Creating an Event Filter

Use this dialog to create an event filter or change an existing event filter. Not every action plan builder will contain all of the following options.

Any
By default, Any is selected for all filtering categories, indicating that all filtering criteria apply. You must deselect Any to select or enter a filtering criteria for a specific filtering category.
File=>
Rename
Select this option to change the name of this filter.
Save
Select this option to save the latest changes you have made to this filter.
Save As
Select this option to close the dialog and save the current settings under a new filter name.
Close
Select this option to close this dialog. If you have not saved all of your changes, you are prompted to save your data before you exit.
Severity
Identifies the urgency of the event. Severity is typically used in action plans because it identifies potentially urgent problems requiring immediate attention.

You can select multiple levels of severity as filtering criteria. Logical OR applies for multiple selections.

For example: if you select Fatal and Critical, the filtering criteria matches if the originator of the event classifies the event as Fatal or as Critical.

Severity levels in the order of most severe to least severe are:

Fatal
The application that issued the event has assigned a severity level indicating that the source of the event has already caused the program to fail and should be resolved before the program is restarted.
Critical
The application that issued the event has assigned a severity level indicating that the source of the event may cause program failure and should be resolved immediately.
Minor
The application that issued the event has assigned a severity level indicating that the source of the event should not cause immediate program failure, but should be resolved.
Warning
The application that issued the event has assigned a severity level indicating that the source of the event is not necessarily problematic, but may warrant investigation.
Harmless
The application that issued the event has assigned a severity level indicating that the event is for information only; no potential problems should occur.
Unknown
The application that generated the event did not assign a severity level.
Day/Time
Enables you to specify day and time ranges for a filter. Specifying a day and time range in a filter adds control over when actions are run and therefore not run.

Use the pull-down menus to select values in each category, then click the Add button when you finish the selections. Your settings are added to the selections pane.

You can create as many day/time range entries as you like. Each time you create a day/time range entry, click Add to add the entry to the list in the selections pane.

To remove an entry from the selections pane, click on the entry, then click the Delete button.

The time zone that applies to the day/time filtering entries is the time zone in which the %ProductServerName% is located. If your console is not in the same time zone as the server, the difference in time zones is shown above the selections pane.

For example:  if the %ProductServerName% is located in New York and your console is located in California, the time zones displayed and used are Eastern Standard Time (EST), and the following is displayed above the selections pane: Server Time - Local Time = 3 Hours

Day of the Week
Use the pull-down menu to select the day of the week to which this filter is to apply. Weekday (Monday - Friday) and weekend (Saturday & Sunday) selections are available.
Starting Time
Use the pull-down menu to select the starting time of an interval within which this filter is active.
Ending Time
Use the pull-down menu to select the ending time of an interval within which this filter is active.
Add
Adds your day and time selections to the list in the selections pane. You can add multiple day/time entries to the list.
Delete
Deletes a day/time entry from the list of entries in the selections pane. To delete an entry, select it, then click this button.
Block queued events
Select this checkbox to avoid filtering on events that had to be queued for transmission to the %ProductServerName%. Multiple events can be queued for transmission to the %ProductServerName% if the system for which the event was generated cannot send the event at the time of its occurrence. This option can be useful if the timing of the event is important or if you want to avoid filtering on multiple queued events that are sent all at once when the %ProductServerName% becomes accessible.
Category
Specifies the resolution status of the event as a filtering criterion.
Alert
Signifies the problem.
Resolution
Signifies that the problem has been resolved and is no longer a problem.

Event Text
Specifies the event text of the event as the filtering criterion.
Any word
Any of the words specified in the filter can be present in incoming event to match this filter.
All words
All words specified in this filter should be present in the incoming event to match this filter.
Exact phrase
Text specified in this filter should match exactly with text of the incoming event
Case Sensitive
Text specified in this filter should match exactly, including case, with text of the incoming event

Extended Attributes
Enables you to qualify the filtering criteria using additional Keywords and keyword Values that can be associated with some categories of events, such as SNMP. These additional keywords and corresponding values are referred to as the event's extended attributes.

This category can be particularly useful for narrowing the filtering criteria to a lower level of detail, for example, to isolate one or more values originating from a specific system.

You can also view the extended attributes of a specific event by opening the Event Log task in the Tasks pane of the %ProductName% Console and select an appropriate event from the list. The event's extended attributes, if present, are displayed at the bottom of the Event Details panel, below the Sender Name category.

Because event types are hierarchical, an event with a particular event type has its associated extended attributes as well as the extended attributes of its parent event types. For example, the event type Director.Topology.Offline has extended attributes for Director.Topology.Offline and Director.Topology.

