DX Unified Infrastructure Management

Example A: Splunk can look for "Event A" across multiple hosts and if this event is found on more than one host within a time range, one alert notification is generated to the business unit.

Example B: UIM logmon or ntevl for example are deployed to multiple hosts and configured to monitor for "Event A", when found a unique alert is generated for each and every host for which "Event A" was found on.  Problem: unable to combine those alerts and generate one alarm in their place.

Is there a way to combine alarms into one alarm?  I don't see a way in UIM to do this based on how alarms are generated and processed.  I may not have thought of all UIM's capabilities. Maybe there is a another CA/Broadcom product that can do this? 

At this time I think my only option in this situation is to allow Splunk to perform this task and generate a single alarm to UIM through an SNMP integration.

Thoughts?

Outside of Splunk, you should be able to do this via nas triggers and create a new (single) alarm.

I could add a trigger for each host.  The concern I have is my AO trigger options are AND or OR and do not include a time range.

- AND meaning all Selected Triggers must match.  This would mean triggers for all 20 hosts would need to match.

- OR meaning any one of the Selected Triggers must match.  This would mean only one host needs to match.  There appears to be no time range option to limit this from triggering for every individual alarm that comes in for example 1m apart.

Despite whether or not the trigger(s) may fire, you do have some control over when a new alarm can be generated by using a defined operating period or schedule (by time).

If you are going to send your alarm as a trap, why not send it to Spectrum instead of UIM?  Then you can use some of Spectrum’s alarm and event correlation capabilities to handle that…

Chris

CA Communities <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunities.ca.com%2F%3Fet%3Dwatches.email.thread&data=02%7C01%7Cchris.knowles%40railinc.com%7C2dbf4e3db26942af5b8408d6ccc9615c%7C6fb035cb817d4fd589a99a3549a94085%7C0%7C0%7C636921562631209944&sdata=aAL%2FCKSqVZt5C10fMcWYbRstDeaYJr4wFB%2Fa0OERP%2Fg%3D&reserved=0>

Multiple alarms to one alarm?

created by cduryea<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunities.ca.com%2Fpeople%2Fcduryea%3Fet%3Dwatches.email.thread&data=02%7C01%7Cchris.knowles%40railinc.com%7C2dbf4e3db26942af5b8408d6ccc9615c%7C6fb035cb817d4fd589a99a3549a94085%7C0%7C0%7C636921562631219961&sdata=qLOrWbcRtNlA8HFrfUa2fSve1pvQcE%2FIvMEp0Nxyn1Q%3D&reserved=0> in CA Unified Infrastructure Management - View the full discussion<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcommunities.ca.com%2Fmessage%2F242174388-multiple-alarms-to-one-alarm%3Fet%3Dwatches.email.thread&data=02%7C01%7Cchris.knowles%40railinc.com%7C2dbf4e3db26942af5b8408d6ccc9615c%7C6fb035cb817d4fd589a99a3549a94085%7C0%7C0%7C636921562631229969&sdata=7urT9EpDcOjmE%2FVfWi6ZaPGEnIefHxojfeGOsVppFiU%3D&reserved=0>

Alarms are coming from probes not traps.  But they still go to Spectrum from UIM, true the correlation engine in Spectrum could still be used.

Been a long time since I used Spectrum correlations, I don't recall it having a time range option. I'll have to dig back into it.  I may still run into an issue with alarms within a time-range.  That's the caveat that Splunk is better at due to the collect, centrally store, then periodically analyze method of operating.