[Tony]

Hey everybody,

I'm currently trying to work out the best way to create alerting for what I call "non-events", as in transfers for which an expected event does not occur. For example, we may use Gateway (XFB) to reach out to a remote site and do a directory listing every 15 minutes for a file that we expect at the top of every hour. XFB isn't smart enough out of the box to know not to execute a scheduled event when the first instance of that event was successful, so we're stuck executing every 15 minutes.

In Sentinel, I could create a correlation rule that says if the directory listing returns a 0 byte file (meaning no files listed), to create an alert. Unfortunately we may get the file on the 2nd instance of the scheduled pull, in which case the alert would be valid. Likewise, were I to schedule an alert for the event that the directory listing on the 2nd instance of the scheduled pull was empty, we don't necessarily want to create an alert because the 1st instance may have retrieved the file.

Has anybody found a useful way to handle this in Sentinel/Gateway?

Thanks all,

Tony Lloyd

[Tony]

Alright, I believe I have everything straightened out for creating alerts for when we are doing a directory listing from a remote site and don't pull anything. I got it to work by creating a correlation rule for a trigger of receiving the directory listing from a certain server. Essentially I'm looking for a specified period of time and saying that if we got a directory listing but not a real transfer, to trigger an alert. I got it to work for a daily file, but I need to be able to get more specific, like if we don't receive a transfer between 4:00 p.m. and 4:50 p.m. but we did receive a directory listing, send an alert. Here's what I used for the evaluation of transfers occuring over a day -

TrkCreateRuleVar("eventCountVar1","Numeric",TrkSelectEventCount("XFBTransfer","Historic", TrkWhere("CommandType='F' and Application='BVOMNHT' and ReceiverId='%1' and Direction='%2' and SenderId='%3' and EventDate='%4' and State='RECEIVED' and IsAlert='0' ",$ReceiverId,$Direction,$SenderId,$EventDate)))

I'm just unsure how to modify it to include criteria in the TrkSelectEventcount statement that says it's between time x and y. Can somebody help me with that syntax?

Thanks!
Tony

[Tony]

Bala from support was able to help me out yesterday. I completely overlooked the concepts of > and < for some reason, but you can specify specific times in your statement by including a simple "and EventTime>'hh:mm:ss' AND EventTime<'hh:mm:ss"

For my purpose I wanted to see how many transfers occurred between 8 and 8:46 a.m. so it looks like this

TrkCreateRuleVar("eventCountVar1","Numeric",TrkSelectEventCount("XFBTransfer","Historic", TrkWhere("CommandType='F' and Application='BVOMNHT' and ReceiverId='%1' and Direction='%2' and SenderId='%3' and EventDate='%4' and State='RECEIVED' and EventTime>'08:00:00' and EventTime<'08:46:00' and IsAlert='0' ",$ReceiverId,$Direction,$SenderId,$EventDate)))

Now my alerting does exactly what I wanted it too, how exciting!