I think this request from a prospect is similar to what's in the following post but with a twist:
The twist being that the prospect wants to suppress alarms until they have reached 5 in one hour. The trigger for the timer to start ticking would be the first alert, but if there are no further alarms after an hour, that first alarm expires.
So - I'm thinking of using several pre-processing rules, then some AO intervals, but I'm still not sure it will get this where it needs to be, and even if it does, I'm wondering if there is a smoother way to do it (i.e. script). Below is a description of what needs to be accomplished from the prospect - any help would be appreciated.
We need to be able to suppress events until they have repetitively occurred after numerous times in a given time period (5 times in 1 hr or 20 times in 1 day, etc). In this test, the syslogd process will be stopped which should cause Nimsoft to alert however the alert will be immediately restarted which will clear the stopped alert. The process will be stopped and restarted again during a given time period. If this stopped/start problem repeats 5 times in a 1 hour time period, then another alert that would state something along the lines of “syslogd process flapping” would appear.
Important note about this is that a cleared alert would expire after 60 minutes and no longer considered relative to the 5 in 1 hour trending. In other words if the current trend count is 4 and the first alert occurred at 03:59 and the current time has passed 04:59, then the current trend count should be reduced to 3 since the first alert that occurred at 03:59. If however another alert occurs before 04:59, then the flapping alert would display.
Also, would like to suppress the process down alert until 60 seconds has expired if it has not cleared. If it clears in 60 seconds then the down alert would not display.
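
The logic the prospect describes (a sliding one-hour count of stop events plus a 60-second hold-down on the down alert), as an added example that is not part of the original post and does not use any Nimsoft API. The class and function names, the "syslogd process down" alarm text, the event tuples and the choice that an event exactly one hour old no longer counts are assumptions made for illustration.

```python
from collections import deque

class FlapDetector:
    """Counts 'down' events in a sliding window and holds back short outages."""
    def __init__(self, threshold=5, window=3600, hold_down=60):
        self.threshold, self.window, self.hold_down = threshold, window, hold_down
        self.downs = deque()   # timestamps of down events still inside the window
        self.pending = None    # time of a down event that has not cleared yet
        self.flapping = False

    def tick(self, now):
        """Advance the clock: expire old events, release an uncleared down alarm."""
        # Assumption: an event exactly `window` seconds old no longer counts.
        while self.downs and now - self.downs[0] >= self.window:
            self.downs.popleft()
        if len(self.downs) < self.threshold:
            self.flapping = False
        out = []
        if self.pending is not None and now - self.pending >= self.hold_down:
            out.append((self.pending + self.hold_down, "syslogd process down"))
            self.pending = None
        return out

    def event(self, ts, state):
        """Feed one 'down' or 'up' event; returns the alarms that become visible."""
        out = self.tick(ts)
        if state == "down":
            self.downs.append(ts)
            self.pending = ts
            if len(self.downs) >= self.threshold and not self.flapping:
                self.flapping = True
                out.append((ts, "syslogd process flapping"))
        else:  # "up" clears the held down alarm before it is ever shown
            self.pending = None
        return out

def replay(events, **kw):
    detector, alarms = FlapDetector(**kw), []
    for ts, state in events:
        alarms += detector.event(ts, state)
    return alarms

# Constructed sample: four stop/start cycles ten minutes apart, cleared after 10 s.
CYCLES = [(t + d, s) for t in (0, 600, 1200, 1800) for d, s in ((0, "down"), (10, "up"))]

if __name__ == "__main__":
    print(replay(CYCLES + [(3500, "down"), (3510, "up")]))  # fifth stop inside the hour
    print(replay(CYCLES + [(3700, "down"), (3710, "up")]))  # first stop has expired
    print(replay([(0, "down"), (90, "up")]))                # outage longer than 60 s
```

Timestamps are seconds from an arbitrary start; in a live system `tick` would be driven by a timer so the held down alarm appears at the 60-second mark rather than at the next event.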