Watching a correlation rule

You can watch a correlation rule and monitor its performance before you deploy the rule to correlate live data.

Before you begin

Complete your review of the related events and the parent event that form the correlation rule. If necessary, change the correlation rule or related events configuration.

About this task

When you are happy with the correlation rule, you can choose to Watch it.
When you choose to Watch the correlation rule, the rule moves out of its existing tab and into the Watched tab within the View Related Events portlet. While the rule is in the Watched tab, it does not create synthetic events or correlate, but it does record performance statistics. You can check the rule's performance before you deploy the rule to correlate live data.
Note: On rerun of a related events configuration scan, a warning message is displayed if any new groups are discovered that conflict with groups on which an existing watched rule is based.
  • Click OK to accept the warning and continue watching the existing rule. The new groups are ignored.
  • Click Cancel to ignore the warning and replace the existing watched rule with a new rule based on the newly discovered group.
Note: For any NEW groups which conflict with existing non-NEW groups, any already existing patterns cannot be edited. Only newly discovered patterns can be edited.
Complete the following steps to Watch the correlation rule.

Procedure

  • Within the View Related Events portlet, perform the following steps:
    1. View related events by group; see Viewing related events by group.
    2. In the View Related Events portlet, within the group table, select either a related events group or a related events configuration and right-click. A menu is displayed.
    3. From the menu, select Watch.
  • Within the Related Event Details portlet for a group or an event, perform the following steps:
    1. View related events or related event groups; see Viewing related events and Viewing related events by group.
    2. Select an event or a related events group.
      • In the View Related Events portlet, within the group table, select a related events group and right-click. A menu is displayed.
      • In the View Related Events portlet, within the event table, select an event and right-click. A menu is displayed.
    3. From the menu, select Show Details. The Related Event Details portlet opens.
    4. In the Related Event Details portlet, within any tab, select Watch.

Results

The rule is displayed in the Watched tab.

What to do next

Within the Watched tab, monitor the performance statistics for the rule. When you are happy with the performance statistics, consider deploying the rule; see Deploying a correlation rule.