4.4.3 Repeated event conditions

You can specify the event to be a target of display suppression by setting a combination of JP1 event attribute and comparison keyword as a condition. This condition is called a repeated event condition. You can set up to 2,500 repeated event conditions.

To set repeated event conditions, use the Repeated Event Condition Settings window and the List of Repeated Event Conditions window. The higher the repeated event condition appears in the List of Repeated Event Conditions window, the higher is its priority.

If you want to add JP1 events as targets of display suppression during system operation, you can add repeated event conditions based on the events displayed in the event list. A repeated event condition that is set based on events displayed in the event list is called an additional repeated event condition.

You can use an additional repeated event condition as a normal repeated event condition by changing its type setting in the List of Repeated Event Conditions window.

For details about how to set repeated event conditions and other procedures, see the following documentation:

For details about how to set a repeated event condition:

See 6.10.6 Specifying repeated event conditions in the JP1/Integrated Management 3 - Manager Administration Guide.
For details about how to add a repeated event condition:

See 6.10.4(1) Adding a repeated event condition based on an event that occurred during system operation in the JP1/Integrated Management 3 - Manager Administration Guide.
For details about how to convert an added repeated event condition:

See 6.10.4(3) Converting an added repeated event condition to a regular repeated event condition in the JP1/Integrated Management 3 - Manager Administration Guide.

Organization of this subsection

(1) Setting items of repeated event condition (to suppress repeated-event display)
(2) Event comparison attributes that can be specified in repeated event conditions
(3) Grouping repeated events by duplicate attribute value condition

(1) Setting items of repeated event condition (to suppress repeated-event display)

The following describes the settings for items of a repeated event condition:

Event conditions

You can specify the JP1 event attributes to be compared when JP1/IM - Manager acquires monitoring-target events.

For details about the JP1 event attributes that can be specified, see 4.4.3(2) Event comparison attributes that can be specified in repeated event conditions.
Suppression items

You can specify what to suppress for the JP1 events that meet the repeated event condition. The operations that can be suppressed are as follows:
- Consolidated display of repeated events in the Event Console window
- Execution of the actions that are triggered by repeated events
To suppress the display of repeated events, you must specify appropriate settings for Suppression items so that repeated events will be displayed as consolidation events in the Event Console window. For details about the event list display during the suppression of repeated-event display, see 4.4.6 Event list display during the suppression of repeated-event display. When you also want to suppress the execution of automated actions, see 4.5.8 Suppressing the execution of automated actions and response actions triggered by a large number of events.
Conditions for same attribute values

You can specify whether to suppress the display of events that meet a repeated event condition by grouping them by attribute. The condition to suppress events while grouping them by attribute is called a duplicate attribute value condition.

For details about the duplicate attribute value condition, see 4.4.3(3) Grouping repeated events by duplicate attribute value condition.
Threshold

You can set a threshold for determining whether a large number of repeated events have occurred. The threshold, however, is not set in a repeated event condition for the normal suppression of repeated-event display because the suppression of display will start only after the set threshold is exceeded.

For how the threshold is used, see 4.5.4 When the suppression of monitoring of a large number of events starts and 4.5.5 When the suppression of monitoring of a large number of events ends.
End monitoring period

You can set a period by which JP1/IM - Manager determines whether the suppression of repeated-event display can end. The usage of the end monitoring period varies depending on whether the threshold is set.

The threshold is not set for the suppression of repeated-event display. Therefore, JP1/IM - Manager determines that the suppression of repeated-event display can end when no repeated event has occurred during the end monitoring period. The end monitoring period can be specified in the range from 1 to 86,400 seconds. The default is 300 seconds.

For how the end monitoring period is used when the threshold is not set (in the case of the suppression of repeated-event display), see 4.4.5 When suppression of repeated-event display ends.

For how the end monitoring period is used when a threshold is set (for the suppression of monitoring of a large number of events), see 4.5.5 When the suppression of monitoring of a large number of events ends.
Suppression start event and Suppression end event

You can specify whether to issue events that separately notify of the start and end of the suppression of repeated-event display. The event to notify of the start of display suppression is called the suppression start event (event ID: 00003F58). The event to notify of the end of display suppression is called the suppression end event (event ID: 00003F59). By default, neither notification event is issued. For details about the notification events, see 4.4.8 Issuing events associated with the suppression of repeated-event display.
Checks for suppression to continue and Processing for when suppression continues

You can specify settings to check whether the suppression of repeated-event monitoring continues at intervals of specified time (in seconds) or at every specified number of events. Also, you can specify settings to issue a JP1 event that notifies of continuation or terminates the suppression when the suppression is determined to be continuing. For details, see 4.4.7 Issuing notifications when the suppression of repeated-event display continues.

