Aggregation Time Criteria
The ArcSight Console provides time-evaluation criteria that can affect event-occurrence aggregation and rule triggering. You apply these to rules through the Aggregation tab and the statement panel of the Conditions tab.
Aggregation is based on an event's End Time value, not Manager Receipt Time. However, events are not kept in memory indefinitely, therefore if some events are received after a long delay (such as an hour or so), they will not be matched with events that have already been removed from memory.
Note: Aggregation Time in Distributed Correlation
If you have join rules, rules with negated event aliases, or non-join rules based on thresholds, you might observe that the rules will not trigger. This is due to aggregation time that is too short. If the events arrive at the aggregator at different times, it is possible that the first matching event has expired by the time the second matching event arrives.
Workaround: If rules do not trigger, increase the aggregation window time (Time Frame option).
Related topics:
Aggregation Time Criteria |
|
---|---|
Criteria |
Application |
Set on the Rule Editor's Aggregation tab, Time Frame establishes the time span for occurrence aggregation. Event-occurrence aggregation is always controlled by Time Frame. Secondarily, Time Frame becomes the default for global and alias expiration time, if these are not set separately. Note: You can set the Rule Action trigger On Time Unit in conjunction with the Aggregation Time Frame to limit the number of times a rule is triggered. See Threshold Triggering Options. |
|
Global Expiration |
Set on the Conditions tab, a global expiration applies to an entire rule. This is the amount of time that qualifying events for all aliases are retained in memory for evaluation, based on Manager receipt-time. Setting an alias expiration overrides a global expiration, if present. To set Global Expiration, right-click the rule's root node (Correlate) in the Conditions tab and choose Set Global Expiration Time. |
Set on the Conditions tab, an alias expiration applies to a single event alias within a rule. This is the amount of time that, for this alias only, a qualifying event is retained in memory for evaluation, based on Manager receipt time. Setting an alias expiration overrides a global expiration, if present. To set Alias Expiration, right-click an event alias in the Conditions tab and choose Set Alias Expiration Time. An event with an expiration time is displayed with an indicator, for example:
To remove the alias expiration time, right-click the event alias and change the time to 0. |
|
Matching Time |
Set on the Conditions tab, a matching time creates a time-proximity comparison for multiple-alias rules, based on events' actual creation times. When two or more rule-condition aliases are present, a Matching Event node appears. You can right-click this node and choose Set Matching Time to require events' original timestamps (specifically, the event's original end-time) to fall within a range. Note that this time-proximity test is independent of and different than the memory-retention parameter set by global or alias expiration. |
Set on the Conditions tab, you are prompted to set a time out value in seconds, minutes, or hours when you set an event alias to Negated. The time out begins after receipt of all positive events. If a negated event is not received within this time out period, then the rule is triggered. Note: If you have multiple negated events with different time out settings, the longest time out period takes precedence. |