Release Notes › Known Issues › Event Correlation › Time Fields Treated Differently in Correlation Rule Test

Time Fields Treated Differently in Correlation Rule Test

Symptom:

Under certain narrow circumstances, testing of correlation rules returns different results than live correlation. This occurs under the following conditions:

• The rule filters include a derived time field such as event_time_hour
• The event originates outside the CA Enterprise Log Manager event log store time zone
• The event includes an event_timezone field identifying the time zone of origin

In this case the rule test service derives the event time fields using the Event Log Store time zone, rather than the originating time zone of the event. This may result in the tested rule incorrectly identifying whether the event matches the rule qualifications.

Solution:

This behavior only occurs when testing a rule. In live correlation, the service properly uses the originating time zone of the event when deriving time fields.