Define Compress Context parameters for Correlation Situation elements

The Compress Context combines repeated similar events into the same log entry, reducing clutter in the Logs view.

CAUTION:
Be careful when defining the Compress Context options. You must make sure that all event data you compress is part of the same event. Otherwise you risk losing valuable event information.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Browse to the Situations you want to compress in the left pane of the dialog box and drag and drop them into the Correlated Situations field.
    CAUTION:
    In custom Correlation Situations, logging might be automatically enabled for the correlated Situations even if the correlated Situations do not normally have logging enabled. If the Situations produce a large amount of log data and correlation is done on the Log Server, the increased amount of log data might overload the network or the Log Server even if no correlation matches occur.
  2. Enter the Time Window Size in seconds. The matches to the Situations selected are combined to a common log entry when they are triggered within the defined time period.
  3. Enter the Events per Window. This defines the maximum number of events that are forwarded within the Time Window defined.
  4. Select a Log Fields Enabled option.
  5. Double-click the Event Binding field and select the Event Binding that is used by the matching option you selected in the previous step.
  6. Select a Location to determine the execution order of this Compress operation in relation to other Compress operations. Operations that share the Location are executed in parallel; each compress operation receives the same events as the other compress operations in the same Location. The next Location receives only the events that are left after the compression.
    CAUTION:
    Be careful when using the Early or Very Early Locations. The compression can affect the other types of correlation tasks.
  7. Click Edit and define a Compress filter in the Local Filter Properties dialog box. The filter is used for filtering data to be included in the compression.
  8. Make sure that Engine Only is selected as the Usage Context.
    Note: The purpose of the Compress context is to reduce the amount of data that is sent to the Log Server. Including the Log Server in the Usage Context of a Compress context actually increases the amount of data that is sent to the Log Server.