Tool Mentor: TNO - Filter Event
TM141 - How to Use IBM Tivoli Netcool OMNIbus to Filter Event
Tool: IBM Tivoli Netcool OMNIbus

Context

Tool mentors explain how a tool can perform tasks, which are part of ITUP processes and activities. The tasks are listed as Related Elements in the Relationships section.

Details

The IBM® Tivoli® Netcool/OMNIbus product provides a wide range of out-of-the-box functionality designed to consolidate and filter Events, to ensure that required actions are taken and that only relevant data is presented to the user. All rules and automated actions within OMNIbus and its probes are configured in simple script or procedural SQL languages, enabling ongoing customization using readily available or quickly learned skills. Modifications to the rule sets may be made in real-time and enabled without interruption to end-user service. Full details are provided in the OMNIbus and Probe Administration guides available for download.

As events are collected by the many different probes and monitors within the Netcool suite, they are normalized into a common event format. This common event format allows the events to be properly categorized and enables the event management engine (the ObjectServer) to recognize events that are duplicates of existing events; i.e., when multiple, repetitive events are received for the same problem on the same element. Database triggers within the ObjectServer recognize the repeating event in real-time, and consolidate the information into a single event recording the First and Last Occurrence times, and incrementing a Count to indicate the number of occurrences of the event. This technique ensures that other automations and user actions may focus on the consolidated data rather than be flooded with repetitive information.

The following diagram shows the consolidation of four ping failure events for the same managed object by de-duplication into a single event giving the First and Last Occurrence times and a Count of the number of occurrences in that time frame. Note that the Event Severities are set and displayed by default according to the ISO standards of six severities ranging from 0=Clear=green to 5=Critical=red.

[Figure: consolidation of four ping failure events for the same managed object by de-duplication into a single event]

The resulting event shown here in Operator Desktop view is then available for further automation and/or Operator intervention.

Netcool provides automated, out-of-the-box, state-based correlation at the object level (e.g., if a 'link down' event is received for a router interface which then corrects itself and generates a subsequent 'link up' event, the system correlates the two and clears the original 'link down' event). During the collection process, Netcool probes and monitors analyze the incoming events and classify them as problem or resolution events. Once the events are inserted into the ObjectServer, a series of automations provides the correlation needed for problem and resolution events to be properly associated and cleared as appropriate, removing the need for manual correlation and resolution by an Operator.

The following diagram shows the visual representation of the pairing and clearing of related problem and resolution events.

[Figure: pairing and clearing of related problem and resolution events]

Temporal automations may be applied to manage related events where, for example, the existence or resolution of a problem may vary according to an event sequence, including the absence or occurrence of a related event.

The following diagram shows an example of key data fields set in probe rules and automations to identify the Link Down root cause and the symptomatic interface or circuit alarms that may be suppressed.

[Figure: key data fields set in probe rules and automations to identify the Link Down root cause and the symptomatic interface or circuit alarms that are suppressed]

The predefined automations that Tivoli Netcool/OMNIbus provides are written in procedural SQL and may be extended using the GUI-based OMNIbus Administrator tool, or via a command line interface. For example, the configuration for the provided trigger that deletes cleared events after a period of time, shown in GUI format below, includes the SQL command to delete events from the database that are cleared (Severity = 0) and have not been modified in the last 2 minutes (120 seconds):

delete from alerts.status where Severity = 0 and StateChange < (getdate() - 120);

[Figure: configuration for the provided trigger to delete cleared events after a period of time, shown in GUI format]

Radio buttons to the right provide tools to assist in the structure of the SQL, table and column reference, available properties and a parser to check the validity of the statements.
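
The de-duplication, problem/resolution clearing and delete-cleared-events behaviour described in the sections above, modelled together in Python. This is an added example, not ObjectServer SQL and not code from IBM or from this page; the class, the field names, the type codes and the reopen-on-recurrence rule are assumptions made for the model.

```python
# Added illustration, not ObjectServer SQL: an in-memory model of the page's
# de-duplication, problem/resolution clearing and delete-clears steps.
from dataclasses import dataclass

PROBLEM, RESOLUTION, CLEAR = 1, 2, 0   # assumed type codes; Severity 0 = Clear

@dataclass
class Event:
    obj: str             # managed object, e.g. a router interface
    severity: int
    type: int
    first_occurrence: int
    last_occurrence: int
    state_change: int
    count: int = 1

class EventStore:
    def __init__(self):
        self.rows = {}   # identifier -> Event

    def insert(self, identifier, obj, severity, type_, ts):
        """De-duplicate: a repeat updates the existing row instead of adding one."""
        row = self.rows.get(identifier)
        if row is None:
            row = self.rows[identifier] = Event(obj, severity, type_, ts, ts, ts)
        else:
            row.count += 1
            row.last_occurrence = row.state_change = ts
            if row.severity == CLEAR:   # assumption: a recurrence reopens the row
                row.severity = severity
        return row

    def correlate(self, now):
        """Clear each open problem that has a later resolution for the same object."""
        for res in [e for e in self.rows.values()
                    if e.type == RESOLUTION and e.severity > CLEAR]:
            for ev in self.rows.values():
                if (ev.type == PROBLEM and ev.severity > CLEAR and ev.obj == res.obj
                        and ev.last_occurrence < res.last_occurrence):
                    ev.severity, ev.state_change = CLEAR, now
            res.severity, res.state_change = CLEAR, now

    def delete_clears(self, now, max_age=120):
        """Same predicate as: Severity = 0 and StateChange < (getdate() - 120)."""
        stale = [k for k, e in self.rows.items()
                 if e.severity == CLEAR and e.state_change < now - max_age]
        for k in stale:
            del self.rows[k]
        return stale
```

Calling insert four times with the same identifier leaves one row with count 4 and the first and last timestamps. A problem followed by a resolution on the same object is cleared by correlate, and delete_clears removes both once 120 seconds have passed since the clear.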

The powerful combination of probe rules and automations, coupled with filters configurable both by the administrator and optionally by the end user, ensures that User views are focused on consolidated Alarms while retaining related events that may be required for further analysis by external systems or viewed by the Operator for information.

For More Information

For more information about this tool, click on the link for this tool at the top of this page.