Impact of changing MAX SIZE value in analysts

ChristopherS · ‎09-24-2020

Ok I understand your scenario.. but generally what our customers do is simply alert on the summary record at 10s as good enough as it is timely enough for a decline scenario but I agree does not detect back-to-back declines.. but you script itself as @Leon_Arens mentioned would have timing issues in getting exactly what you want as well.

OK so the "SORT DESC LOGTIME" and knowing Analysts 'should' process the transactions incrementally in the order presented is the only thing that makes this different than the standard summary though as it resets the counter on an approval. You still REALLY should have a limit clause (even if high for 2x your refresh interval) and have your lookback timeframe for TRANDET also only slightly buffered.. otherwise it could be searching through 10s of thousands of transactions. Otherwise I get what you are trying to do and cannot think of a way to do it in summary at this granular of a level but usually 10s Summary Interval DENYCNT & DENY% usually work for most.

If my answer helped you today, please be sure to mark the resolved button to assist others.

Christopher R Souser - Solution Architect – MSci. PA, CISSP, ITIL.

Leon_Arens · ‎09-24-2020

If you are curious of how many records the rule is processing every 30 seconds you could add the following bolded lines.

You can then add the following highlighted code to see if it reduces the records processes from many(history) to just the records for the trans that occurred in the last 30 seconds.

Note: if the date restriction in the where clause reduced the records processed then this could also reduce the amount of memory the analyst uses.

Note: I have not tested this logic because we do not have the TSV product at the current time but are concidering it. So if I have a typo please correct it.

SECTION CONFIG
  MAX_SIZE 5.0 MB 
  NUMERIC G_RECs_processed [0] := 0 
  NUMERIC TXNCOUNT [0] := 0
  NUMERIC ALERTFLAG [0] := 1
END_SECTION
 
SECTION RULE_DEF

! Get all records from TRANDET record and set counter 
! increment the counter if it is declined response code and reset the counter if approve response code

RULE TRAN_COUNT PRIMARY

  RECORD TRANDET
  WHERE      BIN    = "402872" 
        AND (SRCNAME="NSX7DRP2" OR SRCNAME="NSX7DRA2")
        AND LOGTIME >  ( CurrentTime - 30 seconds )
  REFRESH 30 SECONDS
  NODE ( #NI\BASE24-active ) 
  SORT DESC LOGTIME 
 
!Increment the counter when the transaction is declined
 
  IF @TRANDET.RESPCODE NOT IN {"00","01","000","001","076","206"}
        SET TXNCOUNT := TXNCOUNT + 1                 
  END_IF
 
!Reset the counter when the transaction is approved
  
  IF @TRANDET.RESPCODE = "00" OR @TRANDET.RESPCODE = "01" OR @TRANDET.RESPCODE = "000" OR @TRANDET.RESPCODE = "001"
        SET TXNCOUNT := 0
  END_IF
  ACTION
        SET G_RECs_processed := G_RECs_processed + 1
  END_ACTION
END_RULE


!Check if the counter value is greater than the threshold and if the send alert flag is on (1)
!If the condition is true, set the alert flag to off (0) to avoid the sending of multiple alerts

RULE SEND_ALERT PRIMARY
  STRING MsgText
  RECORD PNODES
  WHERE ALL
  REFRESH 30 SECONDS
  NODE ( #NI\ConsDecAnalystNode )

  IF TXNCOUNT > 9 AND ALERTFLAG = 1
        LOG 
        SNMPTRAP 0101
          VERSION v1
          HOST          10.129.88.82
          PORT          162
          PRIORITY      CRITICAL
          IMMEDIATELY
        EXEC          #DISPMAN 0100 IMMEDIATELY
        SET ALERTFLAG := 0
        SET TXNCOUNT := 0
  END_IF
  ACTION
        SET MsgText := subst ("@G_RECs_processed@ records processed at ^timestamp")
        EXEC           #DISPMAN 00200 IMMEDIATELY
  END_ACTION 
END_RULE
 
 
!Rule to reset the send alert flag to on (1) and reset the counter to 0 after x seconds/minutes 
!x seconds/minutes refresh has to match the refresh interval in the rule above
 
RULE RESET_ALERT_FLAG PRIMARY
 
  RECORD PNODES
  WHERE ALL
  REFRESH 30 SECONDS
  NODE ( #NI\BASE24-active ) 
 
