I wonder how to achieve alert correlation (or is it deduplication if incoming from the same data source?) inside an alert queue. We have UIM integrated using snmpgtw sending traps to SNMP Connector. Every incoming trap creates a new alert, resulting in a storm of duplicate alerts from the same hosts with the same messages.
In this case you should adapt the connector policy to make the criteria for "similar alarm" more generic.
It looks like your policy creates a new id for every alarm, and thus you see all of them as new ones, rather than updates to already existing alarms.
The MdrElementID of the Alarm is the key for this. It has to be constructed to avoid the problem you mention.
Thus, don't use unique numbers or the complete message as ID, but something that makes it sufficiently unique to not merge with "different" alarms, but to still map to the same alarm when an update comes.
And related to this:
Why don't you use the GA Connector for UIM?
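
The effect of the alarm ID choice described in the reply above, as an added example that is not part of the original thread and is not SOI connector policy syntax. It replays constructed traps through a simple alert queue under three ID strategies and also handles clear events; the field names `trap_id`, `host` and `check` are hypothetical.

```python
# Added illustration only: generic Python, not SOI connector policy syntax.
# Field names (trap_id, host, check) and all trap values are constructed.
TRAPS = [
    {"trap_id": "t-1", "host": "web01", "check": "cpu", "severity": "major"},
    {"trap_id": "t-2", "host": "web01", "check": "cpu", "severity": "critical"},
    {"trap_id": "t-3", "host": "web01", "check": "disk", "severity": "minor"},
    {"trap_id": "t-4", "host": "db01", "check": "cpu", "severity": "major"},
    {"trap_id": "t-5", "host": "web01", "check": "cpu", "severity": "clear"},
]

def by_trap_id(trap):
    """Too specific: every trap gets its own alarm ID, so nothing merges."""
    return trap["trap_id"]

def by_host(trap):
    """Too generic: unrelated alarms on one host collapse into one."""
    return trap["host"]

def by_host_check(trap):
    """Stable per monitored condition: updates and clears map to the same alarm."""
    return f'{trap["host"]}|{trap["check"]}'

def process(traps, key_fn):
    """Replay traps into an alert queue keyed by key_fn; return the open alerts."""
    open_alerts = {}
    for trap in traps:
        key = key_fn(trap)
        if trap["severity"] == "clear":
            open_alerts.pop(key, None)  # a clear only closes an alarm with a matching ID
        elif key in open_alerts:
            open_alerts[key]["severity"] = trap["severity"]  # update, not a new alert
            open_alerts[key]["count"] += 1
        else:
            open_alerts[key] = {"severity": trap["severity"], "count": 1}
    return open_alerts

if __name__ == "__main__":
    for key_fn in (by_trap_id, by_host, by_host_check):
        print(key_fn.__name__, process(TRAPS, key_fn))
```

With the per-trap ID the clear never matches an open alarm and four alerts stay open; with the host-only ID the CPU clear also closes the unrelated disk alarm.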
Thanks for explaining, Michael.
We already found out that everything works as designed: every alert sent from UIM has a different ID, and that's the reason why they didn't correlate. On the other hand, we found out that we were not receiving clear alerts; after fixing this we managed to stop the storm in SOI (I'm aware that there are still a lot of incoming traps, but this needs to be resolved as close to the source of alerts as possible - UIM/robots).
Why the architectural design is using the SNMP connector instead of the UIM connector is unknown to me ATM.
Thanks for marking the answer as "correct".
If you need any further help in this, please contact me directly on Michael.Boehm@ca.com.
I was the person who developed the initial package for integrating UIM and SOI via the SNMP Connector, and since then the SNMP and UIM Connectors have been my special areas.