By default, Event
Analytics
creates synthetic events where only one event in the pattern has been discovered. For many
customers, this is counter-intuitive as users do not expect to see a group made up of a single
event. Use this configuration procedure to force patterns to create synthetic parents with at least
two events.
-
Log in to the Impact
Server.
- Go to the following location:
$IMPACT_HOME/add-ons/RelatedEvents/db
- Locate the following SQL file in this directory and set the
GroupEventCount variable to define how many events occur before a new parent
synthetic event is created to group events.
supress_synthetic_objectserver.sql
- Run the
supress_synthetic_objectserver.sql
file on the primary and
secondary ObjectServers.
$OMNIHOME/bin/nco_sql -server server_name -user username -password password < $IMPACT_HOME/add-ons/RelatedEvents/db/supress_synthetic_objectserver.sql
- The username value is the administrative user for the ObjectServer, usually root.
- The password value is the password for the administrative user.
- The server_name value is the name of your primary ObjectServer.
Note: The following error might occur on subsequent runs of this SQL file. You can safely ignore the error.
ERROR=Object exists on line 6 of statement 'CREATE TABLE alerts.correlation_count PERSISTENT...', at or near 'correlation_count'
- Export the configuration by running the following command:
./nci_trigger NCI impactadmin/impactpass NOI_DefaultValues_Export FILENAME $IMPACT_HOME/tmp/ea_defaults_configuration.txt
- Modify the exported configuration by setting the following property:
suppress_synthetic_events=true
- Save the file.
- Import the file by running the following command:
./nci_trigger NCI impactadmin/impactpass NOI_DefaultValues_Configure FILENAME $IMPACT_HOME/tmp/ea_defaults_configuration.txt
- Restart the Impact
Server.