Correlated Missing Events

 

Updated: May 13, 2016

Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager

A correlated missing event monitor in Operations Manager determines an error by the absence of a particular event after the occurrence of another. This resembles the missing event monitor except that instead of searching for the missing event in a particular time window, the monitor searches for the event in a particular time after another event is first detected.

For example, consider an application that performs a backup each evening and creates an event when it starts and a second event when it has completed successfully. A correlated missing event monitor could be created that searches for the event in a particular time window each evening. If both events are detected, then the monitor remains in a healthy state. If the first is found, then the timer starts. If the time is reached before the second event is detected, then the state change is triggered to indicate that the last backup did not occur successfully.

Correlated Missing Events Example

The following table provides an example of a correlated missing event monitor by using the first and the last occurrence of the first event. The monitor uses the following details:

  • Missing Event Log A: Event 1

  • Missing Event Log B: Event 2

  • Correlation interval: 2 minutes

  • Number of occurrences of Event 2: 3

  • Health state on correlation: Critical

  • Reset Logic: Event reset using Event 3

Time

Event

First Occurrence

Last Occurrence

00:00:00

-

Healthy

Healthy

00:01:00

Event 1

Healthy

Healthy

1:30

Event 2

Healthy

Healthy

00:02:00

Event 2

Healthy

Healthy

00:02:30

Event 1

Healthy

Healthy

00:03:00

-

Critical

Healthy

00:03:30

Event 2

Critical

Healthy

00:04:00

Event 2

Critical

Healthy

00:04:30

-

Critical

Critical

00:05:00

Event 3

Healthy

Healthy

  • The First Occurrence triggers a critical state at 00:03:00 because Event 2 has not been detected 3 times in the 2 minute interval since the first occurrence of Event 1 at 00:01:00.

  • The Last Occurrence does not trigger a critical state at 00:03:00 because Event 1 occurs at 00:02:30 resetting the timer. The critical state is not triggered until 00:04:30 when Event 2 has not been detected in the 2 minutes interval since the last occurrence of Event 1 at 00:02:30.

  • The single occurrence of Event 3 at 00:05:00 resets both monitors to healthy.