Creating Correlation Rules - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual


3 The Rule Wizard displays. Select one of the following rule types and follow the steps for that
particular rule type:
Simple
Composite
Aggregate
Sequence
Custom/Freeform
4 Define the update criteria for the rule.
If you select Continue to perform actions every time this rule fires, the rule fires every time the
criteria are met. If you select Do not perform actions every time this rule fires for the next (t)
time, the rule fires only once per user-defined time period.
All the other events that match the Correlation rule within the specified time are grouped
together with this correlated event. This user-defined time period can be a certain number of
seconds, minutes, or hours.
5 Click Next.
6 Provide the rule name. The syntax of the rule is checked at the time it is created.
7 Under Namespace, select a Correlation rule folder in which to store the rule.
8 Type the description of the rule.
9 Click Next. The rule is created and is displayed in the Correlation Rules Manager window.
10 Select Yes if you want to create another rule or select No if you do not want to create another
rule. Click Next.
The rule types and the steps to create them are described in Section 4.3.6, "Creating Correlation
Rules," on page 87.
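The two update-criteria options in step 4 can be modelled in a few lines. The following Python is an added illustration, not Sentinel code and not RuleLG; the rule condition, field names (EventName, TargetUserName) and sample events are assumptions made for the example.

```python
# Model of the two 'update criteria' options in step 4 of the rule wizard.
# Constructed illustration, not Sentinel code or RuleLG; names and events are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

@dataclass
class CorrelatedEvent:
    fired_at: float      # timestamp of the event that made the rule fire
    trigger: Event       # that event
    grouped: List[Event] = field(default_factory=list)  # later matches inside the window

@dataclass
class CorrelationRule:
    matches: Callable[[Event], bool]  # stands in for the rule's filter condition
    # True = "Continue to perform actions every time this rule fires";
    # False = "Do not perform actions every time this rule fires for the next (t) time"
    fire_every_time: bool = True
    window_seconds: float = 0.0
    _open: Optional[CorrelatedEvent] = None  # correlated event still collecting matches

    def process(self, event: Event) -> Optional[CorrelatedEvent]:
        """Return a new correlated event when the rule fires, otherwise None."""
        if not self.matches(event):
            return None
        ts = float(event["ts"])
        if self.fire_every_time:
            return CorrelatedEvent(ts, event)
        # Window mode: a match within (t) of the open correlated event is grouped into it.
        if self._open is not None and ts - self._open.fired_at < self.window_seconds:
            self._open.grouped.append(event)
            return None
        self._open = CorrelatedEvent(ts, event)
        return self._open

def run(rule: CorrelationRule, events: List[Event]) -> List[CorrelatedEvent]:
    # Feed time-ordered events and collect every correlated event the rule produced.
    return [ce for ce in (rule.process(e) for e in events) if ce is not None]

def failed_login(e: Event) -> bool:
    return e["EventName"] == "AuthenticationFailed"

# Constructed sample events (ts in seconds): four failed logins and one success.
SAMPLE_EVENTS: List[Event] = [{"ts": t, "EventName": n, "TargetUserName": "alice"} for t, n in
    [(0, "AuthenticationFailed"), (20, "AuthenticationFailed"), (45, "AuthenticationSucceeded"),
     (70, "AuthenticationFailed"), (125, "AuthenticationFailed")]]

if __name__ == "__main__":
    every = run(CorrelationRule(failed_login), SAMPLE_EVENTS)
    once = run(CorrelationRule(failed_login, False, 60), SAMPLE_EVENTS)
    print(len(every), "fires vs", len(once), "fires grouping", [len(c.grouped) for c in once])
```

With a 60-second window the four failed logins produce two correlated events instead of four, each carrying the one later match that fell inside its window.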

4.3.6 Creating Correlation Rules

Correlation rules can be defined in the Correlation Rule Wizard by walking through the wizard or by
choosing the Custom/Freeform option to write the rule in the proprietary RuleLG language. All rule
definitions are stored in the database in RuleLG.
Correlation rules can be defined based on any populated event field.
NOTE: When creating a rule, you can refer to a dynamic list for it. For more information, see
Section 4.4.5, "Using a Dynamic List in a Correlation Rule," on page 100.
"Simple Rule" on page 88
"Aggregate Rule" on page 90
"Composite Rule" on page 92
"Sequence" on page 93
"Custom or Freeform Correlation Rules" on page 94
Correlation Tab
87
