About the pivot event and the parent event

There are two special events in a related events group: the pivot event, and the parent event.

Pivot event

The pivot event is the probable root cause event for the related events group. It is determined based on a calculation performed on the actionable aggregate columns in all of the events in the group.

Parent event

The parent event of a group is the event whose values will be used in the synthetic parent event in the Event Viewer.

Note: When a group is first formed, the parent event and the pivot event are the same.
Note the following important information about actions that can be performed on these events:

Pivot event

The pivot event is the probable root cause event for the related events group. It is determined based on a calculation performed on the actionable aggregate columns in all of the events in the group.

Aggregate fields are defined in the Event Analytics configuration wizard, as described in Configuring Event Analytics using the wizard. You can add aggregate fields to the seasonal and related event reports, by applying predefined aggregate functions to selected fields from the Historical Event Database. Examples of aggregate fields in a related event group are as follows:
  • Severity
    To display the maximum severity for each the events that make up a related event group, the Severity field is selected as an aggregate field in the Event Analytics configuration wizard, and then the Max aggregate function is applied to this field.
  • Acknowledged
    To display the count of how many times a given event in a related event group was acknowledged, the Acknowledged field is selected as an aggregate field in the Event Analytics configuration wizard, and then the Non-Blank Count aggregate function is applied to this field.
In addition, the Acknowledged field is an actionable field, because the Operator can take action on the event by acknowledging it. The Acknowledged field is marked as an actionable field in the Event Analytics configuration wizard by clicking the Actionable check box associated with the field.

For each of the events in a related event group, the count of the actions on each of the actionable fields in an event is added up, and the event that contains a field with the highest count across all of the events in the event group instances, is set as the probable cause event, and therefore as the pivot event for the group.

For example, assume Event Analytics detects a related event group made up of events with the following summaries:
Event A
172.27.1.1 Optical Chassis Normal temperature notification
Event B
172.27.1.1 Optical Chassis Low temperature notification
Event C
172.27.1.1 Health Manager Detects Status Changes to Degraded
Now assume that five instances of this group are detected. In each instance, the Operator acknowledged the event with summary 172.27.1.1 Optical Chassis Low temperature notification, which is Event B. Event Analytics adds up the count values for the Acknowledged field for each of the three events. It determines that the event with Event B has a count of 5, while the other events have a count of 0. Therefore Event B is set as the pivot event.

Parent event

The parent event of a group is the event whose values will be used in the synthetic parent event in the Event Viewer.

When a related event group is deployed as rule, then this rule acts on the live event stream in the following way: when events that correspond to events in the group occur in the live stream, these events are grouped together under a synthetic parent event in the Event Viewer. This synthetic parent event contains the values from one of the selected events in the related event group.
Note: This selection of parent synthetic event is only applicable when deploying event groups as rules, independently of event group patterns.