
Impact of changing MAX SIZE value in analysts

Re: Impact of changing MAX SIZE value in analysts

@TushR 

Ok I understand your scenario.. but generally what our customers do is simply alert on the summary record at 10s as good enough as it is timely enough for a decline scenario but I agree does not detect back-to-back declines.. but your script itself as @Leon_Arens mentioned would have timing issues in getting exactly what you want as well.

 

OK so the "SORT DESC LOGTIME" and knowing Analysts 'should' process the transactions incrementally in the order presented is the only thing that makes this different than the standard summary though as it resets the counter on an approval.   You still REALLY should have a limit clause (even if high for 2x your refresh interval) and have your lookback timeframe for TRANDET also only slightly buffered.. otherwise it could be searching through 10s of thousands of transactions.  Otherwise I get what you are trying to do and cannot think of a way to do it in summary at this granular of a level but usually 10s Summary Interval DENYCNT & DENY% usually work for most.

 

 


If my answer helped you today, please be sure to mark the resolved button to assist others.

Christopher R Souser - Solution Architect – MSci. PA, CISSP, ITIL.
05 Base Camper

Re: Impact of changing MAX SIZE value in analysts

If you are curious of how many records the rule is processing every 30 seconds you could add the following bolded lines.

You can then add the following highlighted code to see if it reduces the records processed from many (history) to just the records for the trans that occurred in the last 30 seconds.

Note: if the date restriction in the where clause reduced the records processed then this could also reduce the amount of memory the analyst uses.

 

Note: I have not tested this logic because we do not have the TSV product at the current time but are considering it. So if I have a typo please correct it.

 

 

SECTION CONFIG
  MAX_SIZE 5.0 MB
  NUMERIC G_RECs_processed [0] := 0
  NUMERIC TXNCOUNT [0] := 0
  NUMERIC ALERTFLAG [0] := 1
END_SECTION

SECTION RULE_DEF

! Get all records from TRANDET record and set counter
! increment the counter if it is declined response code and reset the counter if approve response code

RULE TRAN_COUNT PRIMARY

  RECORD TRANDET
  WHERE     BIN = "402872"
        AND (SRCNAME="NSX7DRP2" OR SRCNAME="NSX7DRA2")
        AND LOGTIME >  ( CurrentTime - 30 seconds )
  REFRESH 30 SECONDS
  NODE ( #NI\BASE24-active )
  SORT DESC LOGTIME

!Increment the counter when the transaction is declined

  IF @TRANDET.RESPCODE NOT IN {"00","01","000","001","076","206"}
        SET TXNCOUNT := TXNCOUNT + 1
  END_IF

!Reset the counter when the transaction is approved

  IF @TRANDET.RESPCODE = "00" OR @TRANDET.RESPCODE = "01" OR @TRANDET.RESPCODE = "000" OR @TRANDET.RESPCODE = "001"
        SET TXNCOUNT := 0
  END_IF

  ACTION
        SET G_RECs_processed := G_RECs_processed + 1
  END_ACTION
END_RULE

!Check if the counter value is greater than the threshold and if the send alert flag is on (1)
!If the condition is true, set the alert flag to off (0) to avoid the sending of multiple alerts

RULE SEND_ALERT PRIMARY

  STRING MsgText
  RECORD PNODES
  WHERE ALL
  REFRESH 30 SECONDS
  NODE ( #NI\ConsDecAnalystNode )

  IF TXNCOUNT > 9 AND ALERTFLAG = 1
        LOG
        SNMPTRAP 0101
          VERSION v1
          HOST 10.129.88.82
          PORT 162
          PRIORITY CRITICAL
          IMMEDIATELY
        EXEC #DISPMAN 0100 IMMEDIATELY
        SET ALERTFLAG := 0
        SET TXNCOUNT := 0
  END_IF

  ACTION
        SET MsgText := subst ("@G_RECs_processed@ records processed at ^timestamp")
        EXEC #DISPMAN 00200 IMMEDIATELY
  END_ACTION
END_RULE

!Rule to reset the send alert flag to on (1) and reset the counter to 0 after x seconds/minutes
!x seconds/minutes refresh has to match the refresh interval in the rule above

RULE RESET_ALERT_FLAG PRIMARY

  RECORD PNODES
  WHERE ALL
  REFRESH 30 SECONDS
  NODE ( #NI\BASE24-active )

  ACTION
        SET ALERTFLAG := 1
        !SET TXNCOUNT := 0
  END_ACTION

END_RULE

END_SECTION

SECTION MSG_TEXT
   MSG 0100  "DISPREQ CMD_SRC 402872ConsDenial MSG_CODE_NUM 100 MSG_DEST ConsDecGroup MSG_TITLE Consecutive BIN 402872 decline @TXNCOUNT@ txns MSG_TEXT Consecutive BIN 402872 decline @TXNCOUNT@ txns."
   MSG 0101  "Consecutive BIN 402872 decline more than 10 transactions"
   MSG 00200 "DISPREQ CMD_SRC 402872ConsDenial MSG_CODE_NUM 100 MSG_DEST ConsDecGroup MSG_TITLE @MsgText@ MSG_TEXT @MsgText@"
END_SECTION

 

 

05 Base Camper

Re: Impact of changing MAX SIZE value in analysts

If you can verify that the TRAN_COUNT rule only gets the transactions for the last 30 seconds and they are processed in the order they are received (timestamp always increasing) then I believe the following changes to the analyst will address the issue of missing consecutive declined transactions over consecutive 30 second intervals. This logic should capture the first occurrence of 10+ consecutive decline transactions within a 30 second window. If 10+ consecutive transactions occur more than once in a 30 second window, this will not alarm on them until the next 30 second interval. If you want it to alert on every occurrence of 10+ declined transactions, just comment out the "SET ALERTFLAG := 0" and you could get rid of the "RESET_ALERT_FLAG" rule.

 

SECTION CONFIG
  MAX_SIZE 5.0 MB 
  NUMERIC TXNCOUNT [0] := 0
  NUMERIC ALERTFLAG [0] := 1
END_SECTION
 
SECTION RULE_DEF

! Get all records from TRANDET record and set counter 
! increment the counter if it is declined response code and reset the counter if approve response code

RULE TRAN_COUNT PRIMARY

  RECORD TRANDET
  WHERE     BIN      = "402872" 
        AND (SRCNAME = "NSX7DRP2" OR SRCNAME = "NSX7DRA2")
        AND LOGTIME >  ( CurrentTime - 30 seconds )
  REFRESH 30 SECONDS
  NODE ( #NI\BASE24-active ) 
  SORT DESC LOGTIME 
 
!Increment the counter when the transaction is declined
 
  IF @TRANDET.RESPCODE NOT IN {"00","01","000","001","076","206"}
        SET TXNCOUNT := TXNCOUNT + 1                 
  END_IF

!Check if the counter value is greater than the threshold and if the send alert flag is on (1)
!If the condition is true, set the alert flag to off (0) to avoid the sending of multiple alerts

  IF TXNCOUNT > 9 AND ALERTFLAG = 1
        LOG 
        SNMPTRAP 0101
          VERSION v1
          HOST          10.129.88.82
          PORT          162
          PRIORITY      CRITICAL
          IMMEDIATELY
        EXEC          #DISPMAN 0100 IMMEDIATELY
        SET ALERTFLAG := 0
        SET TXNCOUNT := 0
  END_IF

!Reset the counter when the transaction is approved
  
  IF @TRANDET.RESPCODE = "00" OR @TRANDET.RESPCODE = "01" OR @TRANDET.RESPCODE = "000" OR @TRANDET.RESPCODE = "001"
        SET TXNCOUNT := 0
  END_IF
END_RULE

 
!Rule to reset the send alert flag to on (1) and reset the counter to 0 after x seconds/minutes 
!x seconds/minutes refresh has to match the refresh interval in the rule above
 
RULE RESET_ALERT_FLAG PRIMARY
 
  RECORD PNODES
  WHERE ALL
  REFRESH 30 SECONDS
  NODE ( #NI\BASE24-active ) 
 
  ACTION
        SET ALERTFLAG := 1
        !SET TXNCOUNT := 0
  END_ACTION
 
END_RULE
 
END_SECTION
 
SECTION MSG_TEXT
   MSG 0100  "DISPREQ CMD_SRC 402872ConsDenial MSG_CODE_NUM 100 MSG_DEST ConsDecGroup MSG_TITLE Consecutive BIN 402872 decline @TXNCOUNT@ txns MSG_TEXT Consecutive BIN 402872 decline @TXNCOUNT@ txns."
   MSG 0101  "Consecutive BIN 402872 decline more than 10 transactions"
END_SECTION
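
Added example (not part of the original thread and not analyst rule code): a Python model of the counter logic in the analyst above, useful for checking on constructed data how a decline run that spans two 30-second refreshes, or a second run inside one refresh, would be alerted. It assumes records arrive in increasing time order and that RESET_ALERT_FLAG re-arms the flag before each refresh's records are processed; the function name, the sample data and the decline code "05" are constructed for illustration.

```python
APPROVED = {"00", "01", "000", "001"}      # codes that reset TXNCOUNT
NOT_COUNTED = APPROVED | {"076", "206"}    # codes the rule does not count as declines
THRESHOLD = 9                              # rule alerts when TXNCOUNT > 9
WINDOW = 30                                # REFRESH 30 SECONDS


def consecutive_decline_alerts(txns, suppress=True):
    """txns: list of (seconds, respcode), sorted by increasing time (assumption).
    suppress=False models commenting out SET ALERTFLAG := 0.
    Returns the timestamps at which an alert would be raised."""
    alerts, txncount, alertflag, current = [], 0, 1, None
    for ts, code in txns:
        if ts // WINDOW != current:
            # New refresh interval: RESET_ALERT_FLAG re-arms; TXNCOUNT is kept.
            current, alertflag = ts // WINDOW, 1
        if code not in NOT_COUNTED:
            txncount += 1
        if txncount > THRESHOLD and alertflag == 1:
            alerts.append(ts)
            if suppress:
                alertflag = 0
            txncount = 0
        if code in APPROVED:
            txncount = 0
    return alerts


def declines(start, n):
    """Constructed sample: n declines, one per second, from `start`."""
    return [(start + i, "05") for i in range(n)]


# Constructed scenarios.
SPANNING = declines(24, 6) + declines(30, 4)                  # run crosses a refresh
TWO_RUNS = declines(0, 10) + [(10, "00")] + declines(11, 10)  # two runs, one window
CARRY_OVER = TWO_RUNS + declines(31, 1)                       # run continues next window
NEUTRAL = declines(0, 5) + [(5, "076")] + declines(6, 5)      # 076 neither counts nor resets
BROKEN = declines(0, 5) + [(5, "00")] + declines(6, 5)        # approval breaks the run

if __name__ == "__main__":
    for name in ("SPANNING", "TWO_RUNS", "CARRY_OVER", "NEUTRAL", "BROKEN"):
        print(name, consecutive_decline_alerts(globals()[name]))
    print("TWO_RUNS, no suppression", consecutive_decline_alerts(TWO_RUNS, suppress=False))
```

In this model the suppressed second run is only reported if declines continue into the next refresh; an approval before then clears the counter and the run is never alerted.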