We are setting up an alert on a Windows system event but need to know how to clear it. The alert will be keyed off an event ID of 5 while the clear will be off of 4. Both will have the same source ID.
We're running 8.2.
You'll need to set up two profiles, one for each event. Make sure that the "event" tab in each profile matches the corresponding event. In the "alarm" tab, tick the box to use a custom suppression key, and then enter the same suppression key for both profiles. Try to make the suppression key unique enough that it doesn't match any other profile's suppression key on the same box. For event ID 5 change the severity as you like, but for event ID 4 make it "clear". This should be enough for automatic clearing of alarms. The profiles need to be on the same machine; you can't do it this way from different machines firing the events.
I tried your solution and it still didn't clear the existing alerts. When I look at the alert history I see that all but the original have been suppressed.
What have I done wrong?
Are you sure the alarms you see in the alarm console have the suppression key you configured, i.e. that those alarms were generated after you reconfigured the probe?
Chances are that these alarms were raised before you had set the custom suppression key, hence were not cleared with the other alerts.
Yes, they were configured after the suppression key.
I agree, I'd check the suppression key too. Incidentally, the key you set is used in UIM for NULL in some cases, if I remember correctly... could be something slightly different. I guess that might cause trouble too.
Sometimes you need to step away...
I found an error in the original event code as to why it wasn't clearing.
I know, old post, right... Can you share what that error was? Just curious; in case I run into the same issue, I'll at least be conscious of it.
After 2 years? I'm so old that I probably couldn't remember it the next day!