To Page Top

(2) Event comparison attributes that can be specified in repeated event conditions

The following table lists the JP1 event attributes and operators that can be specified as a repeated event condition.

Table 4‒14: JP1 event attributes and operators
No.	Category	Attribute name	Specification	Operators	Operands
1	Basic attributes	Serial number (`B.SEQNO`)	N	--	--
2		Event ID (`B.ID`)	Y	Match Does not match	You can specify a maximum of 100 operands. Specify a hexadecimal value from 0 to 7FFFFFFF. Operands are not case sensitive.
3		Extended event ID (`B.IDEXT`)	N	--	--
4		Type (`B.TYPE`)	N	--	--
5		Registered reason (`B.REASON`)	Y	Match Does not match	You can specify a maximum of 100 operands. Specify a decimal value from -2147483648 to 2147483647.
6		Source process ID (`B.PROCESSID`)	Y	Match Does not match
7		Registered time (`B.TIME`)	Y	Time range	Specify the start date and time and the end date and time of a range, or specify a period. A match occurs when the time value satisfies the condition `range-start-date-and-time` ≤ `time` ≤ `range-end-date-and-time`.
8		Arrived time (`B.ARRIVEDTIME`)	Y	Time range
9		Source user ID (`B.USERID`)	Y	Match Does not match	You can specify a maximum of 100 operands. Specify a decimal value from -2147483648 to 2147483647.
10		Source group ID (`B.GROUPID`)	Y	Match Does not match
11		Source user name (`B.USERNAME`)	Y	Match First characters Does not match Is contained Is not contained Regular expression	You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. Operands are case sensitive.
12		Source group name (`B.GROUPNAME`)	Y
13		Event source server name (`B.SOURCESERVER`)	Y	Match First characters Does not match Is contained Is not contained Regular expression	You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. If `ON` is specified in the `-ignorecasehost` option of the `jcoimdef` command, operands are not case sensitive. You can specify a business group.
14		Destination event server name (`B.DESTSERVER`)	N	--	--
15		Source IP address (`B.SOURCEIPADDR`)	Y	Match First characters Does not match Is contained Is not contained Regular expression	You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. Operands are case sensitive. If the address is an IPv6 address, use lower-case alphabetic characters for the specification.
16		Destination IP address (`B.DESTIPADDR`)	N	--	--
17		Source serial number (`B.SOURCESEQNO`)	N	--	--
18		Code set (`B.CODESET`)	N	--	--
19		Message (`B.MESSAGE`)	Y	Match First characters Does not match Is contained Is not contained Regular expression	You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. Operands are case sensitive.
20		Event details (`B.DETAIL`)	N	--	--
21	Extended attributes (common information)	Original severity level (`E.SEVERITY`)	Y	Match Attribute value specified Attribute value not specified	You can specify multiple operands from among emergency, alert, critical, error, warning, notice, information, and debug.
22		User name (`E.USER_NAME`)	Y	Match First characters Does not match Is contained Is not contained Regular expression	You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. Operands are case sensitive.
23		Product name (`E.PRODUCT_NAME`)	Y
24		Object type (`E.OBJECT_TYPE`)	Y
25		Object name (`E.OBJECT_NAME`)	Y
26		Root object type (`E.ROOT_OBJECT_TYPE`)	Y
27		Root object name (`E.ROOT_OBJECT_NAME`)	Y
28		Object ID (`E.OBJECT_ID`)	Y
29		Occurrence (`E.OCCURRENCE`)	Y
30		Start time (`E.START_TIME`)	Y	Time range Match First characters Does not match Is contained Is not contained Regular expression	When the operator is time range: Specify the start date and time and the end date and time of a range, or specify a period. A match occurs when the time value satisfies the condition `range-start-date-and-time` ≤ `time` ≤ `range-end-date-and-time`. The attribute value is converted to a number of seconds (0 to 474,102,444,799) for the comparison. If the attribute value is outside this range, the condition does not match. When the operator is not time range: You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. Operands are case sensitive.
31		End time (`E.END_TIME`)	Y
32		Result code (`E.RESULT_CODE`)	Y	Match First characters Does not match Is contained Is not contained Regular expression	You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. Operands are case sensitive.
33		Event source host name (`E.JP1_SOURCEHOST`)	Y	Match First characters Does not match Is contained Is not contained Regular expression	You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. Operands are case sensitive. You can specify a business group.
34	Extended attribute (user-specific information)	`E.xxxxxxx`	Y	Match First characters Does not match Is contained Is not contained Regular expression	You can specify a maximum of 100 operands. However, only a single operand can be specified when the operator is regular expression. Specify a string that does not contain control characters. Operands are case sensitive. As the attribute name (`XXXXXXX`), you can specify a string of 32 or fewer bytes that begins with an upper-case alphabetic character and consists of upper-case alphabetic characters, numeric characters, and underbars (_).

