Thread and trigger component

Once messages are received and logged, the first official step of the correlation process is to thread the messages.

The threads and triggers components and their role in cataloging messages, is discussed exhaustively in this section concerning match patterns. However, it is worth discussing these components from a slightly different perspective.

The term thread comes from the idea that most human conversation naturally follows a certain sequential pattern. 

The use of the word thread to discuss related messages is taken directly from this idea. In a similar way to social networking forums, a BMC Defender Server thread is a particular topic. The topic can be broad (such as All Logins) or very narrow (such as Invalid Logins For HTTP Server). The particular topic might have context associated with it (supplied to Triggers) such as Error Messages Following Reboot. As with many social networking sites, the system can contain many different threads, a few that are popular and many of which are seldom, if ever, used. Finally, as with an online forum, the most recently updated thread is, by default, pulled to the top of the list, making it clear what the active topics are.

BMC Defender Server permits thousands of threads to exist. (The exact number might be licensing dependent, but is typically at least 5000 different threads.) The most recently updated thread is at the top of the list, followed in chronological order by the next most recently updated thread and many more. From the Correlation > Threads screen, you can see the system activity and drill down into the system to view the detailed messages comprising the thread.