Has anybody done something like this within SAM 9.x?
Manual correlation based on per site events. We want to correlate many alerts under
one single alert based on site.
a. For example, a power outage occurred in a site that affected 10 switches, we want
to be able to correlate these 10 switches down alerts under just one alert called
"multiple switches down under site X".
b. For example, site X primary link to Internet has been pegged or heavily utilized,
this in turn will create an interface high utilization alert and various IPSLA and QoS
alerts. We want to be able to correlate the IPSLA and QoS alerts under just the
high utilization alert rather than have 20 separate alerts.
KottolliArun - Responds:
One way to do this will be to use dynamic modelling.
In case-1: If the power is supplied by an intelligent UPS, which supports SNMP traps, then using user defined connections in dynamic model, one can create user defined event correlations.
Similarly, other models can be created using dynamic modelling in Smarts.
This can also be done using Aggregates.
You can use a Hookscript to create a brand new Notification (makeNotification()), which is an Aggregate, and base it on the Site.
You can then name that new Notification for the Site that you are adding to.
Then you can use a Notification List to only show the Site Events (based on your filter).
You can always look at the Details of the Aggregate Notification to show the Events that make up that Aggregate (if you care to).
When the Last Event of a particular Aggregate clears, the Aggregate Notification itself will clear.
A sample of Aggregate creation can be found in the syslog_mgr.asl script. I don't see much in the form of documentation on this feature.
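The aggregate lifecycle described in the answer above (one aggregate per site, raised with the first component event and cleared with the last), as an added Python model. It is not Smarts ASL and not code from the thread; the class, method and event names are hypothetical and the switch events are constructed sample data.

```python
from collections import defaultdict


class SiteAggregator:
    """Toy model of per-site aggregate notifications (not Smarts ASL)."""

    def __init__(self, aggregate_event="MultipleSwitchesDown"):
        self.aggregate_event = aggregate_event  # hypothetical aggregate name
        self.components = defaultdict(set)      # site -> active (device, event)
        self.log = []                           # aggregate NOTIFY/CLEAR transitions

    def aggregate_name(self, site):
        return f"{self.aggregate_event}::{site}"

    def notify(self, site, device, event):
        """A component event became active; raise the aggregate on the first one."""
        first = not self.components[site]
        self.components[site].add((device, event))
        if first:
            self.log.append(("NOTIFY", self.aggregate_name(site)))

    def clear(self, site, device, event):
        """A component event cleared; clear the aggregate with the last one."""
        active = self.components.get(site)
        if not active or (device, event) not in active:
            return  # duplicate or unknown clear: ignore it
        active.discard((device, event))
        if not active:
            del self.components[site]
            self.log.append(("CLEAR", self.aggregate_name(site)))

    def active_aggregates(self):
        """What a site-filtered notification list would show: one row per site."""
        return {self.aggregate_name(s): sorted(c) for s, c in self.components.items()}


def demo():
    # Constructed sample: ten switches at one site go down, then recover.
    agg = SiteAggregator()
    switches = [f"sw{i:02d}" for i in range(1, 11)]
    for sw in switches:
        agg.notify("SiteX", sw, "Down")
    during = agg.active_aggregates()   # one aggregate holding ten components
    for sw in switches:
        agg.clear("SiteX", sw, "Down")
    return during, agg.active_aggregates(), agg.log


if __name__ == "__main__":
    print(demo())
```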