

Event Search Examples: Advanced Search Techniques

These examples show advanced techniques for performing complex correlation based on property fragments and for detecting the absence of an expected event.

Example: Detect an event on a specific system by correlating based on property fragments

Pattern 1:

fn:Parse(Message,'device=(.*?).ca.com')='server1' and fn:Parse(Summary,'Database Instance:(.*?) stopped')='PAYROLL'

This search pattern isolates key values embedded in the event Message and Summary properties:

When these values match server1 and PAYROLL, the event matches. This example shows how you can parse information out of a property and use that information in search patterns.

Example: Correlate events on the same system based on property fragments

Pattern 1:

fn:Parse(Message,'device=(.*)')=? and Summary='low memory'

Pattern 2:

fn:Parse(Message,'device=(.*)')=? and Summary='device unresponsive'

This example uses the question mark correlation character and the fn:Parse function to correlate events that have the same server name in the Message property when the property format matches 'device=servername'. Events with a Summary of 'low memory' and 'device unresponsive' occurring within a short time interval could indicate low memory as a root cause of device failure.

Note: For a full example using this search pattern, see Create Event Action Examples.
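
The correlation expressed by Pattern 1 and Pattern 2, reproduced in Python as an added example (not product code). It assumes fn:Parse returns the first capture group of a regular expression match, that 'low memory' precedes 'device unresponsive', and a 5-minute window; the events are constructed. It also shows that the greedy 'device=(.*)' captures any trailing text, so two events for the same server correlate only when the rest of the Message is identical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (time, Message, Summary); not product output.
EVENTS = [
    ("2024-01-10T09:00:00", "device=server1", "low memory"),
    ("2024-01-10T09:01:30", "device=server2", "device unresponsive"),
    ("2024-01-10T09:03:00", "device=server1", "device unresponsive"),
    ("2024-01-10T10:00:00", "device=server4 state=warn", "low memory"),
    ("2024-01-10T10:02:00", "device=server4", "device unresponsive"),
    ("2024-01-10T11:00:00", "device=server3", "low memory"),
    ("2024-01-10T12:30:00", "device=server3", "device unresponsive"),
]

def parse(value, pattern):
    """Assumed stand-in for fn:Parse: first capture group, or None."""
    m = re.search(pattern, value)
    return m.group(1) if m else None

def correlate(events, pattern=r"device=(.*)", window=timedelta(minutes=5)):
    """Pair a 'low memory' event with a later 'device unresponsive' event
    when both yield the same parsed value (the '?' correlation) and the
    second arrives within the window (window length is an assumption)."""
    pending = {}  # parsed device value -> time of latest 'low memory'
    hits = []
    for time, message, summary in sorted(events):
        device = parse(message, pattern)
        if device is None:
            continue
        ts = datetime.fromisoformat(time)
        if summary == "low memory":
            pending[device] = ts
        elif summary == "device unresponsive" and device in pending:
            start = pending.pop(device)
            if ts - start <= window:
                hits.append((device, start, ts))
    return hits

if __name__ == "__main__":
    # Greedy pattern from the page: server4 is missed because one Message
    # carries trailing text, so the captured values differ.
    print([h[0] for h in correlate(EVENTS)])
    # Tighter capture (hypothetical alternative): stop at whitespace.
    print([h[0] for h in correlate(EVENTS, pattern=r"device=(\S+)")])
```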