatically closed so the operator doesn't have to do that.  It still performs its other function of closing any existing open related event.

CP.

View solution in original post

3 Replies
Highlighted
Respected Contributor.. ashok411 Respected Contributor..
Respected Contributor..

Re: Simple correlation of process monitors

Jump to solution

Hi Ryan,

I am also facing the same issue, i created one process monitor and generating critical event when process count is < 1 and in the same rule i specied end actions to send normal event once the process count is >=1 but the critical is still in the open state..

As you mentioned a way to close the event using second rule for the same process, can you help on how to create a second rule to close the previous critical alert by sending a normal alert.

it would be helpful if you can attach some screenshots..

 

Regards,

Ashok

Micro Focus Expert
Micro Focus Expert

Re: Simple correlation of process monitors

Jump to solution

I would suggest that you base your policy on something similar to one of the examples we provide out-of-the-box.  Eg, the Sys_LinuxSendmailProcessMonitor policy that is part of the Infrastructure Management Pack.

It shows a Start action and an End action (in the Defaults tab).  Ie, when num of processes does not match your requirement, then it triggers the Start action.  When the num of processes matches again, it triggers the End action.
In the Start and End actions, you can configure event attributes to cause each event to be able to close the other so your event browser shows only the latest event:

1. In the Event Correlation tab, set "Event Key" and "Close Events with Key".  This works as follows:
when an event comes into OMi that has the close key set, it looks for any non-closed events that have a key to which the close key pattern matches, and closes those events.

2. In the Event Attributes tab, set the ETI (hint).  In the example Sys_LinuxSendmailProcessMonitor policy you see this set in the Custom Attributes tab via the EventTypeIndicator CA name.  I would recommend you use the ETI field instead for readability as a policy admin and as a reminder that the ETI depends on the Related CI of the event (since both are connected together by CI Type).  Note that for this option to work (ie events that close each other based on different values for the same ETI), the ETI MUST be defined as a Health Indicator in OMi.

One final point: in the End Action tab's Event Attributes tab, you can tick the box "Send with closed status".  This will cause the 'good' event to be automatically closed so the operator doesn't have to do that.  It still performs its other function of closing any existing open related event.

CP.

View solution in original post

Respected Contributor.. ashok411 Respected Contributor..
Respected Contributor..

Re: Simple correlation of process monitors

Jump to solution

Hi Carol,

Thanks for your reply, it worked after doing the modifications as you suggested.

Regards,

Ashok

 

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.