FIDO: Correlated item count

The 'correlated' count describes how many alarms have been correlated via non comment correlation means into a single alarm line.  By non comment correlation means, I imply a correlation derived from the network topology.



In the above example, 3646 alarms are correlated to the snmp_node of r-432nm-mdf-1 being unreachable.

Firstly, a snmp_node test describes several repeated failed attempts to snmp poll the management plane of a device.  It doesn't conclusively indicate a forwarding issue, but it means there are monitored items that are in an unverifiable state, which is grounds for an alarm.

In this case, the alarm suffixes additional data: '3586 suppressed'.  An explanation of suppression can seen here: FIDO: Object Suppression .  In this case, there are 3586 instances on r-432nm-mdf-1 that cannot be verified.

The FIDO snmp polling engine polls many OIDs for the device in question.  What is being polled can be read about here: [Link for document 35504 is unavailable at this time.] .  Some of these OIDs are used for alarms [ifOperStatus, for example]. Some are used for storage into rrds [per process CPU usage].  Some are used for alarming or storing [sysUptime].  While it can be configured differently, by default, only instances that would result in an alarm are tallied in the 'suppressed' count; instances polled -purely- for RRD storage do not count as they do not represent actionable items.

The other 58 alarms [3646 - 3586 = 58] are likely alarms that were correlated to the node by virtue of being behind r-432nm-mdf-1 from a topology perspective, be it layer 3 traceroute or layer 2 CDP/LLDP.  To unravel correlation for a given point of time, see [Link for document 47505 is unavailable at this time.]