Configuring the scheduler for a data collection and analysis rule

For a data collection and analysis rule to run, you must create a scheduler for it.

The scheduler makes SQL queries to specified storage partitions with the interval and search depth configured in the rule, and then converts the SQL query results into base events, which it then sends to the correlator.

SQL query results converted to base events are not stored in the storage.

For the scheduler to work correctly, you must configure the link between the data collection and analysis rule, the storage, and the correlators in the Resources → Data collection and analysis section.

To manage this section, you need one of the following roles: General administrator, Tenant administrator, Tier 2 analyst, Access to shared resources, Manage shared resources.

The schedulers are arranged in the table by the date of their last launch. You can sort the data in columns in ascending or descending order by clicking the down arrow () icon in the column heading.

Available columns of the table of schedulers:

• Rule name is the name of the data collection and analysis rule for which you created the scheduler.
• Tenant name is the name of the tenant to which the data collection and analysis rule belongs.
• Status is the status of the scheduler. The following values are possible:
  • Enabled means the scheduler is running, and the data collection and analysis rule will be started in accordance with the specified schedule.
  • Disabled means the scheduler is not running.

    This is the default status of a newly created scheduler. For the scheduler to run, it must be Enabled.

• The scheduler finished at is the last time the scheduler's data collection and analysis rule was started.
• Rule run status is the status with which the scheduler has finished. The following values are possible:
  • Ok means the scheduler finished without errors, the rule was started.
  • Unknown means the scheduler was Enabled and its status is currently unknown. The Unknown status is displayed if you have linked storages and correlators on the corresponding tabs and Enabled the scheduler, but have not yet started it.
  • Stopped means the scheduler is stopped, the rule is not running.
  • Error means the scheduler has finished, and the rule was completed with an error.
• Last error lists errors (if any) that occurred during the execution of the data collection and analysis rule.

Failure to send events to the configured correlator does not constitute an error.

You can use the toolbar in the upper part of the table to perform actions on schedulers.

To edit the scheduler, click the corresponding line in the table.

Available scheduler settings for data collection and analysis rules are described below.

General tab

On this tab you can:

• Enable or disable the scheduler using a toggle switch.

  If the toggle switch is enabled, the data collection and analysis rule runs in accordance with the schedule configured in its settings.

• Edit the following settings of the data collection and analysis rule:
  • Name
  • Query interval
  • Depth
  • Sql
  • Description
  • Mapping

The Linked storages tab

On this tab you need to specify the storage to which the scheduler will send SQL queries.

To specify a storage:

1. Click the Link button in the toolbar.
2. This opens a window; in that window, specify the name of the storage to which you want to add the link, as well as the name of the section of the selected storage.

   You can select only one storage, but multiple sections of that storage.

3. Click Add.

The link is created and displayed in the table on the Linked storages tab.

If necessary, you can remove the links by selecting the check boxes in the relevant rows of the table and clicking the Unlink selected button.

The Linked correlators tab

On this tab, you must add correlators for handling base events.

To add a correlator:

1. Click the Link button in the toolbar.
2. This opens a window; in that window, hover over the Correlator field.
3. In the displayed list of correlators, select check boxes next to the correlators you want to add.
4. Click Add.

The correlators are added and displayed in the table on the Linked correlators tab.

If necessary, you can remove the correlators by selecting the check boxes in the relevant rows of the table and clicking the Unlink selected button.

You can also view the result of the scheduler in the Core log; to do so, you must first configure the Debug mode in Core settings. To download the log, select the Resources → Active services in KUMA, then select the Core service and click the Log button.

Log records with scheduler results have the datamining scheduler prefix.

Page top