Overriding the getdate function in rules files
Use this workaround if at least one probe in your environment is set to circular store-and-forward mode, and each probe in the environment sets the LastOccurrence value to the epoch time.
This behavior occurs if the rules file contains the following syntax:
@LastOccurrence = getdate
About this task
If the rules file sets the LastOccurrence value to the epoch time, events might be assigned inconsistent LastOccurrence values and ProbeSubSecondId values, after the events are processed. This is because the ProbeSubSecondId value is set to the value of LastOccurrence before the rules file is processed.
The following example shows three events that are received over one second. For brevity, the previous 122 events that arrived in the same second are not shown. For illustrative purposes, the events are numbered.
[1] LastOccurrence=10000001, ProbeSubSecondId=123
[2] LastOccurrence=10000001, ProbeSubSecondId=124
[3] LastOccurrence=10000002, ProbeSubSecondId=0
The epoch time changes to 10000002 while event 2 is being processed by the rules file. The LastOccurrence value is adjusted, but the ProbeSubSecondId value is not. The ProbeSubSecondId value that was set before rules file processing is retained. As a result, the LastOccurrence value of event 2 greater than event 1, but the ProbeSubSecondId value is greater than event 3 and any subsequent events. The LastOccurrence values and the ProbeSubSecondId values of these three sample events, before and after processing by the rules file, are shown in the following table.
Event | Event before processing by the rules file | Event after processing by the rules file |
---|---|---|
1 | LastOccurrence=10000001, ProbeSubSecondId=123 |
LastOccurrence=10000001, ProbeSubSecondId=123 |
2 | LastOccurrence=10000001, ProbeSubSecondId=124 |
LastOccurrence=10000002, ProbeSubSecondId=124 |
3 | LastOccurrence=10000002, ProbeSubSecondId=0 |
LastOccurrence=10000002, ProbeSubSecondId=0 |
If event 3, or any subsequent events that are processed by the probe, deduplicate with event 2, the deduplication trigger, the reinsert is cancelled.
Procedure
To resolve this problem:
What to do next
If you also use the genevent() function to generate new events, then you need to give further consideration to the value of ProbeSubSecondId. If you want events that are generated by the genevent() function to be handled by the same rules as other events, you need to manually assign a ProbeSubSecondId value to genevent() events.
Because genevent() events are sent to the ObjectServer immediately at the point that the genevent() section of the rules file is processed, the genevent() event is sent before the actual event (the actual event is sent only after rules file processing is complete). Consequently, you need to assign a ProbeSubSecondId to the genevent() and then increment the ProbeSubSecondId counter before the rules file completes processing and a ProbeSubSecondId value is assigned to the actual event.
To implement this behavior, put the include to pssi.include in the rules file before each call to genevent(), so that the syntax reads as follows:
include "path/pssi.include"
genevent( target )
If the target table for genevent() does not contain the LastOccurrence or ProbeSubSecondId fields, this include has no effect.
If a field list is provided to the genevent() call, and the target contains LastOccurrence or ProbeSubSecondId fields then specify these fields in the genevent() call, for example:
include "path/pssi.include"
genevent( target, Identifier, $Identifier, ... , LastOccurrence,
@LastOccurrence, ProbeSubSecondId, @ProbeSubSecondId )
Specifying the fields ensures that the values are provided and recorded in case of failover or failback, and the circular store-and-forward file is replayed.