FIDO: Correlated item count
FIDO: Correlated item count
The 'correlated' count describes how many alarms have been correlated
via non comment correlation means into a single alarm line. By non
comment correlation means, I imply a correlation derived from the
network topology.
In the above example, 3646 alarms are correlated to the snmp_node of
r-432nm-mdf-1 being unreachable.
Firstly, a snmp_node test describes several repeated failed attempts to
snmp poll the management plane of a device. It doesn't conclusively
indicate a forwarding issue, but it means there are monitored items that
are in an unverifiable state, which is grounds for an alarm.
In this case, the alarm suffixes additional data: '3586 suppressed'. An
explanation of suppression can seen here: FIDO: Object Suppression . In this case, there
are 3586 instances on r-432nm-mdf-1 that cannot be verified.
The FIDO snmp polling engine polls many OIDs for the device in question.
What is being polled can be read about here: [Link for document 35504 is unavailable at this time.] . Some of these OIDs are used for alarms [ifOperStatus, for example].
Some are used for storage into rrds [per process CPU usage]. Some are
used for alarming or storing [sysUptime]. While it can be configured
differently, by default, only instances that would result in an alarm
are tallied in the 'suppressed' count; instances polled -purely- for RRD
storage do not count as they do not represent actionable items.
The other 58 alarms [3646 - 3586 = 58] are likely alarms that were
correlated to the node by virtue of being behind r-432nm-mdf-1 from a
topology perspective, be it layer 3 traceroute or layer 2 CDP/LLDP. To unravel correlation for a given point of time, see [Link for document 47505 is unavailable at this time.]