You can specify keywords and values in Extended Attributes only if one event type is selected. If the current event type is set to Any, Extended Attributes is disabled. Extended Attributes is also disabled if multiple event types are selected. If the Extended Attributes panel is enabled for a specific event type but no keywords are listed, the %ProductServerName% is not aware of any keywords that can be used for filtering.

An event will meet the filtering criteria as follows:

Any
By default, this check box is selected indicating to filter on all extended attributes. Deselect Any to select specific keyword/value pairs.
Keywords
Select the keywords on which you want to filter. If no keywords are listed, the %ProductServerName% has not been made aware of or has not published the keywords for the selected event category. You can select multiple keywords.
Values
Specifies a value for the keyword on which you want to filter. You can specify multiple values, but you cannot specify a range of values.

If you want to enter multiple values for a single keyword, use the Add key each time you want to add a value.

Boolean OR is used to determine if an event's extended attributes meet the filtering criteria for multiple values of a single keyword.

If you enter more than one keyword/value pair, Boolean AND is used to determine if an event's extended attributes meet the filtering criteria (all keyword values must be true).

Case Sensitive
Select this option if the specified keyword value should be filtered as case sensitive.
Update
Allows you to change the value of a selected keyword/value pair.
  1. Select a keyword/value pair.
  2. Select Values to change the corresponding value.
  3. Select Update to make the change take effect.
Delete
Deletes a selected keyword/value pair as a selection criterion.
Frequency

Note: This only appears for Duplication and Threshold Event Filters.
Interval
For Duplication Event Filters, the Interval field can be used without using the Count field (Count=0). Interval specifies a window of time that begins when an event meets the filtering criteria. The first occurrence of an event that meets the criteria triggers associated actions and starts a countdown of the units that define the interval. For example, if you enter 10 and select seconds, a 10-second timer starts when an event meets the filtering criteria. If Count is set to 0, all other instances of an event meeting the criteria do not trigger associated actions during the interval.

If Interval is set to a value greater than 0 and Count is set to a value greater than 0, after the first occurrence of an event meets the filtering criteria, the value entered in Count (n) specifies the number of times an event must meet the criteria within the interval before associated actions can be triggered again. If an event meets the criteria for the nth time within the interval, the next time (n+1) an event meets the criteria, associated actions are triggered, the count is reset, and the interval is reset.

For Threshold Event Filters, the Interval field must be used in conjunction with the Count field. Interval specifies a window of time that begins when an event meets the filtering criteria. The first occurrence of an event that meets the criteria does not trigger associated actions, but starts a countdown of the units that define the interval. For example, if you enter 10 and select minutes, a 10-minute timer starts when an event meets the filtering criteria. The value entered in Count specifies the number of times (n-1) an event has to meet the criteria before associated actions are triggered. The first n-1 events that occur within the interval do not cause associated actions to trigger. The nth time an event meets the criteria within the interval, associated actions are triggered, the count is reset, and the interval is reset.

Count
For both duplication and threshold event filters, the Count field can be used without using the Interval field (value=0 for selected type of interval).

For Duplication Event Filters, Count must be an integer from 0 to 100 and specifies the number of duplicate events to ignore after the first occurrence of an event meets the filtering criteria. For example, if you enter 5 in Count, an event must meet the criteria 6 times after the first event meets the criteria to trigger associated actions again.

If you specify an interval and Count is set to the value 0, the first time the criteria are met the associated actions trigger, the interval countdown begins, and no actions are triggered during the interval.

For Threshold Event Filters, Count must be an integer from 1 to 100. Count specifies the number (n-1) of events that must meet the filtering criteria before associated actions are triggered. The first n-1 events are ignored. For example, if you enter the value 5 in Count, the first 4 duplicate events are ignored and the fifth event triggers associated actions.

Excluded Event Type
Note: This only appears for Exclusion Event Filters.

Use this to identify sources of events within the network that you want to exclude from the event filtering criteria specified using the Event Type. That is, you can filter on a specified group of events but exclude certain events that meet the criteria selected on this page. The exclusion filter can be useful also in identifying the criteria that do not apply rather than identifying all the criteria that do apply.

System Variables
This is only enabled if one or more system variables exist. You can create a system variable using the Set Event System Variable event action.

System Variables are user-defined keyword/value pairs that are known only to the local %ProductServerName%. You can further qualify the filtering criteria by specifying a system variable.
Note:  These user-defined system variables are not associated with NT system variables in any way.

Refer to Understanding System Variables for more information on how to use system variables.