Hi,
Wondering if any SEC users may have run into a similar need with successful
results.
Just a little background...
I have HP OpenView NNMi8 running as a network monitoring application and it
seems that HP never fails to disappoint in terms of the product's correlation
abilities. So, once again, I am turning to SEC to provide what the commercial
product lacks.
I would like to process paired events (node down/node up) in the following
manner:
- Beginning with the first occurrence of a "node down" event, create a
context used to collect this and all subsequent node down events within a
predetermined time interval.
- Correlate the "node up" events to eliminate the corresponding down
events within the context (Pair rule?).
- At some point in time, the context expires and reports the contents
to a script which opens a trouble ticket in our ARS system (The idea is to
group similar events occurring in a relatively short time interval into a
single notification instead of reporting each event in its own notification or
trouble ticket).
- For what remains in the context at the time of reporting, continue
correlating "node up" events until all are determined to be up. When all are
determined to be up, a script would execute to close the trouble ticket or send
an "all clear" notification.
The issue I am running into is keeping state maintained as the initial "node
down" context expires to allow the continuation of the "node up" correlation
for any remaining down events. Also, it is possible that upon expiration, the
context will be empty which would require some type of sanity checking at the
point in the rule where expiration occurs.
Has anyone implemented anything similar to this? Maybe using different rule
logic? I would very much appreciate any feedback.
Thank you,
Art Smolecki
State of Minnesota
Office of Enterprise Technology
Network Technical Services
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
