Event Correlation and Parent and Child Events


This section describes Topology Events, which are also called Event Correlation.

Use the following menu options to navigate the SL1 user interface:

  • To view a pop-out list of menu options, click the menu icon.
  • To view a page containing all of the menu options, click the Advanced menu icon.

Event Correlation

In SL1, there are four types of events that might not appear on the Events page (or the Event Console page in the classic SL1 user interface):

  • Rolled-up events. Multiple occurrences of the same event on the same device. When the same event occurs multiple times on a single device, SL1 does not display each occurrence on the Events page (or the Event Console page in the classic SL1 user interface). Instead, SL1 displays a single entry and notes the number of occurrences in the Count column.
  • Suppressed Events. Suppressed events do not appear on the Events page (or the Event Console page in the classic SL1 user interface). For details on suppressing events for a single device, see the section on Suppressing Events.
  • Topology Events. In SL1, event correlation or topology suppression means the ability to build parent-child relationships between devices and between events. When events are correlated, only the parent event is displayed on the Events page (or the Event Console page in the classic SL1 user interface). The magnifying-glass icon appears to the left of the parent event. When you click on the magnifying-glass icon, the list of child events is displayed. The child events are rolled up under the parent event and are not displayed on the Events page (or the Event Console page in the classic SL1 user interface). For the parent event, the Count column will be incremented to indicate the number of correlated child events. Optionally, you can define event categories that allow SL1 to more efficiently align suppressing events with suppressible events. When you align an event category to a suppressing or suppressible event, that event will be correlated with only events that are aligned with the same event category.
  • Event Masks. When a device uses the Event Mask setting, events that occur on a single device within a specified span of time are grouped together. On the Events page (or the Event Console page in the classic SL1 user interface), masked events are displayed under a single event, the one with the highest severity. For details on event masks, see the section on Event Masks.

This section describes Topology Events, also called Event Correlation.

SL1 performs two types of event correlation:

  • Automatic Event Correlation. During discovery, SL1 automatically discovers and defines parent-child relationships between devices.
  • Manual Event Correlation. In SL1, you can configure devices and events so that events that are associated with child devices will be rolled-up under the parent device's events on the Events page (or the Event Console page in the classic SL1 user interface). For example, suppose a switch fails. Instead of seeing an event for the failed switch and seeing events about failed communication for each device connected to the switch, only a single event would appear on the Events page (or the Event Console page in the classic SL1 user interface). The single event would describe the switch failure. When you manually define a hierarchy between events, you can also include an event category. An event category allows SL1 to more efficiently align suppressing events with suppressible events.

To manually define event correlation, you must perform two tasks:

  • Define parent and child devices. SL1 does this automatically when it discovers Layer-2, CDP, LLDP, Layer-3, and VMware topology. For example, if SL1 automatically discovers a switch and its clients, SL1 automatically defines the switch as the parent device and its clients as the children devices. You can also do this manually when you create Layer-2 Links, Layer-3 Links, CDP Links, LLDP Links, or Event Correlation Override links in the Maps > Classic Maps > Topology Maps pages or the Maps > Classic Maps > My Customized Maps pages. For more information about creating parent-child relationships in views, see the section on Topology Views.
  • Define a hierarchy between events—that is, define parent events (called suppressing events) and child events (called suppressible events).

This section describes the required tasks for manual event correlation.

Defining Parent and Child Devices

The Device Children modal page allows users to select one or more devices to become children of the currently selected device.

To add children to a device:

  1. Go to the Device Manager page (Devices > Device Manager).

  2. In the Device Manager page, select the wrench icon for the device for which you want to add children devices. The Device Properties page appears:

    You cannot create parent-child relationships for devices with a Device Category of Virtual.

  3. In the Device Properties page, in the Actions drop-down list, select Device Children. The Device Children modal appears.
  4. In the Device Children modal, select one or more devices to be children of the current device.
  5. Click Save.

Device Categories that Don't Support Child Devices

A device category is a logical categorization of a device by primary function. SL1 uses device categories to group related devices in reports and views.

Device categories are paired with device classes to organize and describe discovered devices. The device class usually describes the manufacturer and model of a device. The device category describes the function of the hardware.

Devices that are members of the following device categories cannot be assigned child devices:

  • Office Printers, Device Category #4
  • Workstations, Device Category #6
  • Environmental.Utility, Device Category #8
  • Environmental.HVAC, Device Category #9
  • Environmental.Security, Device Category #10
  • System.Tape, Device Category #17
  • Office.Copiers, Device Category #22
  • Office.Facsimiles, Device Category #23
  • Telephony.Phone, Device Category #36
  • Office.Plotter, Device Category #40
  • Pingable, Device Category #98
  • Virtual, Device Category #97

To determine a device's device category, look at the Category field on the Info menu of the Device Investigator page.

Defining Event Topology Masking and Suppression

Topology masking, also referred to as topology suppression, is a setting that defines the rules that SL1 uses to determine event correlation and suppression when events occur on devices that have a parent/child relationship.

SL1 automatically defines parent/child relationships when it discovers Layer-2, CDP, LLDP, Layer-3, and VMware topology. You can also manually define parent/child relationships between devices.

For event correlation to occur, two types of event policies must be defined: masking events and maskable events.

  • Masking events. If this type of event occurs on a parent device, SL1 will search all related child devices for maskable events. On the child devices, all maskable events will be masked. Only the masking event will appear on the Events page; the maskable events will be nested under the parent event.
  • Maskable events. This type of event is masked on a child device only when a masking event occurs on the parent device.

If you configure an event policy to be both masking and maskable, then if the event occurs on a parent device, it behaves as a masked event. If the event occurs on a child device, it behaves as a maskable event.

When a device uses the event masking setting, events that occur on a single device within a specified timespan are grouped together. On the Events page (or the Event Console page in the classic SL1 user interface), masked events are displayed under a single event, the one with the highest severity.

For more information about how to define an event as masking or maskable, see the section on The Event Message Tab.

Defining Event Topology Suppression in the Classic SL1 User Interface

To manually configure event correlation in the classic SL1 user interface, you must define two types of events:

  • Suppressing events. If this event occurs on a parent device, SL1 will search all related children devices for suppressible events. On the children devices, all suppressible events will be suppressed. Only the suppressing event will appear in the Events page (or the Event Console page in the classic SL1 user interface). The suppressible events will not appear in the Events page (or the Event Console page in the classic SL1 user interface).
  • Suppressible events. This type of event is suppressed on a child device only when a suppressing event occurs on the parent device.

NOTE: If you configure event categories, the suppressing and suppressible events must be associated with the same category for correlation to occur. If you do not configure event categories, each and every suppressing event that occurs on a parent device will cause SL1 to suppress all suppressible events on the associated children devices.

To define an event as a suppressing event on the Event Policy Manager page in the classic SL1 user interface:

  1. Go to the Event Policy Manager page (Registry > Events > Event Manager).
  2. On the Event Policy Manager page, click the wrench icon of the event that you want to define as the suppressing event. The Event Policy Editor page appears.
  3. On the Event Policy Editor page, click the Advanced tab.
  4. In the Topology Suppression field, select Suppressing.
  5. Click Save. In the future, when this event occurs on a device, SL1 will check if the device is a parent device. If the device is a parent device, specified events (suppressible events) with the same category will be suppressed on the children devices.

To define an event as a suppressible event on the Event Policy Manager page in the classic SL1 user interface:

  1. Go to the Event Policy Manager page (Registry > Events > Event Manager).
  2. On the Event Policy Manager page, click the wrench icon of the event that you want to define as the suppressible event. The Event Policy Editor page appears.
  3. On the Event Policy Editor page, click the Advanced tab.
  4. In the Topology Suppression field, select Suppressible.
  5. Click Save. In the future, when this event occurs on a device, SL1 will check if the device is a child device. If the device is a child device, SL1 will check to see if a suppressing event with the same category has occurred on the parent device. If a suppressing event has occurred on the parent device, the specified event will be suppressed on the child device.

Example: Child Event Suppression

For example, suppose you have the following devices and event policies defined:

  • A parent device, a Cisco Catalyst switch named Boise-DMZ.
  • A child device to Boise-DMZ, a server named HQ-W2K3-VC01.
  • An event policy, "Poller: Interface operationally down", defined as a suppressing event.
  • A second event policy, "Poller: Device not responding", defined as a suppressible event.
  • Both events are associated with the same event category.

In this scenario, if an interface goes down on the switch Boise-DMZ, SL1 will not be able to communicate with the server, HQ-W2K3-VC01, attached to the switch.

With the above defined event topology suppression:

  • The event "Poller: Interface operationally down" occurs on Boise-DMZ.
  • The event "Poller: Device not responding" is suppressed on the server HQ-W2K3-VC01.
  • On the Events page (or the Event Console page in the classic SL1 user interface), the only event that would appear in this scenario will be the event "Poller: Interface operationally down" on the device Boise-DMZ.

Event Categories

Event categories allow SL1 to more efficiently align masking or suppressing events. When you align an event category to a masking or maskable event, that event will be correlated only with events that are aligned with the same event category. An event can be aligned to multiple event categories; for event correlation to occur, the masking event and the maskable event must both be aligned with a common event category.

NOTE: This section uses the terms "masking" and "maskable" for simplicity's sake, but these terms are interchangeable with "suppressing" and "suppressible". "Masking" and "maskable" are used in the unified SL1 user interface, while "suppressing" and "suppressible" are used in the classic SL1 user interface.

Before defining masking events and maskable events, you can define event categories to streamline event masking.

  • If you do not define any event categories, then if a masking event occurs on a parent device, SL1 will search all related child devices for maskable events. On each child device, each occurrence of any event defined as maskable will be masked. Only the masking event and the parent device will appear on the Events page (or the Event Console page in the classic SL1 user interface). The maskable events will be nested under the masking event and will not be displayed by default. For example:
    • Suppose you have a parent device that is a chassis and a child device that is a blade.
    • Suppose you define two masking events: one for when SL1 can't collect data with a Dynamic Application (Dynamic App Collection Problem) and one for when a fan fails (Fan critical).
    • Suppose you define three maskable events: one for when collection with a Dynamic Application times out (Dynamic Application taking too long to collect), one for when a device exceeds the recommended temperature (Temperature critical), and one for when a device is not available via SNMP (Availability check failed).
    • Suppose on the parent device (the chassis), the masking event "Dynamic App Collection Problem" occurs.
    • SL1 will search for all child devices associated with the chassis and then search for all maskable events.
    • Suppose on the child device (the blade), two maskable events occur: "Temperature critical" and "Availability check failed".
    • On the Events page (or the Event Console page in the classic SL1 user interface), SL1 will nest these two maskable events under the parent event, even though there is no relationship between the parent event and the child events.

  • However, if you do define event categories and align those event categories to masking or maskable events, then those events will be correlated only with events that are aligned with the same event category. For example:
    • Suppose we define two event categories: "Environment.Temperature" and "Dynamic Applications.Collection".
    • Suppose you have a parent device that is a chassis and a child device that is a blade.
    • Suppose you define two masking events: one for when SL1 can't collect data with a Dynamic Application (Dynamic App Collection Problem) and one for when a fan fails (Fan critical).
    • Suppose you define three maskable events: one for when collection for a Dynamic Application is timing out (Dynamic Application taking too long to collect), one for when a device exceeds the recommended temperature (Temperature critical), and one for when a device is not available via SNMP (Availability check failed).
    • Suppose when you define each event as masking or maskable, you align event categories like this:

      Event Name                                       Event Hierarchy   Event Category
      Dynamic App Collection Problem                   masking           Dynamic Applications.Collection
      Dynamic Application taking too long to collect   maskable          Dynamic Applications.Collection
      Availability check failed                        maskable          Dynamic Applications.Collection
      Fan critical                                     masking           Environment.Temperature
      Temperature critical                             maskable          Environment.Temperature

    • Suppose on the parent device (the chassis) the masking event "Dynamic App Collection Problem" occurs.
    • SL1 will search for all child devices and then search for all maskable events that have the same event category, Dynamic Applications.Collection.
    • Suppose on the child device (the blade) two maskable events occur: "Temperature critical" and "Dynamic Application taking too long to collect".
    • On the Events page (or the Event Console page in the classic SL1 user interface), SL1 will display the event "Dynamic Application taking too long to collect" under the parent event "Dynamic App Collection Problem", because both events belong to the same event category.
    • On the Events page (or the Event Console page in the classic SL1 user interface), SL1 will not nest the event "Temperature critical" under the parent event "Dynamic App Collection Problem", because the two events do not have the same event category.
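The two chassis/blade scenarios above can be checked with a small model of the masking rule. This is an added example, not SL1 code: the Policy class, the function names and the device names "chassis" and "blade" are assumptions made for illustration, and the category rule is this page's description (no categories on either policy means everything maskable is masked; otherwise a common category is required).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """An event policy as this page describes it (model only, not an SL1 object)."""
    name: str
    masking: bool = False      # may hide maskable events on child devices
    maskable: bool = False     # may be hidden by a masking event on the parent
    categories: frozenset = frozenset()


def can_mask(parent: Policy, child: Policy) -> bool:
    if not (parent.masking and child.maskable):
        return False
    # Assumption: with no categories on either policy, any masking event
    # masks any maskable event; otherwise a common category is required.
    if not parent.categories and not child.categories:
        return True
    return bool(parent.categories & child.categories)


def correlate(events, children_of):
    """events: list of (device, Policy); children_of: parent -> set of children.

    Returns (visible, nested): the events an operator sees at top level and,
    per parent event, the child events rolled up beneath it.
    """
    nested, hidden = {}, set()
    for parent_dev, parent_pol in events:
        kids = children_of.get(parent_dev, set())
        for idx, (child_dev, child_pol) in enumerate(events):
            if idx in hidden or child_dev not in kids:
                continue
            if can_mask(parent_pol, child_pol):
                nested.setdefault((parent_dev, parent_pol.name), []).append(
                    (child_dev, child_pol.name))
                hidden.add(idx)
    visible = [(d, p.name) for i, (d, p) in enumerate(events) if i not in hidden]
    return visible, nested


def build_policies(with_categories: bool):
    """The five policies from the table above, with or without categories."""
    da, env = "Dynamic Applications.Collection", "Environment.Temperature"
    rows = [
        ("Dynamic App Collection Problem", True, False, da),
        ("Dynamic Application taking too long to collect", False, True, da),
        ("Availability check failed", False, True, da),
        ("Fan critical", True, False, env),
        ("Temperature critical", False, True, env),
    ]
    return {
        name: Policy(name, masking, maskable,
                     frozenset([cat]) if with_categories else frozenset())
        for name, masking, maskable, cat in rows
    }


TOPOLOGY = {"chassis": {"blade"}}   # constructed device names


def scenario(with_categories: bool, blade_events):
    """Masking event on the chassis plus the given events on the blade."""
    p = build_policies(with_categories)
    events = [("chassis", p["Dynamic App Collection Problem"])]
    events += [("blade", p[name]) for name in blade_events]
    return correlate(events, TOPOLOGY)


if __name__ == "__main__":
    for flag, blade in [
        (False, ["Temperature critical", "Availability check failed"]),
        (True, ["Temperature critical",
                "Dynamic Application taking too long to collect"]),
    ]:
        visible, nested = scenario(flag, blade)
        print("categories" if flag else "no categories")
        print("  visible:", visible)
        print("  nested: ", nested)
```

Without categories, the unrelated "Temperature critical" event on the blade disappears from the top-level list; with categories it stays visible.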

Assigning an Event Category to an Event

For information about how to assign an event category to an event policy, see the section on The Event Message Tab.

Assigning an Event Category to an Event in the Classic SL1 User Interface

In the classic SL1 user interface, you can assign an event category to an event in the Event Policy Editor page, in the Advanced tab.

If you define an event as suppressing and assign an event category to the event, when the event occurs, SL1 will suppress only events that meet all of these criteria:

  • Occur on a child device
  • Are defined as suppressible
  • Are aligned with the same event category

If you define an event as suppressible and assign an event category to the event, when the event occurs, SL1 will suppress the event only if all the following occur:

  • The event occurs on a child device.
  • A suppressing event occurs on the parent device.
  • The suppressing event and the suppressible event are aligned with the same event category.

NOTE: If you assign an event category to an event that is neither suppressing nor suppressible, SL1 does not use the event category. The event category will have no effect.

Creating an Event Category

From the Event Category Manager page, you can define a new event category. This allows you to customize event categories to meet your business requirements.

To create an event category:

  1. Go to the Event Category Manager page (Registry > Events > Categories).
  2. In the Event Category Manager page, click the [Create] button.
  3. The Event Category Editor page is displayed. In this page, you can define a new event category. Supply a value in the following fields:

  • Category Name. The name of the event category. This can be any combination of numbers, letters, and symbols.
  • Correlation Time. You can specify an integer value of zero ("0") or greater in this field. This value can be used in custom Run Book Actions, where Action Type is Run a Snippet. For details on Run Book Actions, see the section on Run Book Actions.
  • Event Occurrence. Specifies whether Correlation Time should start after first occurrence of the event or after most recent occurrence of the event. Possible values are First or Last.
  4. Click [Save] to save your new event category.

Editing an Event Category

From the Event Category Manager page, you can edit the definition of an event category. This allows you to adjust or customize an existing category to meet your business requirements.

To edit an event category:

  1. Go to the Event Category Manager page (Events > Categories).
  2. In the Event Category Manager page, click the wrench icon of the event category you want to edit.
  3. The Event Category Editor page is displayed.
  4. In the Event Category Editor, you can edit the following fields:

  • Category Name. The name of the event category. This can be any combination of numbers, letters, and symbols.
  • Correlation Time. You can specify an integer value of zero ("0") or greater in this field. This value can be used in custom Run Book Actions, where Action Type is Run a Snippet. For details on Run Book Actions, see the section on Run Book Actions.
  • Event Occurrence. Specifies whether Correlation Time should start after first occurrence of the event or after most recent occurrence of the event. Possible values are First or Last.
  5. Click [Save] to save your changes.
  6. You can also click [Save As] to save your changes as a new event category with a different name.

Viewing the List of Event Categories

The Event Category Manager page (Events > Categories) displays the following about each event category:

  • Event Category Name. The name of the event category.
  • Event Count. Number of events that are aligned with the event category.
  • ID. Unique numeric ID for the event category, generated by SL1.
  • Correlation Time. You can specify an integer value of zero ("0") or greater in this field. This value can be used in custom Run Book Actions, where Action Type is Run a Snippet. For details on Run Book Actions, see the section on Run Book Actions.
  • Event Occurrence. Specifies whether Correlation Time should start after first occurrence of the event or after most recent occurrence of the event. Possible values are First or Last.
  • Edited By. Name of the user who created or last edited the event category.
  • Last Edited. Date and time the event category was created, imported into SL1, or last edited.

To sort the list of event categories, click on a column heading. The list will be sorted by the column value, in ascending order. To sort by descending order, click the column heading again. The Last Edited column sorts by descending order on the first click; to sort by ascending order, click the column heading again.

Filtering the List of Event Categories

The Filter-While-You-Type fields appear as a row of blank fields at the top of the list. These fields let you filter the items that appear in the list.

The list is dynamically updated as you select each filter. For each filter, you must make a selection from a drop-down menu or type text to match against. SL1 will search for entries that match the text, including partial matches. Text matches are not case-sensitive, and you can use special characters in each text field.

By default, the cursor is placed in the first Filter-While-You-Type field. You can use the <Tab> key or your mouse to move your cursor through the fields.

You can filter by one or more of the following parameters. Only items that meet all of the filter criteria are displayed on the page.

The following describes each filter on the Event Category Manager page:

  • Event Category Name. You can enter text to match, including special characters, and the Event Category Manager page will display only event categories that have a matching category name.
  • Event Count. You can enter text to match, including special characters, and the Event Category Manager page will display only event categories that have a matching event count.
  • ID. You can enter text to match, including special characters, and the Event Category Manager page will display only event categories that have a matching event category ID.
  • Correlation Time. You can enter an integer to match, including special characters, and the Event Category Manager page will display only event categories that have a matching correlation time.
  • Event Occurrence. You can enter text to match, including special characters, and the Event Category Manager page will display only event categories that have a matching value in the Event Occurrence field.
  • Edited By. You can enter text to match, including special characters, and the Event Category Manager page will display only event categories that have been created or edited by a matching user.

  • Last Edited. Only those event categories that match all the previously selected fields and have the specified last edit date will be displayed. The choices are:
    • All. Display all event categories that match the other filters.
    • Last Minute. Display only event categories that have been created within the last minute.
    • Last Hour. Display only event categories that have been created within the last hour.
    • Last Day. Display only event categories that have been created within the last day.
    • Last Week. Display only event categories that have been created within the last week.
    • Last Month. Display only event categories that have been created within the last month.
    • Last Year. Display only event categories that have been created within the last year.

Special Characters

You can include the following special characters to filter by each column except those that display date and time:

When searching for a string, SL1 will match substrings by default, even if you do not include any special characters. For example, searching for "hel" will match both "hello" and "helicopter". When searching for a numeric value, SL1 will not match a substring unless you use a special character.

String and Numeric

  • , (comma). Specifies an "OR" operation. Works for string and numeric values. For example:

"dell, micro" matches all values that contain the string "dell" OR the string "micro".

  • & (ampersand). Specifies an "AND" operation. Works for string and numeric values. For example:

"dell & micro" matches all values that contain both the string "dell" AND the string "micro", in any order.

  • ! (exclamation point). Specifies a "not" operation. Works for string and numeric values. For example:

NOTE: You can also use the "!" character in combination with the arithmetical special characters (min-max, >, <, >=, <=, =) described below.

  • * (asterisk). Specifies a "match zero or more" operation. Works for string and numeric values. For a string, matches any string that matches the text before and after the asterisk. For a number, matches any number that contains the text. For example:

"hel*er" would match "helpers" and "helicopter" but not "hello".

"325*" would match "325", "32561", and "325000".

"*000" would match "1000", "25000", and "10500000".

  • ? (question mark). Specifies "match any one character". Works for string and numeric values. For example:

"l?ver" would match the strings "oliver", "levers", and "lover", but not "believer".

"135?" would match the numbers "1350", "1354", and "1359", but not "135" or "13502".

String

  • ^ (caret). For strings only. Specifies "match the beginning". Matches any string that begins with the specified string. For example:

"^sci" would match "scientific" and "sciencelogic", but not "conscious".

"^happy$" would match only the string "happy", with no characters before or after.

"!^micro" would match all values that do not start with "micro".

"!^$" would match all values that are not null.

"!^" would match null values.

  • $ (dollar sign). For strings only. Specifies "match the ending". Matches any string that ends with the specified string. For example:

"ter$" would match the string "renter" but not the string "terrific".

"^happy$" would match only the string "happy", with no characters before or after.

"!fer$" would match all values that do not end with "fer".

"!^$" would match all values that are not null.

"!$" would match null values.

NOTE: You can use both ^ and $ if you want to match an entire string and only that string. For example, "^tern$" would match the strings "tern" or "Tern" or "TERN"; it would not match the strings "terne" or "cistern".

Numeric

  • min-max. Matches numeric values only. Specifies any value between the minimum value and the maximum value, including the minimum and the maximum. For example:

"1-5" would match 1, 2, 3, 4, and 5.

  • - (dash). Matches numeric values only. A "half open" range. Specifies values including the minimum and greater or including the maximum and lesser. For example:

"1-" matches 1 and greater. So would match 1, 2, 6, 345, etc.

"-5" matches 5 and less. So would match 5, 3, 1, 0, etc.

  • > (greater than). Matches numeric values only. Specifies any value "greater than". For example:

">7" would match all values greater than 7.

  • < (less than). Matches numeric values only. Specifies any value "less than". For example:

"<12" would match all values less than 12.

  • >= (greater than or equal to). Matches numeric values only. Specifies any value "greater than or equal to". For example:

"=>7" would match all values 7 and greater.

  • <= (less than or equal to). Matches numeric values only. Specifies any value "less than or equal to". For example:

"=<12" would match all values 12 and less.

  • = (equal). Matches numeric values only. For numeric values, allows you to match a negative value. For example:

"=-5" would match "-5" instead of being evaluated as the "half open range" as described above.

Examples

  • "!dell" matches all values that do not contain the string "dell".
  • "!^micro" would match all values that do not start with "micro".
  • "!fer$" would match all values that do not end with "fer".
  • "!^$" would match all values that are not null.
  • "!^" would match null values.
  • "!$" would match null values.
  • "!*" would match null values.
  • "happy, !dell" would match values that contain "happy" OR values that do not contain "dell".
  • "aio$". Matches only text that ends with "aio".
  • "^shu". Matches only text that begins with "shu".
  • "^silo$". Matches only the text "silo", with no characters before or after.
  • "!silo". Matches only text that does not contain the characters "silo".
  • "!^silo". Matches only text that does not start with "silo".
  • "!0$". Matches only text that does not end with "0".
  • "!^silo$". Matches only text that is not the exact text "silo", with no characters before or after.
  • "!^". Matches null values, typically represented as "--" in most pages.
  • "!$". Matches null values, typically represented as "--" in most pages.
  • "!^$". Matches all text that is not null.
  • "silo, !aggr". Matches text that contains the characters "silo" and also text that does not contain "aggr".
  • "silo, 02, !aggr". Matches text that contains "silo" and also text that contains "02" and also text that does not contain "aggr".
  • "silo, 02, !aggr, !01". Matches text that contains "silo" and also text that contains "02" and also text that does not contain "aggr" and also text that does not contain "01".
  • "^s*i*l*o$". Matches text that contains the letters "s", "i", "l", "o", in that order. Other letters might lie between these letters. For example "sXiXlXo" would match.
  • "!^s*i*l*o$". Matches all text that does not contain the letters "s", "i", "l", "o", in that order. Other letters might lie between these letters. For example "sXiXlXo" would not match.
  • "!vol&!silo". Matches text that does not contain "vol" AND also does not contain "silo". For example, "volume" would match, because it contains "vol" but not "silo".
  • "!vol&02". Matches text that does not contain "vol" AND also contains "02". For example, "happy02" would match, because it does not contain "vol" and it does contain "02".
  • "aggr,!vol&02". Matches text that contains "aggr" OR text that does not contain "vol" AND also contains "02".
  • "aggr,!vol&!infra". Matches text that contains "aggr" OR text that does not contain "vol" AND does not contain "infra".
  • "*". Matches all text.
  • "!*". Matches null values, typically represented as "--" in most pages.
  • "silo". Matches text that contains "silo".
  • " !silo ". Matches text that does not contain "silo".
  • " !^silo$ ". Matches all text except the text "silo", with no characters before or after.
  • "-3,7-8,11,24,50-". Matches numbers 1, 2, 3, 7, 8, 11, 24, 50, and all numbers greater than 50.
  • "-3,7-8,11,24,50-,a". Matches numbers 1, 2, 3, 7, 8, 11, 24, 50, and all numbers greater than 50, and text that includes "a".
  • "?n". Matches text that contains any single character and the character "n". For example, this string would match "an", "bn", "cn", "1n", and "2n".
  • "n*SAN". Matches text that contains "n", zero or any number of any characters and then "SAN". For example, the string would match "nSAN", and "nhamburgerSAN".
  • "^?n*SAN$". Matches text that begins with any single character, is followed by "n", and then zero or any number of any characters, and ends in "SAN".
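The string operators above can be modelled as a small matcher, which makes it possible to test a filter expression against sample values before relying on it. This is an added example, not SL1's implementation: the function names are assumptions, it covers only the string operators (`,` `&` `!` `*` `?` `^` `$`) and not the numeric ranges or the null-matching forms, and it assumes `&` binds tighter than `,`, as the "aggr,!vol&02" example implies.

```python
import re


def _compile(term: str) -> re.Pattern:
    """Translate one positive term (no leading "!") into a regular expression."""
    anchored_start = term.startswith("^")
    if anchored_start:
        term = term[1:]
    anchored_end = term.endswith("$")
    if anchored_end:
        term = term[:-1]
    # "*" is zero or more characters, "?" is exactly one; all else is literal.
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in term
    )
    pattern = ("^" if anchored_start else "") + body + (r"\Z" if anchored_end else "")
    # The page states that text matches are not case-sensitive.
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)


def _term_matches(term: str, value: str) -> bool:
    term = term.strip()
    negate = term.startswith("!")
    if negate:
        term = term[1:].strip()
    # Unanchored terms match as substrings, as the page describes.
    found = _compile(term).search(value) is not None
    return found != negate


def matches(filter_text: str, value: str) -> bool:
    """True if value satisfies the filter: comma is OR, ampersand is AND."""
    return any(
        all(_term_matches(term, value) for term in alternative.split("&"))
        for alternative in filter_text.split(",")
    )


def apply_filter(filter_text: str, values):
    """Return the values that the filter keeps, in their original order."""
    return [v for v in values if matches(filter_text, v)]


# Constructed sample column values (not taken from a real SL1 system).
SAMPLE_NAMES = [
    "Environment.Temperature",
    "Dynamic Applications.Collection",
    "silo-aggr-01",
    "silo-vol-02",
    "happy02",
]

if __name__ == "__main__":
    for expr in ["^env", "silo & !aggr", "aggr,!vol&02", "^s*i*l*o*02$"]:
        print(f"{expr!r:18} -> {apply_filter(expr, SAMPLE_NAMES)}")
```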

Deleting One or More Event Categories

From the Event Category Manager page, you can delete an event category. To do so:

NOTE: When you remove an event category, the category is also removed from any event policy with which it is aligned.

  1. Go to the Event Category Manager page (Events > Categories).
  2. In the Event Category Manager page, select the checkbox of each event category you want to delete.
  3. In the Select Action drop-down list, select Delete these Event Categories, then click the [Go] button.
  4. Each selected event category is removed from SL1.