Selecting a parent event for a correlation rule

You can select the parent event for the correlation rule.

About this task

When you select the parent event for the correlation rule, the selected event becomes a parent event. A parent synthetic event is created with some of the properties from the parent event, and a parent-child relationship is created between the parent synthetic event and the related events. When these events occur in a live environment, they are displayed in the Event Viewer within a group as child events of the parent synthetic event.
Note: Selecting a parent synthetic event in this way applies only when you deploy event groups as rules, independently of event group patterns.

To select the parent event for the correlation rule, complete the following steps. If you want to see automated suggestions about the parent event for a group, see configuration details in Adding columns to seasonal and related event reports.

Procedure

  1. View all events that form a correlation rule. See Viewing events that form a correlation rule.
  2. In the Related Event Details portlet, within the Correlation Rule tab, right-click an event and select Use Values in Parent Synthetic Event.

Results

The table in the Correlation Rule tab refreshes and the Use Values in Parent Synthetic Event column for the selected event updates to Yes, which indicates this event is now the parent event.

For a related events group, if all of the children of a parent synthetic event are cleared in the Event Viewer, then the parent synthetic event is also cleared in the Event Viewer. If another related event comes in for that same group, the parent synthetic event is either reopened or re-created in the Event Viewer, depending on the status of the parent synthetic event.