Administration Guide › Suppression and Summarization › Suppression and Summarization Rules Tasks › How to Create a Summarization Rule

How to Create a Summarization Rule

You can use summarization rules to combine certain native events of a common type into one refined event. This lets you save space in your event log store and simplifies event analysis.

For example, you might create a summarization rule that records a single refined event for every three failed login attempts by a single user. This means that your event log store records only one event rather than three.

The process of creating or editing a summarization rule using the summarization rule wizard has the following main steps:

1. Opening the summarization rule wizard.
2. Summarization Thresholds - Setting the number or frequency of native events that you want to make up a summarized event.
3. Event Selection - Identifying an event to summarize, using the CEG normalization attributes and optional advanced filtering.
4. Summarization - Controlling how the final summarized event will be presented in your reports.

Note: Once you have created a summarization rule, you must apply it to make it available for use in your environment.

More information:

Open Summarization Wizard

Set Summarization Thresholds

Configure a Summarization Display

Using Advanced Filters

Apply a Suppression or Summarization Rule