Legend:

Y: Can be specified.

N: Cannot be specified.

--: None

To Page Top

(3) Grouping repeated events by duplicate attribute value condition

When you suppress repeated-event monitoring, you can suppress the events that match a repeated event condition by grouping the events according to attribute. This type of condition is called a duplicate attribute value condition.

You can specify duplicate attribute value conditions for each repeated event condition on the Options page of the Repeated Event Condition Settings window. The maximum number of duplicate attribute value conditions you can specify for a repeated event is 3.

The following are the names of the attributes that can be specified in duplicate attribute value conditions: event source server name (B.SOURCESERVER), destination event server name (B.DESTSERVER), message (B.MESSAGE), event ID (B.ID), registered reason (B.REASON), source user ID (B.USERID), source group ID (B.GROUPID), source user name (B.USERNAME), source group name (B.GROUPNAME), event source host name (E.JP1_SOURCEHOST), and E.xxxxxxx (extended attribute, which relates to common or user-specific information). These attributes are case sensitive. However, if ON is specified in the -ignorecasehost option of the jcoimdef command, the event source server name (B.SOURCESERVER), destination event server name (B.DESTSERVER), and event source host name (E.JP1_SOURCEHOST) are not case sensitive.

Attribute values are compared for full matching. If repeated events do not have any attributes (that is, the attribute values are empty strings), the repeated events are grouped together as repeated events without attributes, and their monitoring is suppressed accordingly. If a repeated event does not have an attribute that is specified in a duplicate attribute value condition, the repeated event is treated as a repeated event without attributes.

Suppose, for example, that the repeated event condition is the "event whose Message value is Error." The following figure shows the difference in operation depending on whether an event source host name is specified as a duplicate attribute value condition.

Figure 4‒37: Difference depending on whether a duplicate attribute value condition is specified

When an event source host name is specified as a duplicate attribute value condition:

When a duplicate attribute condition is specified, events can be monitored for each agent.

First, the JP1 events issued by agents arrive at JP1/IM - Manager.

When the execution of actions is suppressed, JP1/IM - Manager suppresses actions for the event whose Message value is Error (repeated event condition) and for the event source host name (duplicate attribute value condition). In the example shown in the above figure, an action is executed for the first error event that arrives from hostA and that arrives from hostB. For subsequent events that arrive, actions are suppressed.

JP1/IM - View consolidates events at the event level for an event whose Message value is Error (repeated event condition) and at the event source host name level (duplicate attribute value condition), and displays consolidated events. In the example shown in the above figure, the first error event that arrives from hostA and that arrives from hostB is displayed. Subsequent events that arrive are consolidated separate into the error event on hostA and into the error event on hostB, and displayed.
When no duplicate attribute value condition is specified:

JP1/IM - Manager can monitor all of the events issued by the agents it monitors regardless of the event source agent.

First, the JP1 events issued by agents arrive at JP1/IM - Manager.

When the execution of actions is suppressed, JP1/IM - Manager suppresses actions for an event whose Message value is Error (repeated event condition). In the example shown in the above figure, an action is executed for the first error event that arrives. For subsequent events that arrive, actions are suppressed regardless of event source agent.

JP1/IM - View consolidates events at the event level for events whose Message value is Error (repeated event condition). In the example shown in the above figure, the first error event that arrives is displayed. Subsequent events that arrive are consolidated into the error event and displayed as consolidated events regardless of the event source agent.

To Page Top