Threshold Triggering Options
Consider the following factors for determining your triggering options:
- The minimum threshold value you can set is 1.
- Triggering actions on every or subsequent occurrence can quickly use up resources. Use these options conservatively.
- For threshold-based triggers, only a single correlation event is triggered on receipt of any single incoming event, even if that event has an aggregated event count high enough to trigger multiple firings. This is by design to prevent excessive firings. For example, if a rule has a threshold of 10, an event with an aggregated event count of 200 triggers only one rule firing (not 20).
Trigger Thresholds
Trigger
Threshold
On First Event
The first time rule conditions are met, overriding aggregation threshold settings. This is the default trigger.
On Subsequent Events
The second and subsequent times rule conditions are met (not the first), overriding aggregation threshold settings.
On Every Event
Every time rule conditions are met, overriding aggregation threshold settings.
Note: This is the only trigger available for lightweight and pre-persistence rules.
On First Threshold
For the number of matches greater than 1, the first time rule conditions and threshold settings are met.
On Subsequent Thresholds
For the number of matches greater than 1, the second and subsequent times rule conditions and threshold settings are met, not the first.
On Every Threshold
Every time rule conditions and threshold settings are met.
On Time Unit
Defines an action to take if the given threshold is met in the specified number of minutes (When: On Time Unit: Every <NumberOfMinutes>).
Notes:
- With On Time Unit (OTU), the minimum threshold value you must set is 2.
  This setting can work in conjunction with aggregation to limit the number of times a rule is triggered. For example, aggregation is set to 2 matches in 1 minute and you get 50 matches in 1 minute (depending on how you set the rule actions). If you then specify the rule to trigger at On Time Unit = 1 minute, even if there were 50 matches in 1 minute, the rule would only trigger once per minute when the aggregation threshold is met.
- The list of correlated events attached to the On Time Unit trigger excludes the events composing the first threshold. For example, if the threshold is 2 and 5 matching events are found, the first 2 events are excluded and only the remaining 3 are included in the list of correlated events.
  If you want to include the missing first two events for the threshold rule firing, you can additionally use the On First Threshold or On Every Threshold trigger in conjunction with On Time Unit. In this case, you will not see the first two events as part of On Time Unit. Instead, the first two events will be part of On First Threshold or On Every Threshold.
- Activating On Time Unit does not imply that a rule is triggered on the first event, on subsequent events, or on every event that meets conditions. This specifically sets the rule to trigger for every given On Time Unit if aggregation thresholds are met.
- Be sure to set On Time Unit to less than or the same value as the aggregation Time Frame to prevent getting an extra correlation event for the rule itself.
On Time Window Expiration
Expiration time of threshold settings
When the On Time Window Expiration (OTWE) trigger is activated, it includes an option to display a cumulative rule chain (a summary of triggered rules) at the end of the triggered rules list.
By default, the cumulative rule chain option on an activated OTWE trigger is off. To toggle the option between On and Off, right-click the active OTWE trigger and select On or Off on the cumulative rule chain option as needed.
When an OTWE trigger activates a rule, a correlation event is generated. If the cumulative rule chain option is on, the correlation event contains all the base events from the first threshold to the time window expiration.
If the cumulative rule chain option is off, the generated correlation event contains events from the last threshold to the time window expiration.
Limitation: Unique aggregation does not work with the On Time Window Expiration trigger if the cumulative rule chain option is set to on. See Setting or Changing Rule Thresholds for information on unique aggregation in rules.
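
The following Python sketch is an added example, not part of the product or its documentation. It models how many times each event-based and threshold-based trigger in the table fires for a stream of matching events inside a single aggregation time frame, which helps estimate rule-action load before enabling a trigger. The function name, the single-time-frame simplification, and the reset of the match counter after each threshold are assumptions of this model.

```python
from collections import Counter

EVENT_TRIGGERS = ("On First Event", "On Subsequent Events", "On Every Event")
THRESHOLD_TRIGGERS = ("On First Threshold", "On Subsequent Thresholds",
                      "On Every Threshold")


def count_firings(aggregated_counts, threshold):
    """Count firings per trigger for matching events in one time frame.

    aggregated_counts: the aggregated event count carried by each incoming
    event that meets the rule conditions (hypothetical input format).
    """
    if threshold < 1:
        raise ValueError("the minimum threshold value is 1")
    firings = Counter()
    running = 0          # matches accumulated toward the next threshold
    thresholds_met = 0
    for n, count in enumerate(aggregated_counts, start=1):
        # Event-based triggers override the aggregation threshold.
        firings["On Every Event"] += 1
        firings["On First Event" if n == 1 else "On Subsequent Events"] += 1
        # Threshold-based triggers: at most one firing per incoming event,
        # however large its aggregated event count is.
        running += count
        if running >= threshold:
            running = 0  # ASSUMPTION: counter restarts after a firing
            thresholds_met += 1
            firings["On Every Threshold"] += 1
            key = ("On First Threshold" if thresholds_met == 1
                   else "On Subsequent Thresholds")
            firings[key] += 1
    return {t: firings[t] for t in EVENT_TRIGGERS + THRESHOLD_TRIGGERS}


if __name__ == "__main__":
    # Constructed samples: one event with aggregated count 200, then
    # 25 single events, both against a threshold of 10.
    for sample in ([200], [1] * 25):
        print(len(sample), "events:", count_firings(sample, threshold=10))
```
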