|
|
|
|
Event deduplication allows you to consolidate duplicate SNMP trap & log messages and threshold violation events received from a managed resource within a fixed amount of time. If Traverse receives a duplicate event within this interval, the subsequent messages are not displayed in the Event Manager. Instead, the Event Manager displays the number of occurrences of the event and the time of the newest and oldest events. When Traverse receives another instance of the event outside of the interval, it is considered a new event, so it is displayed and a new duplicate event interval starts. You configure the de-duplication for threshold violation events in the dge.xml file, and for traps, logs and other messages in the corresponding message-handler configuration.
Threshold Violation Event Deduplication Configuration
For threshold violation events, the event de-duplication interval and expiration time for threshold violation events can be configured in the etc/dge.xml file as follows:
<message-handler>
<duplicateEventCycle>5</duplicateEventCycle> <!-- number of polling cycles -->
<eventExpiration>1800</eventExpiration> <!-- seconds; 0 means as soon as state changes -->
</message-handler>
duplicateEventCycle parameter determines the number of polling cycles for de-duplication. Any threshold violation event received within x cycles of the last event are deduplicated. For example, if a test runs every 1 minute and goes into a "warning" state, and then goes into a "critical" state after 3 minutes, it is deduplicated into a single event in the Event Manager because the "critical" event happened (using the example value above) within 5 polling cycles (or minutes).eventExpiration is the expiration time for older threshold violation events. The latest threshold violation event always remains visible in the Event Manager (unless you acknowledge or hide the event). However, any older events (de-duplicated or otherwise) automatically expire (using the example value above) after 30 minutes (or 1800 seconds).Example
In the default configuration, threshold violation events within 5x polling interval are de-duplicated (and the eventExpiration is set to 0s). In other words, if CPU test on server1 is configured to run every 5 minute and it goes to critical at 10:15am, if it drops back to ok at 10:30am, it will be grouped with the previous event because it happened within the 25 minute window of the first event. In this case, the previous (critical) event will be automatically cleared immediately (eventExpiration = 0 seconds). If you change the setting to <eventExpiration>1800</eventExpiration>, then the previous events will remain in view for 30 minutes even after the alarm has cleared.
Messages & Traps Deduplication Configuration
Each message source has its own configuration file, located in the etc/messages/<type>/ directory, and named beginning with the string "00_src".
The SNMP trap configuration file is etc/messages/snmp/00_src_snmp_trap.xml and can be configured as follows:
<message-handler>
<source type="trap" name="162">
<enabled>true</enabled>
<duplicateEventInterval>1800</duplicateEventInterval> <!-- number of seconds -->
<logunmatched>true</logunmatched>
<port>162</port>
<performHostnameLookup>false</performHostnameLookup>
</source>
</message-handler>
The duplicateEventInterval parameter determines the number of seconds in the deduplication interval for messages from this source.