Timer and counter based Rule for event 1

[wolverdean]

I am trying to figure out how to write a Timer and counter based Rule for events.

here is what I am trying to do. I have events of class TWS_Job_Abend.

one job runs every 5 minutes and I only need an event sent to the TEC if it fails 3 times consecutively. (so 15 minute window)

another job runs every 10 minutes and I only need an event sent to the TEC if it fails 6 times consecutively (so 60 minute window)

I have been fighting this for a while and can not seem to get it to work. How can I make this happen?

 

[rodneywill]

Hi wolverdean here is an example:
I hope it is readable but it is best if you copy/paste it to notepad.
It works like this:
catch the event. (If the event has a high severity you should lower the severity first with set_event_severity)
ACKnowledge the event.
count the events with add to repeatcount and set a timer with set_timer( _event, xxxx, 'timer_name') when the timer has come to an end it goes to the timer rules and check if the repeatcount is greater than 5 (repeatcount outside 0,1,2,3,4) if so set_event_severity to a higher severity and change to OPEN.
since you have diferent criteria you have to work with 2 timers.
Hope this will help

Regards Rodney

/*
-----------------------------------------------------
severity escalation rules
-----------------------------------------------------
*/
rule: ah_te_tune_tsm_05_06_rl:
(
description: 'severity escalation rule',
event: _event of_class within ['IBMBACKUP']
where [
status: equals 'OPEN',
msg_index: _msg_index within [8926],
hostname: _hostname,
sub_source: _sub_source,
sub_origin: _sub_origin
],


reception_action: ah_te_tune_tsm_05_a_ra:
(
first_duplicate( _event, event: _ah_te_tune_tsm_05_a_ra_ev
where [
status: outside ['CLOSED'],
msg_index: equals _msg_index,
hostname: equals _hostname,
sub_source: equals _sub_source,
sub_origin: equals _sub_origin
],
_event - 3600 - 3600),

add_to_repeat_count( _ah_te_tune_tsm_05_a_ra_ev, 1),
drop_received_event
),

reception_action: ah_te_tune_tsm_06_a_ra:
(
set_timer( _event, 3600, 'ah_te_tune_tsm_06_a_ra'),
set_event_status( _event, 'ACK')
)

).


/*
-------------------------------------------------------------------
escalation timer rules
-------------------------------------------------------------------
*/
timer_rule: ah_te_tune_tsm_07_rl:
(
description: 'more than 5 ANR8926W messages within 60 minutes',
event: _event of_class within ['IBMBACKUP']
where [
status: equals 'ACK',
msg_index: _msg_index within [8926],
repeat_count: outside [0,1,2,3,4]
],

timer_info: equals 'ah_te_tune_tsm_06_a_ra',


action: ah_te_tune_tsm_07_ac:
(
set_event_severity( _event, 'CRITICAL'),
change_event_status( _event, 'OPEN')
)

).

 

[wolverdean]

ok so that works like a charm ..... ty ty ty.....

now how do i tell it not to have another critical for an hour ... do i need another count and time or is there something in the current rule i can change to make it happen?

 

[wolverdean]

ok the hour thing is not needed ...but there is just one piece i am having a problem with ... here is the first of 10 rules that look the same except the job_name definitions.

The problem I am having is I need for the jobs to have their own counters... I know I can do a cut and paste and have the same rule identify each one individually ... but that seems like a waste of time and effort ... is there a way to variablize ( is that a word ...) the counter and repeat count to be the job_name ... I guess I am just used to shell scripting and using variable to make everything a little easier to view and read.

/*
-----------------------------------------------------
severity escalation rules for 10a min events
-----------------------------------------------------
*/
rule: events_10mins_a_rl:
(
description: 'severity escalation rule',
event: _event of_class within ['TWS_Job_Abend']
where [
status: equals 'OPEN',
job_name: _job_name within ['PE11DHEX','PE11NREQ','PE11SML1','PR
11DDLC','PR11DPOS','PR11REPR','PR11RIDC','PR11SDM1','PR11SDM1','PR11SWF1','PR11T
RFC','PW11GRID','PW11RDDU','PW11TRFC'],
hostname: _hostname,
sub_source: _sub_source,
sub_origin: _sub_origin
],


reception_action: events_10mins_a_ra:
(
first_duplicate( _event, event: _events_10mins_a_ev
where [
status: outside ['CLOSED'],
job_name: equals _job_name,
hostname: equals _hostname,
sub_source: equals _sub_source,
sub_origin: equals _sub_origin
],
_event - 620 - 620),

add_to_repeat_count( _events_10mins_a_ev, 1),
drop_received_event
),

reception_action: events_10mins_a_ra1:
(
set_timer( _event, 620, 'events_10mins_a_ra1'),
set_event_status( _event, 'ACK'),
set_event_severity( _event, 'HARMLESS')
)

).


/*
-------------------------------------------------------------------
escalation timer rules for 10a min events

-------------------------------------------------------------------
*/
timer_rule: events_10mins_a_timer_rl:
(
description: 'more than 2 events within 10 minutes',
event: _event of_class within ['TWS_Job_Abend']
where [
status: equals 'ACK',
job_name: _job_name within ['PE11DHEX','PE11NREQ','PE11SML1','PR
11DDLC','PR11DPOS','PR11REPR','PR11RIDC','PR11SDM1','PR11SDM1','PR11SWF1','PR11T
RFC','PW11GRID','PW11RDDU','PW11TRFC'],
repeat_count: outside [0,1]
],

timer_info: equals 'events_10mins_a_ra1',


action: events_10mins_a_ac:
(
set_event_severity( _event, 'CRITICAL'),
change_event_status( _event, 'OPEN')
)

).



Thank you for any help .... Gerry