

Event Search Examples: Occurrence Frequency

Select 'OCCURS N times within N seconds' and enter search criteria in one event pattern field to create a search that returns a matching event that occurs a specified number of times within a specified time interval.

Example: Detect CPU usage spikes

matches (Message,'server1') and matches (Summary,'CPU usage high')

This example searches for events that contain the same server name in their message and a summary that contains the text 'CPU usage high'. For Additional Criterion, select 'OCCURS 3 times within 180 seconds'. This search can detect whether CPU usage is spiking every two minutes on a CI.

Example: Detect unacknowledged authentication failures

isAcknowledged='false' and not (Severity='Informational') and not (Severity='Normal') and matches (Summary,'Authentication failure')

This example searches for unacknowledged events with a severity higher than Normal that contain the text 'Authentication failure' in their summary. For Additional Criterion, select 'OCCURS 4 times within 60 seconds'. When scoped to a connector that tracks enterprise security (such as CA Access Control, or the Windows Event Log through the Event connector), this search can detect repeated attempts to breach system security by an unauthorized user.
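
The following Python sketch is an added example, not part of the product or its documentation. It applies the filter described above and then an 'OCCURS 4 times within 60 seconds' check to constructed sample events. It assumes a sliding window with an inclusive bound and one report per burst; the event field layout, the severity names other than Informational and Normal, and all helper names are hypothetical.

```python
from collections import deque
from datetime import datetime, timedelta

LOW_SEVERITIES = {"Informational", "Normal"}

def is_candidate(event):
    """Unacknowledged, severity above Normal, summary contains the text."""
    return (not event["isAcknowledged"]
            and event["Severity"] not in LOW_SEVERITIES
            and "Authentication failure" in event["Summary"])

def occurs(events, count, seconds, predicate=is_candidate):
    """Return (first, last) timestamps for each burst of `count` matching
    events that fall within `seconds` of each other (sliding window)."""
    span = timedelta(seconds=seconds)
    window, hits = deque(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if not predicate(ev):
            continue
        window.append(ev["time"])
        # Drop matches that are too old to share a window with this one.
        while ev["time"] - window[0] > span:
            window.popleft()
        if len(window) >= count:
            hits.append((window[0], ev["time"]))
            window.clear()  # count afresh so one burst yields one hit
    return hits

# Constructed sample events (not real log data).
BASE = datetime(2024, 1, 1, 9, 0, 0)

def _ev(offset, severity, acked=False,
        summary="Authentication failure for user jdoe"):
    return {"time": BASE + timedelta(seconds=offset), "Severity": severity,
            "isAcknowledged": acked, "Summary": summary}

SAMPLE = [
    _ev(0, "Critical"), _ev(10, "Major"),
    _ev(20, "Normal"),                  # excluded: severity not above Normal
    _ev(25, "Critical", acked=True),    # excluded: already acknowledged
    _ev(30, "Critical"), _ev(50, "Minor"),
    # Four failures spread over 120 seconds: too slow to trigger.
    _ev(300, "Major"), _ev(340, "Major"), _ev(380, "Major"), _ev(420, "Major"),
]

if __name__ == "__main__":
    for first, last in occurs(SAMPLE, count=4, seconds=60):
        print(f"4 authentication failures between {first} and {last}")
```

Only the first burst is reported: the Normal-severity and acknowledged events do not count toward the threshold, and the later failures never have four occurrences inside one 60-second window.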