What is meant by Correlation Rules in Event management?

sweetymiriyala
Giga Contributor

Can anyone please explain the use of correlation rules in event management with a real-time example?

Thanks in Advance,

sweety

1 ACCEPTED SOLUTION

The rule in my example is configured like this: [image]

 

The primary is basically the root cause, and the primary are the affected alerts. Another example: "Printer offline" is the primary, and "Print job failed" is secondary. The print job failed events are generated because of the printer offline (root cause).

Hope that answers your question.


3 REPLIES 3

Michael Skov2
Kilo Guru

Alert Correlation is a way to group alerts together based on criteria, with primary and secondary alerts. The purpose is to provide a better overview of the alerts. 

An example: A VMware host goes offline, which generates hundreds of messages about the VMs on the host:

[image]

Now I create an alert correlation based on Source (=VMware), Type (=Connection) and Resource (=Power). The next time this happens, they will be grouped into Primary and Secondary:

[image]

If you then enable Correlated Alerts in the upper right corner, they will collapse as a group:

[image]

I hope this answers your question with a real time example.
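The grouping described in the reply above, sketched in Python as an added example; it is not code from the thread or from the product. Splitting the criteria into a primary and a secondary filter, the `host` link field, the `VM` resource value and every sample alert are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Alert:
    number: str
    source: str
    type: str
    resource: str
    host: str                     # assumed field tying a VM alert to its host
    parent: Optional[str] = None  # number of the primary alert once grouped

def matches(alert, criteria):
    """True when every field named in the criteria has the required value."""
    return all(getattr(alert, f) == v for f, v in criteria.items())

def correlate(alerts, primary_criteria, secondary_criteria, link_field="host"):
    """Group alerts as {primary number: [secondary numbers]}.

    A secondary is attached only to a primary sharing link_field, so two
    hosts failing at once give two groups; unmatched alerts stay ungrouped.
    """
    primaries = {}
    for a in alerts:
        if matches(a, primary_criteria):
            primaries.setdefault(getattr(a, link_field), a)  # first one wins
    groups = {p.number: [] for p in primaries.values()}
    for a in alerts:
        root = primaries.get(getattr(a, link_field))
        if root and a is not root and matches(a, secondary_criteria):
            a.parent = root.number
            groups[root.number].append(a.number)
    return groups

# Constructed sample alerts (not taken from the thread's screenshots).
PRIMARY = {"source": "VMware", "type": "Connection", "resource": "Power"}
SECONDARY = {"source": "VMware", "type": "Connection", "resource": "VM"}
ALERTS = [
    Alert("Alert0001", "VMware", "Connection", "VM", "esx01"),
    Alert("Alert0002", "VMware", "Connection", "Power", "esx01"),
    Alert("Alert0003", "VMware", "Connection", "VM", "esx01"),
    Alert("Alert0004", "VMware", "Connection", "VM", "esx02"),  # no host alert
    Alert("Alert0005", "SCOM", "Disk", "C:", "esx01"),          # unrelated
]

if __name__ == "__main__":
    for primary, secondaries in correlate(ALERTS, PRIMARY, SECONDARY).items():
        print(primary, "<-", secondaries)
```

The VM alert on `esx02` and the unrelated disk alert stay ungrouped because no primary alert exists for them, which keeps a missing root cause visible instead of hiding it inside another group.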

Thank you Michael, but I have one doubt: how are these alerts categorized into primary and secondary alerts? What are these primary and secondary alerts?
