Scenario Using a correlation policy and the OMNIbus ObjectServer event reader service to solve flood events

How to use the Netcool/Impact policy EventCorrelationUsingXinYExample.ipl and the OMNIbus ObjectServer event reader service to perform event correlation to solve events flood.

In Netcool/Impact, you create an OMNIbus event reader service that is based on a specific filter that executes the EventCorrelationUsingXinYExample.ipl policy. The policy queries the OMNIbus ObjectServer again based on the same filter as the reader or a different one to check if there are older events within a threshold and how many they are.

The scenario uses a simple X in Y correlation example. Where X is the number of events that occurred in a specified time window threshold Y, for example 50 events in the past 120 seconds.

This specific scenario focuses on an IBM Tivoli Monitoring Tivoli Enterprise Monitoring Server that sends a flood of events that are tagged as MS_Offline. MS_Offline events are sent when the Tivoli Enterprise Monitoring Server agents detect that servers are down or restarted. For example, if IBM Tivoli Monitoring Tivoli Enterprise Monitoring Server sends 3 events per second per agent for 5 agents until the agents are responsive, it would result in:

3 events * 5 * (5*60 seconds) = 4500 events in 5 minutes.

Because the 4500 events are coming from the same source, they should be correlated by either updating the new incoming event or deleting them. In this example, the events are updated.

IBM Tivoli Monitoring Tivoli Enterprise Monitoring Server sends events to the OMNIbus ObjectServer table with updated fields such as:

• Summary Like 'MS_Offline',
• ITMHostname='TEMS hostname',
• Agent = 'ITM'

The fields are used to query the ObjectServer.

This particular scenario is using a standard Netcool/Impact policy and an OMNIbus ObjectServer Event Reader service for Version 5.x and up.