On 9/23/2013 12:35 AM, Damir Markovic wrote:
> For the past few days, I am trying to figure out how to do the
> following thing:
> I have SingleWithThreshold rule that sends message if I receive
> particular error 5 times in 60 minutes. After that, errors are ignored
> for the rest of the time. I would like to reset that if some other
> action happens.
>
> For example, someone runs script to fix the issue and I want the rule
> to be active again, counting 5 errors and notifying about them.
>
> Is this even possible?
>
Yes, see the 'reset' action:
reset [<offset>] [<string>]
Terminate event correlation operation(s) with the
operation description string <string>. Note that the reset action works
only for operations started from the same configura-
tion file. The <offset> parameter is used to refer to a
specific rule in the configuration file. If <offset> is given, the
operation started by the given rule is terminated
(if it exists). If <offset> is an unsigned integer N, it
refers to the N-th rule in the configuration file. If <offset> is 0, it
refers to the current rule. If <offset>
begins with the plus (+) or minus (-) sign, it specifies
an offset from the current rule (e.g., -1 denotes the previous and +1
the next rule). If <offset> is not given, SEC
checks for each rule from the current configuration file
if an operation with <string> has been started by this rule, and the
operation is terminated if it exists. Default
value for <string> is %s. For additional information, see
EVENT CORRELATION OPERATIONS section.
So, if your SingleWithThreshold desc parameter is 'Saw 5 events in the
last 60 minutes' (contrived), then 'action=reset "Saw 5 events in the
last 60 minutes"' should do the trick.
Regards,
Mark
--
Mark D. Nagel, CCIE #3177 <[email protected]>
Principal Consultant, Willing Minds LLC (http://www.willingminds.com)
cell: 949-279-5817, desk: 714-495-4001, fax: 714-646-8277
** For faster support response time, please
** email [email protected] or call 714-495-4000
------------------------------------------------------------------------------
LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack includes
Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/20/13.
http://pubads.g.doubleclick.net/gampad/clk?id=58041151&iu=/4140/ostg.clktrk
_______________________________________________
Simple-evcorr-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
