Timer rule examples
The Timer rule shown in the following figure demonstrates how the rule performs selective escalation for an issue that does not disappear immediately. In the example, different timers are set according to the origin of the problem, which is assumed to originate with a server located in the lowest portion of the address range. The Timer rule also assumes that problems on servers are more severe than on other computers.
Timer rule example 1
execute Timer_on_Rpt_Low_Swap :
Repeated_Swap_Avail_Low($RSAL)
where [$RSAL.status : equals OPEN]
when $RSAL.origin : ip_matches 200.200.*.<25
{
set_timer($RSAL, 120, 'CRITICAL') ;
}
when $RSAL.hostname : ip_matches 200.200.*.>25
{
set_timer($RSAL, 600, 'MINOR') ;
}
END
Repeated_Swap_Avail_Low($RSAL)
where [$RSAL.status : equals OPEN]
when $RSAL.origin : ip_matches 200.200.*.<25
{
set_timer($RSAL, 120, 'CRITICAL') ;
}
when $RSAL.hostname : ip_matches 200.200.*.>25
{
set_timer($RSAL, 600, 'MINOR') ;
}
END
The Timer rule in the following figure verifies that the event status is OPEN before evaluating the timer_info clauses. If an event matches the rule, the event severity is modified.
Timer rule example 2
timer Rpt_Low_Swap :
Repeated_Swap_Avail_Low($RSAL)
where [ status: equals OPEN]
timer_info : equals 'CRITICAL'
{
$RSAL.severity=CRITICAL ;
}
timer_info : equals 'MINOR'
{
$RSAL.severity=MINOR ;
}
END
Repeated_Swap_Avail_Low($RSAL)
where [ status: equals OPEN]
timer_info : equals 'CRITICAL'
{
$RSAL.severity=CRITICAL ;
}
timer_info : equals 'MINOR'
{
$RSAL.severity=MINOR ;
}
END
Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*