Root Cause Set Filter

Definition

Description

If an event matches Condition, then for each unique FieldName value, identify the highest condition in the root cause ConditionList chain matched during TimeInterval and perform ActionList. If the highest condition is matched, do Not alert immediately.

Comments

If FieldName is missing, invalid, or empty, then the empty string ("") is assumed as its value.

An empty or missing ConditionList will disable the filter.

A root cause condition list chain consists of a sequence of conditions,
such as condition1->condition2->condition3,
where condition1 is the root cause of condition2 or condition3,
and condition2 is the root cause of condition3.

The ConditionList lists the most primary root cause condition, in this case condition1, at the top.

If immediate alerting is turned on, then the highest condition causes the action to be taken immediately, and the TimeInterval is reset for that unique value.

If immediate alerting is turned off, then the action will be taken at the end of the TimeInterval if one or more conditions are matched.

The following fields will show the root cause chain satisfied by the event stream:

  ev:rootcause.primary="CONDITION-3" shows the highest condition matched during the time interval, in this example condition3.

  ev:rootcause.chain="CONDITION-3,CONDITION-6,CONDITION-10" shows that conditions 3, 6, and 10 have been matched during the time interval.

  ev:rootcause.unique contains the value of the unique field name.

Once a condition has been met, it is no longer checked for future events.

Conditions are checked in order, highest first.

Once an event matches one condition, no additional conditions are matched for that event.

Example

<filter objectId="rootCause" type="RootCauseSetFilter">
	<parameter autoSetDescription="false" comments="Add comments for Condition..." description="ev:app != app" type="Condition">
		<negatePrimaryCondition>false</negatePrimaryCondition>
		<conditionRelation>All</conditionRelation>
		<conditionSpec>
			<negate>false</negate>
			<fieldName>ev:app</fieldName>
			<operator>neq</operator>
			<valueType>string</valueType>
			<value>app</value>
		</conditionSpec>
	</parameter>
	<parameter type="FieldName">ev:host</parameter>
	<parameter autoSetDescription="true" comments="Add comments for ConditionList..." description="Condition 1: app1Condition 2: app2Condition 3: app3" type="ConditionList">
		<condition autoSetDescription="" comments="" description="app1">
			<negatePrimaryCondition>false</negatePrimaryCondition>
			<conditionRelation>All</conditionRelation>
			<conditionSpec>
				<negate>false</negate>
				<fieldName>ev:app</fieldName>
				<operator>eq</operator>
				<valueType>string</valueType>
				<value>app1</value>
			</conditionSpec>
		</condition>
		<condition autoSetDescription="" comments="" description="app2">
			<negatePrimaryCondition>false</negatePrimaryCondition>
			<conditionRelation>All</conditionRelation>
			<conditionSpec>
				<negate>false</negate>
				<fieldName>ev:app</fieldName>
				<operator>eq</operator>
				<valueType>string</valueType>
				<value>app2</value>
			</conditionSpec>
		</condition>
		<condition autoSetDescription="false" comments="" description="app3">
			<negatePrimaryCondition>false</negatePrimaryCondition>
			<conditionRelation>All</conditionRelation>
			<conditionSpec>
				<negate>false</negate>
				<fieldName>ev:app</fieldName>
				<operator>eq</operator>
				<valueType>string</valueType>
				<value>app3</value>
			</conditionSpec>
		</condition>
	</parameter>
	<parameter type="TimeInterval">
		<time>5</time>
		<units>sec</units>
	</parameter>
	<parameter autoSetDescription="true" comments="Add comments for ActionList..." description="Action 1: " type="ActionList">
		<action autoSetDescription="false" comments="" description="" type="NewEvent">
			<halPolicy>useCurrent</halPolicy>
			<destinationSpec>
				<type>insertIntoStream</type>
			</destinationSpec>
			<setEventFieldList>
				<setEventField autoSetDescription="true" comments="" description="RootCause message" fieldName="ev:msg">
					<type>String</type>
					<formatString>RootCause message</formatString>
				</setEventField>
			</setEventFieldList>
		</action>
	</parameter>
	<parameter type="Not"/>
</filter>
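The following Python model is an added illustration, not the product's own code: it replays a constructed event stream through the rules in the Comments section, using the values from the example filter above (ev:app, ev:host, app1/app2/app3, 5 seconds), so the resulting ev:rootcause.* fields can be inspected with immediate alerting off and on. Assumptions: the interval for a unique value starts at its first event that passes Condition, "reset" discards that value's matched state, and the `immediate` argument stands in for the immediate alerting setting.

```python
# Values from the example filter above; list order is highest (root cause) first.
CONDITIONS = ["app1", "app2", "app3"]  # ConditionList: ev:app eq app1 / app2 / app3
INTERVAL = 5.0                         # TimeInterval in seconds
UNIQUE_FIELD = "ev:host"               # FieldName

def summarize(unique, matched):
    """Build the ev:rootcause.* fields from the matched condition indexes."""
    chain = [f"CONDITION-{i + 1}" for i in sorted(matched)]
    return {"ev:rootcause.primary": chain[0],
            "ev:rootcause.chain": ",".join(chain),
            "ev:rootcause.unique": unique}

def run_filter(events, immediate=False):
    """events: time-ordered (timestamp, event dict) pairs. Returns emitted alerts."""
    windows, alerts = {}, []   # unique value -> (interval start, matched indexes)

    def flush(now):            # act on every window whose TimeInterval has elapsed
        for key in [k for k, (start, _) in windows.items() if now - start >= INTERVAL]:
            _, matched = windows.pop(key)
            if matched:
                alerts.append(summarize(key, matched))

    for ts, ev in events:
        flush(ts)
        if ev.get("ev:app") == "app":            # fails Condition (ev:app neq app)
            continue
        key = ev.get(UNIQUE_FIELD) or ""         # missing or empty FieldName -> ""
        _, matched = windows.setdefault(key, (ts, set()))  # assumed interval start
        for i, value in enumerate(CONDITIONS):   # checked highest first
            if i not in matched and ev.get("ev:app") == value:
                matched.add(i)                   # met once, then never re-checked
                break                            # one condition per event
        if immediate and 0 in matched:           # highest condition: act now, reset
            windows.pop(key)
            alerts.append(summarize(key, matched))
    flush(float("inf"))                          # end of stream closes open windows
    return alerts

# Constructed sample stream (not from the original page).
SAMPLE = [
    (0.0, {"ev:host": "web01", "ev:app": "app3"}),
    (1.0, {"ev:host": "web01", "ev:app": "app2"}),
    (1.5, {"ev:host": "db01", "ev:app": "app3"}),
    (2.0, {"ev:host": "web01", "ev:app": "app1"}),
    (3.0, {"ev:host": "web01", "ev:app": "app"}),
    (4.0, {"ev:host": "web01", "ev:app": "app3"}),
    (9.0, {"ev:app": "app2"}),
]
```

With immediate alerting off, web01 yields one alert whose chain lists all three conditions. With it on, the app1 match alerts at once and the later app3 event opens a new interval for web01, producing a second, lower-priority alert.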