Writing Analyst Rules

Analyst rules contain the intelligence for the Analyst. Several pre-packaged Analyst documents are supplied, containing complete action paths for common system problems. You may modify the existing rules, or create new rules for situations unique to your environment.

It is strongly recommended that any pre-packaged document be copied and renamed before it is modified, so that future version upgrades do not overwrite the modifications.

The Analyst file structure is made up of three sections: the Rule Configuration Section (CONFIG), the Rule Definitions Section (RULE_DEF) and the Message Log Section (MSG_TEXT).

Analyst rules can be created through an Analyst document in the Windows Client, as illustrated below, or in a text file used with IRCMD.

The above example shows a very simple Analyst illustrating the three sections.

SECTION CONFIG - this section sets the overall parameters for the Analyst. In this case the MAX-SIZE statement limits the amount of Problem Output that is kept to a maximum of 0.50 MB.

SECTION RULE-DEF - this section defines the Analyst rules. In this case there is a single rule named 'CpuBusy' and it is a PRIMARY rule. The RECORD statement nominates NTCPU as the record to be used, and a Where Clause is added to filter the data for CPU BUSY greater than 80%. The REFRESH statement sets the Analyst to check for this rule every 60 seconds. The ACTION sub-section specifies the action to take when the Analyst detects that the rule has been broken. In this case it will LOG message number 0001 as soon as the detection is made.

SECTION MSG_TEXT - this section provides details of any messages that are to be generated from the ACTION statement. In this example, the text for message number 0001 is specified.
