Criteria match rate thresholds


In addition to specifying thresholds for each Rule, you can specify a default threshold for each Rule within a Rule Set by using the Criteria match rate settings in the filter of the Rule Set.

Specifying a Rule Set match rate affects only the Rules that do not have a threshold specified. The Rule Set match rate can be used to ensure that every Rule has a match rate specified, thus preventing looping Rules or flooding the PAS with automation. For more information about setting automation thresholds and the criteria match rate, see Managing Rules and automation using the Automation Control panel.

Some Rules might have a normally high match rate, such as a Rule to suppress a message. Before changing the Rule Set default match rate criteria, Rules should be reviewed. Rules designed to have a high match rate can be coded with If matched ===> 0 to ignore the default Rule Set value.

For every Rule you create, you should determine an appropriate firing rate. For example, sometimes a single event generates a flood of events in a very short amount of time. In this case, you might want the Rule for that event to fire only once, based on the first time the event occurs. By using the fields If matched, in seconds, and then status, you can resolve this problem.

The If matched and in seconds fields define the threshold matching rate for a Rule. When the match count of a Rule matches the value you set within the specified time interval, the then status field determines the status of the Rule. You can specify the status to be SUSPEND, DISABLE, or NOACTION.

If you specify that the Rule is suspended, the Rule is automatically re-enabled when the matching rate falls below the specified threshold. If you specify that the Rule is disabled, you must manually re-enable the Rule. If you specify to take no action, the Rule will match and the fired count will increase, but no actions specified for that Rule will take place. The action is resumed when the match rate falls below the threshold.

Important

The difference between NOACTION and SUSPEND appears when the Rule Set uses the FIRST strategy: SUSPEND allows a subsequent Rule in the Rule Set to fire for this event, whereas NOACTION fires this Rule and suppresses further checking in the Rule Set.

This example shows that if a Rule matches an event 10 times within any 30-second interval, the Rule will be suspended.


Criteria match rate threshold:
If matched ===> 10 (Maximum # times matched within INTERVAL, 0-100)
in seconds ===> 30 (Interval length, 1-9999 seconds)
then status ===> SUSPEND (SUSPEND, DISABLE, NOACTION)

Important

When the PAS is cold started, the Rules Status will be as coded in the Rule Set members. Any Rule status changes made as a result of the match rate specifications are discarded.

When a match rate is specified in this Rule Set Filter, every Rule will have a criteria match rate, either an explicit match rate coded in the Rule or an implicit match rate inherited from the filter. With the Rule Set filter, you can limit the number of events and the types of events that are passed through a specific Rule Set. For more details about using Rule Set filtering with criteria match rate, see Enabling filtering and Rule Set match rate for Rule Sets.

To bypass Rule Set criteria match rate checking, specify the criteria match rate fields for the Rule, which causes the Rule Set criteria match rate to be ignored. Only the criteria match rate for the Rule will apply.

Important

A value of 0 in the If matched field of the Rule Set match rate can also be used to ignore the Rule Set match rate. Rules that specify 0 will always fire.

Rules whose status has changed to SUSPEND, DISABLE, or NOACTION as a result of a high matching rate are enabled when manually enabled or when the subsystem is cold started. A new actual matching rate is calculated for the preceding interval every time the Rule matches an event.

These fields cannot be set for TIME-initiated Rules.
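The threshold behavior described in this topic, modeled as an added Python example; it is not product code. The class and function names and the ENABLED label are hypothetical, and the model assumes that the match reaching the threshold still runs its action and that a suspended Rule keeps counting matching events so its rate can fall below the threshold.

```python
from collections import deque

class Rule:
    def __init__(self, name, if_matched=None, in_seconds=None, then_status=None):
        self.name = name
        self.rate = (if_matched, in_seconds, then_status)  # None = inherit Rule Set default
        self.status = "ENABLED"   # hypothetical label for a Rule in normal state
        self.hits = deque()       # timestamps of matches inside the current interval
        self.fired = 0

    def offer(self, now, default):
        """Evaluate one matching event; returns ACTION, NOACTION or SKIP."""
        limit, interval, then_status = self.rate if self.rate[0] is not None else default
        if self.status == "DISABLE":
            return "SKIP"                       # stays off until manually re-enabled
        while self.hits and self.hits[0] <= now - interval:
            self.hits.popleft()                 # drop matches older than the interval
        self.hits.append(now)
        count = len(self.hits)                  # rate recalculated on every match
        if limit and count < limit:
            self.status = "ENABLED"             # rate fell below the threshold
        outcome = {"ENABLED": "ACTION", "SUSPEND": "SKIP", "NOACTION": "NOACTION"}[self.status]
        if outcome != "SKIP":
            self.fired += 1                     # NOACTION still increases the fired count
        if limit and count >= limit and self.status == "ENABLED":
            self.status = then_status           # If matched = 0 never trips
        return outcome

class RuleSet:
    def __init__(self, rules, default=(0, 1, "SUSPEND")):
        self.rules, self.default = rules, default

    def process(self, now):
        """FIRST strategy: checking stops at the first Rule that fires."""
        for rule in self.rules:
            outcome = rule.offer(now, self.default)
            if outcome != "SKIP":
                return rule.name, outcome
        return None, "SKIP"

def replay(then_status, times=(0, 1, 2, 3, 4, 60)):
    # Constructed input: a 5-event flood, then one late event. Rule A trips at
    # 3 matches in 10 seconds; Rule B codes If matched 0 and always fires.
    rs = RuleSet([Rule("A", 3, 10, then_status), Rule("B", 0, 1, "SUSPEND")])
    return [rs.process(t) for t in times]
```

Comparing `replay("SUSPEND")` with `replay("NOACTION")` shows the FIRST-strategy difference: during the flood the suspended Rule A lets Rule B fire, while NOACTION keeps Rule A matching and Rule B never sees the event.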
