'); $("#tabs").tabs({ selected: 1 }); $("#ic-homepage__ic-tips").append( quickTipHTML() ); unhideOneProductTip(); $("#ic-homepage__product-tips").wrapInner('

'); $("#ic-homepage__feed-tips").wrapInner('

'); });

IBM Tivoli Monitoring > Version 6.3 > User's Guides > Log File Agent User's Guide > Event filtering and summarization IBM Tivoli Monitoring, Version 6.3

---

View event filtering and summarization in the Tivoli Enterprise Portal

Examples of how data is treated depending on your event filtering and summarization choices.

The agent maintains a cache of the last events received. By default, this cache is 100 in size. If you enable event filtering and summarization for the agent, differences can occur between the number of events in the cache and the number of events sent to IBM Tivoli Monitoring. Additional events in the cache might not reach the designated threshold for sending. Or you might have fewer events in the cache if you selected the send_all option. If the send_all option is set, an event is sent each time a duplicate occurs. However only one copy of the event is kept in the cache, and the occurrence count is incremented each time the event occurs. To view the events that are sent to IBM Tivoli Monitoring, create a historical view. For information about creating historical views, see Historical Reporting in the Tivoli Enterprise Portal User's Guide. You can compare this view with the real-time cache view in the Tivoli Enterprise Portal. You can also use situations to make the same comparison.

The following examples indicate how the same data is treated depending on your choice, if any, of event filtering and summarization. Four agent instances are created, one for each of the four possible values of the EventFloodThreshold setting. The instances have the same name as the value of EventFloodThreshold that they use in the .conf file. All four instances use CustomSlot1 as the duplicate detection key, controlled by the following .conf file setting:

DupDetectionKeyAttributes=CustomSlot1

Each instance uses the same format definition, as follows:

REGEX DupExample
example: (.*)
example $1 CustomSlot1
msg PRINTF("The example is %s", example)
END

All four instances monitor the same text log. The same line of text was added to the monitored log 10 times:

example: This is an error

In each example, a historical view and the real-time (cache) view is shown. By default, the historical view shows the newest events in the last rows, while the default real-time view of the cache shows the newest events in the first rows. In these examples, the historical view shows the last 1 hour. CustomSlot2-10 are hidden in these examples.

As new events arrive, you can see them in the cache view. As duplicates of an event arrive, the data is updated in the existing row. When a summary interval elapses, the existing events are converted to summary events and sent. New rows are then added for the next summary interval.
Figure 1 shows the historical view and cache view if you selected the send_all option in the .conf file. The send_all option is the default option. The 10 events and the summary event are shown in the historical view.

Figure 1. Historical view and cache view when send_all is selected

Figure 2 shows the historical view and cache view if you selected the send_none option in the .conf file. Only the summary event is shown in both views.

Figure 2. Historical view and cache view when send_none is selected
Figure 3 shows the historical view and cache view if you selected the send_first option in the .conf file. The first event received in the summary interval and the summary event for the interval are shown in the historical view.

Figure 3. Historical view and cache view when send_first is selected
Figure 4 shows the historical view and cache view if you selected the nInteger option in the .conf file and entered a value of 5. An event is shown only when five duplicates of an event (including the first event) are received in the interval. If less than five duplicates are received, no event is shown. If 6, 7, 8, or 9 duplicates are received in the interval, one event is shown. As 10 duplicates were received, 2 events are shown, plus the summary event.

Figure 4. Historical view and cache view when nInteger is selected

Parent topic:

Event filtering and summarization

---

+

Search Tips   |   Advanced Search