Skip to content

Supervised Correlations

Supervised Correlations is a standard configuration interface for adding, editing and removing correlation policies that are used by the Supervised Event Correlator application, where multiple symptom events can be correlated with a root cause event. A root cause event can be one that already exists in the real-time event list or it can be a Meta Event that gets created when the symptoms are detected.

Refer to the Standard Configuration Interface guide for details on interacting with the grid and form.

This user interface calls REST methods from api/event/supervisedCorrelations.

The UI path for this interface is Configuration -> Events -> Supervised Correlations.

Form Fields

  • Name - The name of the correlation policy.

  • Match Fields - This combobox allows a user to pick one or more fields from the real time event database. These fields will be available in the Root Cause and Symptoms sections for further use.

  • Root Cause

    Note

    Either the list of fields used to look for a root cause event must be filled in OR a meta event must be selected.

    • (List of Fields) - A text field will be added for each database field that is picked in the Match Fields above. For the root cause event only one value can be entered for each field. If filled in, the Supervised Event Correlator application will check each of the Match Fields for the entered value when looking for the root cause event.

      Note

      As an example, say "Node" and "Location" were selected in Match Fields. Location is then set to look for "Houston". Node is set to look for "router1.example.com". The Supervised Event Correlator application would be looking for events where Location = "Houston" AND Node = "router1.example.com".

    • Meta Event - If a new root cause event should be created when the symptoms exist, this field picks the meta event that is used.

  • Symptoms

    • (List of Fields) - A text field will be added for each database field that is picked in the Match Fields above. Multiple distinct values can be entered for each field, with each value needing to be on a separate line. The entered value can be a regex. In case a regex should be applied the Python REGEX notation needs to be used and the search term needs to be enclosed by backslashes to instruct the application to apply REGEX. If filled in, the Supervised Event Correlator application will check for each of the Match Fields if their values are in the list of entered values for each field or in case of regex if they match one of the regexes for that field when looking for the symptom events.

      Note

      As an example, say "Node" and "Location" were selected in Match Fields. Location is then set to look for "Chicago" and "Dallas" (on separate lines). Node is set to look for "server1.example.com" and "server2.example.com" (on separate lines). The Supervised Event Correlator application would be looking for events where Location IN ("Chicago", "Dallas") AND Node IN ("server1.example.com", "server2.example.com").

  • Cluster Conditions

    • Group By - Set to group the events by this field. Any Event field can be used. If used, events will be split into separate clusters by this field, even if not one of the fields that are selected in Match Fields.

    • Minimum Members - The number of events that must exist for a correlation policy to create a cluster. This number does not include the synthetic Meta Event.

    • Time Window (Secs) - The length of time in which the minimum members must occur.

  • Status - The status of the correlation policy.