DX Unified Infrastructure Management

  • 1.  alert on consecutive events

    Posted Jan 31, 2012 08:25 AM

    Hi there,

     

    I've been trying to work out a way of doing this, but how does one configure a NAS profile to send an Email or SMS on three consecutive events?

     

    I've currently got a logmon profile with a watcher defined to match the expression /java.sql.(\w+)/. A variable (string) has been defined and a threshold has been set (<> SQLException). In addition, I have selected "Send clear alarm" and defined a unique suppression ID ($PROFILE.$WATCHER).

     

    Also, in the AO profile, I have marked clear and critical/major/minor so that any clearance is tied to the corresponding alert. I have also defined the number of events to be 3 (and only 3, as I want one Email or SMS to be triggered, not one per new event).

     

    When a SQLException occurs, the logmon probe generates an event, but there are no clearances when the expression is not matched. Also, if there are multiple occurrences of SQLException then the count is increased by the number of occurrences rather than by 1. Even if there are 3 instances of SQLException, I only want it to report 1. It doesn't appear that "Abort on match" will solve this little problem.

     

    Anyway, does anyone have an idea how to address this issue?

     

    Regards,

    Andrew S



  • 2.  Re: alert on consecutive events

    Posted Jan 31, 2012 06:43 PM

    You should be able to have the message (email or SMS) go out when the count reaches three. I think the "on arrival" mode for the AO profile would be the most appropriate. Other than that, the way you described your AO profile sounds about right.

     

    The "Abort on match" option in the logmon watcher tells the probe to stop checking the current line against any other watchers. It does not prevent other lines from being checked. I do not think there is a way to tell the logmon probe to batch a bunch of similar (but nonconsecutive) lines from a single run. It is designed to work line by line or group consecutive lines.

     

    I think you could achieve the desired result with some scripting in the NAS. If you have a script run when those alarms arrive, you could generate a new alarm and rate limit it by remembering the last time the new alarm was updated. Then three occurrences of the original alarm in quick succession would just trigger a single update to the new alarm. Doing this in the probe would be much simpler, but I cannot think of a way to do it there.
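
The rate-limiting idea from the reply above, modelled in plain Python as an added example (not code from either poster and not a NAS script; it calls no NAS or logmon API). All names are hypothetical, and the 300-second logmon interval, the 60-second burst window and the 450-second streak timeout are assumptions; the streak timeout goes beyond the reply by covering the case where no clear alarm ever arrives.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class RollupAlarm:
    """State of the hypothetical derived alarm, kept between arrivals."""
    count: int = 0                       # consecutive runs that matched
    last_update: Optional[float] = None  # time the derived alarm was last updated
    notified: bool = False               # one email/SMS per streak

def on_clear(state):
    """A clear (or a broken streak) resets the derived alarm."""
    state.count, state.last_update, state.notified = 0, None, False

def on_source_alarm(state, now, window=60.0, reset_after=450.0, threshold=3):
    """Handle one arrival of the original alarm; True means send the message."""
    if state.last_update is not None:
        gap = now - state.last_update
        if gap > reset_after:   # a whole run passed without a match
            on_clear(state)
        elif gap < window:      # same run: several matching lines count once
            return False
    state.last_update = now
    state.count += 1
    if state.count >= threshold and not state.notified:
        state.notified = True
        return True
    return False

def replay(events, **limits):
    """Feed (time, kind) pairs through the limiter; return notification times."""
    state, sent = RollupAlarm(), []
    for when, kind in events:
        if kind == "clear":
            on_clear(state)
        elif on_source_alarm(state, when, **limits):
            sent.append(when)
    return sent

# Constructed sample: three matches in one run, then one run every 300 s,
# a long quiet gap, an explicit clear, and a second streak of three runs.
SAMPLE_EVENTS = [
    (0, "alarm"), (1, "alarm"), (2, "alarm"), (300, "alarm"), (301, "alarm"),
    (600, "alarm"), (900, "alarm"), (2000, "alarm"), (2300, "alarm"),
    (2400, "clear"), (2600, "alarm"), (2900, "alarm"), (3200, "alarm"),
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```
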