Setting event patterns to identify at least two related events

By default, Event Analytics creates synthetic events even where only one event in the pattern has been discovered. Many customers find this counter-intuitive because users do not expect to see a group made up of a single event. Use this configuration procedure to force patterns to create synthetic parents only for groups of at least two events.

  1. Log in to the Impact Server.
  2. Go to the following location:
    $IMPACT_HOME/add-ons/RelatedEvents/db
  3. Locate the following SQL file in this directory and set the GroupEventCount variable to the number of events that must occur before a new synthetic parent event is created to group them.
    supress_synthetic_objectserver.sql
  4. Run the supress_synthetic_objectserver.sql file on the primary and secondary ObjectServers.
    $OMNIHOME/bin/nco_sql -server server_name -user username -password password < $IMPACT_HOME/add-ons/RelatedEvents/db/supress_synthetic_objectserver.sql
    • The username value is the administrative user for the ObjectServer, usually root.
    • The password value is the password for the administrative user.
    • The server_name value is the name of your primary ObjectServer.
    Note: The following error might occur on subsequent runs of this SQL file. You can safely ignore the error.
    ERROR=Object exists on line 6 of statement 'CREATE TABLE alerts.correlation_count PERSISTENT...', at or near 'correlation_count'
  5. Export the configuration by running the following command:
    ./nci_trigger NCI impactadmin/impactpass NOI_DefaultValues_Export FILENAME $IMPACT_HOME/tmp/ea_defaults_configuration.txt
  6. Modify the exported configuration by setting the following property:
    suppress_synthetic_events=true
  7. Save the file.
  8. Import the file by running the following command:
    ./nci_trigger NCI impactadmin/impactpass NOI_DefaultValues_Configure FILENAME $IMPACT_HOME/tmp/ea_defaults_configuration.txt
  9. Restart the Impact Server.
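
The edit in steps 6 and 7 can be scripted so that the exported file ends up with exactly one active suppress_synthetic_events line before it is imported. The following is an added example, not part of the product or of the original procedure; the function name set_suppress_synthetic is hypothetical, and it assumes the exported file holds one key=value property per line.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes the file exported in step 5 holds
# one key=value property per line, as the property in step 6 suggests.

# set_suppress_synthetic FILE
# Sets suppress_synthetic_events=true in FILE and keeps a FILE.bak copy.
# Handles three cases: key present with another value, key duplicated,
# key absent. Returns 0 only if exactly one active line remains.
set_suppress_synthetic() {
    file=$1
    key=suppress_synthetic_events
    [ -f "$file" ] || { echo "missing export file: $file" >&2; return 1; }

    # Keep the original export so the change can be reviewed or reverted.
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1

    # Replace the first assignment of the key, drop later duplicates,
    # and append the property if the export did not contain it.
    awk -v key="$key" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            if (!done) { print key "=true"; done = 1 }
            next
        }
        { print }
        END { if (!done) print key "=true" }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Write back through the original inode so its permissions are kept.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    # Verify the result before it is handed to the import in step 8.
    [ "$(grep -c "^$key=true\$" "$file")" -eq 1 ]
}

# Usage: pass the path of the exported file, for example
#   sh this_script.sh "$IMPACT_HOME/tmp/ea_defaults_configuration.txt"
if [ -n "${1:-}" ]; then
    set_suppress_synthetic "$1"
fi
```

Comparing the file with its .bak copy (for example with diff) before running the import shows that only the one property changed.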