  ACTION
        SET ALERTFLAG := 1
        !SET TXNCOUNT := 0
  END_ACTION
 
END_RULE
 
END_SECTION
 
SECTION MSG_TEXT
   MSG 0100  "DISPREQ CMD_SRC 402872ConsDenial MSG_CODE_NUM 100 MSG_DEST ConsDecGroup MSG_TITLE Consecutive BIN 402872 decline @TXNCOUNT@ txns MSG_TEXT Consecutive BIN 402872 decline @TXNCOUNT@ txns."
   MSG 0101  "Consecutive BIN 402872 decline more than 10 transactions"
   MSG 00200 "DISPREQ CMD_SRC 402872ConsDenial MSG_CODE_NUM 100 MSG_DEST ConsDecGroup MSG_TITLE @MsgText@  MSG_TEXT @MsgText@"
END_SECTION

Leon_Arens · ‎09-24-2020

If you can verify that the TRAN_COUNT rule only gets the transactions for the last 30 seconds and they are processed in the order they are received (timestamp always increasing) then I believe the following changes to the analyst will address the issue of missing consecutive declined transactions over consecutive 30 second intervals. This logic should capture the first occurrence of 10+ consecutive decline transactions within a 30 second window. If 10+ consecutive transactions occur more than once in a 30 second window, this will not alarm on them until the next 30 second interval. if you want it to alert on every occurrence of 10+ declined transactions, just comment out the "SET ALERTFLAG := 0" and you could get rid of the "RESET_ALERT_FLAG" rule.

SECTION CONFIG
  MAX_SIZE 5.0 MB 
  NUMERIC TXNCOUNT [0] := 0
  NUMERIC ALERTFLAG [0] := 1
END_SECTION
 
SECTION RULE_DEF

! Get all records from TRANDET record and set counter 
! increment the counter if it is declined response code and reset the counter if approve response code

RULE TRAN_COUNT PRIMARY

  RECORD TRANDET
  WHERE     BIN      = "402872" 
        AND (SRCNAME = "NSX7DRP2" OR SRCNAME = "NSX7DRA2")
        AND LOGTIME >  ( CurrentTime - 30 seconds )
  REFRESH 30 SECONDS
  NODE ( #NI\BASE24-active ) 
  SORT DESC LOGTIME 
 
!Increment the counter when the transaction is declined
 
  IF @TRANDET.RESPCODE NOT IN {"00","01","000","001","076","206"}
        SET TXNCOUNT := TXNCOUNT + 1                 
  END_IF

!Check if the counter value is greater than the threshold and if the send alert flag is on (1)
!If the condition is true, set the alert flag to off (0) to avoid the sending of multiple alerts

  IF TXNCOUNT > 9 AND ALERTFLAG = 1
        LOG 
        SNMPTRAP 0101
          VERSION v1
          HOST          10.129.88.82
          PORT          162
          PRIORITY      CRITICAL
          IMMEDIATELY
        EXEC          #DISPMAN 0100 IMMEDIATELY
        SET ALERTFLAG := 0
        SET TXNCOUNT := 0
  END_IF

!Reset the counter when the transaction is approved
  
  IF @TRANDET.RESPCODE = "00" OR @TRANDET.RESPCODE = "01" OR @TRANDET.RESPCODE = "000" OR @TRANDET.RESPCODE = "001"
        SET TXNCOUNT := 0
  END_IF
END_RULE

 
!Rule to reset the send alert flag to on (1) and reset the counter to 0 after x seconds/minutes 
!x seconds/minutes refresh has to match the refresh interval in the rule above
 
RULE RESET_ALERT_FLAG PRIMARY
 
  RECORD PNODES
  WHERE ALL
  REFRESH 30 SECONDS
  NODE ( #NI\BASE24-active ) 
 
  ACTION
        SET ALERTFLAG := 1
        !SET TXNCOUNT := 0
  END_ACTION
 
END_RULE
 
END_SECTION
 
SECTION MSG_TEXT
   MSG 0100  "DISPREQ CMD_SRC 402872ConsDenial MSG_CODE_NUM 100 MSG_DEST ConsDecGroup MSG_TITLE Consecutive BIN 402872 decline @TXNCOUNT@ txns MSG_TEXT Consecutive BIN 402872 decline @TXNCOUNT@ txns."
   MSG 0101  "Consecutive BIN 402872 decline more than 10 transactions"
END_SECTION

Re: Impact of changing MAX SIZE value in analysts

Re: Impact of changing MAX SIZE value in analysts

Re: Impact of changing MAX SIZE value in analysts

IR Forums