About the pivot event and the parent event
There are two special events in a related events group: the pivot event, and the parent event.
- Pivot event
-
The pivot event is the probable root cause event for the related events group. It is determined based on a calculation performed on the actionable aggregate columns in all of the events in the group.
- Parent event
-
The parent event of a group is the event whose values will be used in the synthetic parent event in the Event Viewer.
- Neither of these events can be removed from the group. See Removing an event from a related events group.
- You can modify the choice of pivot event and of the event whose values are used in the synthetic parent event. See Changing the pivot event and Selecting a parent event for a correlation rule.
Pivot event
The pivot event is the probable root cause event for the related events group. It is determined based on a calculation performed on the actionable aggregate columns in all of the events in the group.
-
- Severity
- To display the maximum severity for each the events that make up a related event group, the Severity field is selected as an aggregate field in the Event Analytics configuration wizard, and then the Max aggregate function is applied to this field.
-
- Acknowledged
- To display the count of how many times a given event in a related event group was acknowledged, the Acknowledged field is selected as an aggregate field in the Event Analytics configuration wizard, and then the Non-Blank Count aggregate function is applied to this field.
For each of the events in a related event group, the count of the actions on each of the actionable fields in an event is added up, and the event that contains a field with the highest count across all of the events in the event group instances, is set as the probable cause event, and therefore as the pivot event for the group.
- Event A
172.27.1.1 Optical Chassis Normal temperature notification
- Event B
172.27.1.1 Optical Chassis Low temperature notification
- Event C
172.27.1.1 Health Manager Detects Status Changes to Degraded
172.27.1.1 Optical Chassis Low temperature
notification
, which is Event B. Event
Analytics adds up the count
values for the Acknowledged field for each of the three events. It determines that the event with
Event B has a count of 5, while the other events have a count of 0. Therefore Event B is set as the
pivot event.Parent event
The parent event of a group is the event whose values will be used in the synthetic parent event in the Event Viewer.