Event filtering and summarization
- An SNMPEvent attribute group is created that represents all of the SNMP Traps and informs that are sent to the agent. Traps or informs arrive asynchronously as they are sent by the monitored systems. As each event arrives, it is passed to Tivoli Monitoring.
- A Disk attribute group is created to represent information about all of the disks on a system. The disk information is collected periodically. Each time disk information is collected, the agent returns a number of rows of data, one for each disk.
The difference between pure event and sampled attribute groups affects various aspects of Tivoli Monitoring. These aspects include: situations, warehouse data, and Tivoli Enterprise Portal views.
Each situation is assigned (or distributed) to one or more managed systems to be monitored for a specific condition of a set of conditions. When the determination of the event must be made based on observations that are made at specific intervals, the event is known as a sampled event. When the event is based on a spontaneous occurrence, the event is known as a pure event. Therefore, situations for sampled events have an interval that is associated with them, while situations for pure events do not. Another characteristic of sampled events is that the condition that caused the event can change, thus causing it to be no longer true. Pure events cannot change. Therefore, alerts that are raised for sampled events can change from true to false, while a pure event stays true when it occurs.
An example of a sampled event is number of processes > 100. An event becomes true when the number of processes exceeds 100 and later becomes false again when this count drops to 100 or less. A situation that monitors for invalid logon attempt by user is a pure event; the event occurs when an invalid logon attempt is detected, and does not become a False event. While you can create situations that are evaluated on a specific interval for sampled attribute groups, such evaluations are not possible for pure event attribute groups.
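A small model of the two evaluation styles described above, as an added example that is not part of the original documentation and does not use any Tivoli Monitoring API. The function names, situation names and sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Conceptual model only: hypothetical names, not Tivoli Monitoring APIs.

@dataclass
class Alert:
    situation: str
    time: int
    state: str  # "true" (raised) or "false" (cleared)

def evaluate_sampled(name, samples, predicate):
    """Evaluate a sampled situation once per collection interval.

    samples: list of (time, value), one entry per interval.
    An alert is emitted only on a state change, so a raised alert is
    cleared later when the condition stops holding.
    """
    alerts, is_true = [], False
    for time, value in samples:
        now_true = predicate(value)
        if now_true != is_true:
            alerts.append(Alert(name, time, "true" if now_true else "false"))
            is_true = now_true
    return alerts

def evaluate_pure(name, events, predicate):
    """Evaluate a pure-event situation: no interval, one alert per matching
    event as it arrives, and no later transition to false."""
    return [Alert(name, time, "true") for time, event in events if predicate(event)]

# Constructed sample data: process counts collected every 60 seconds.
PROCESS_SAMPLES = [(0, 90), (60, 120), (120, 130), (180, 100), (240, 101)]
# Constructed sample data: asynchronous logon events as (time, record).
LOGON_EVENTS = [
    (7, {"user": "alice", "result": "success"}),
    (19, {"user": "bob", "result": "invalid"}),
    (23, {"user": "bob", "result": "invalid"}),
]

def demo():
    sampled = evaluate_sampled("Too_Many_Processes", PROCESS_SAMPLES, lambda n: n > 100)
    pure = evaluate_pure("Invalid_Logon", LOGON_EVENTS, lambda e: e["result"] == "invalid")
    return sampled, pure

if __name__ == "__main__":
    for alert in sum(demo(), []):
        print(alert)
```

The sampled situation clears at the interval where the count is back at 100, while each invalid logon produces its own alert that is never cleared by later data.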
Similarly, for historical data, you can configure how frequently sampled data is collected. However, when you turn collection on for pure event data, you get each row as it happens.
The data that is displayed in the Tivoli Enterprise Portal for sampled data is the latest set of collected rows. The data that is displayed for pure event attribute groups is the contents of a local cache that is maintained by the agent. It does not necessarily match the data that is passed to Tivoli Monitoring for situation evaluation and historical collection.