Consolidation Rule Fun!
So we want to monitor for a particular event that occurs ten times in a twenty-four hours raise an alert.
I created the alert rule and the consolidation rule and I set it for 30 seconds for testing. It worked. I changed the time for consolidation from 30 seconds to 84,000 seconds ran the test again and got no alerts.
I suspect there is a hard limit to the time an event must occur in seconds on a consolidation rule.
I will have to open a case with MSFT and figure this one out.
Marcus Oh told me to stop being lazy and script a solution, but I have to fly him out to California. Any one want to donate to the Fly Marcus Out Fund?
The way I see it, and from my sources at MSFT, the way the consolidation rule is doing things is like so:
Event rule says: Event # with repeat count > 10
Consolidation rule says: Event # within time period of X
So if you set the time period to be 5 minutes, then the consolidation rule will start counting at the first event, and if at the end of the 5 minutes if there were more then 10 events MOM will alert you. Ideally you would want to be alerted after 10 events within the 5 minute time frame, however my understanding is that MOM will only alert you if your conditions were matched at the end of the time frame from the first event generated.