I am monitoring a log where each line can indicate a status. For brevity, I'll call them "OK", "A", "B" or "C".
A, B and C are error statuses; OK indicates that no errors are present anymore.
I created a log monitoring item and the corresponding trigger that tags the events with their status label.
I need to create global correlation rules that avoid creating a new error event if the same error type is already active.
I ended up creating three separate rules that close the new event, as follows:
Rule 1:
A1 Value of old event tag Status equals A
AND
B1 Value of new event tag Status equals A
Rule 2:
A2 Value of old event tag Status equals B
AND
B2 Value of new event tag Status equals B
Rule 3:
A3 Value of old event tag Status equals C
AND
B3 Value of new event tag Status equals C
But I am under the impression that there must be a more elegant way to obtain the same result, possibly using only one rule.
Something like
(A1 and B1) or (A2 and B2) or (A3 and B3)
would work, but apparently there is no way to create a rule like that.
Any hints?
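An added worked example, not part of the original post: a small Python model of the three rules above next to a single rule that compares the old event's Status tag value with the new event's directly (in Zabbix terms that would be an "event tag pair" condition on Status/Status, which you should verify exists in your Zabbix version). The model checks every (old, new) status pair and shows that the only place the single rule diverges from rules 1-3 is an OK event correlated against an OK event, which a second condition "new event tag value Status does not equal OK" removes. The replay treats an OK event as recovery that clears the active set; that is an assumption about the trigger, and the sample stream is constructed.

```python
# Added example, not code from the original post.
# Models the correlation decision "close the new event?" for the three
# per-status rules versus a single old-Status == new-Status rule.
from itertools import product

STATUSES = ("OK", "A", "B", "C")
ERROR_STATUSES = ("A", "B", "C")


def three_rules_close_new(old_status: str, new_status: str) -> bool:
    """Rules 1-3 from the post: one rule per error status, each requiring
    old tag Status == X AND new tag Status == X."""
    return any(old_status == s and new_status == s for s in ERROR_STATUSES)


def tag_pair_unguarded(old_status: str, new_status: str) -> bool:
    """Single rule: only 'old Status equals new Status' (tag-pair style)."""
    return old_status == new_status


def tag_pair_guarded(old_status: str, new_status: str) -> bool:
    """Single rule plus 'new event tag value Status does not equal OK'."""
    return old_status == new_status and new_status != "OK"


def divergences(candidate) -> set:
    """Return the (old, new) status pairs where `candidate` decides
    differently from rules 1-3, checked over the whole status space."""
    return {
        (old, new)
        for old, new in product(STATUSES, repeat=2)
        if candidate(old, new) != three_rules_close_new(old, new)
    }


def replay(status_stream, rule):
    """Replay a stream of event statuses through `rule`.

    Returns (active_statuses, closed_indices). An 'OK' event is treated as
    recovery (assumption about the trigger) and clears the active set rather
    than being correlated; every other event is closed if some active event
    matches it under `rule`, otherwise it becomes active itself.
    """
    active = []
    closed = []
    for index, status in enumerate(status_stream):
        if status == "OK":
            active.clear()
            continue
        if any(rule(old, status) for old in active):
            closed.append(index)
        else:
            active.append(status)
    return active, closed


# Constructed sample stream of tagged events in arrival order.
SAMPLE_STREAM = ["A", "A", "B", "A", "OK", "A", "C", "C"]

if __name__ == "__main__":
    print(divergences(tag_pair_unguarded))  # only the (OK, OK) pair differs
    print(divergences(tag_pair_guarded))    # empty: equivalent to rules 1-3
    print(replay(SAMPLE_STREAM, three_rules_close_new))
    print(replay(SAMPLE_STREAM, tag_pair_guarded))
```

The replay gives the same result for the three-rule set and the guarded single rule. The unguarded rule only misbehaves if OK events can themselves be active problem events; if your trigger recovers on OK instead of raising a new problem, the guard is harmless but the divergence check tells you whether you need it.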