The number of enriched alerts created (or spawned) from a normalised alert depends on the number of matches that occur for an enrichment policy. For example, assume you defined two enrichment policies for a message channel:
• Policy 1: Adds the service to which a managed source belongs
• Policy 2: Adds the geographical location of the managed source
If a normalised alert matches two enrichment statements in Policy 1, two enriched alerts are created. If the two enriched alerts match two enrichment statements in Policy 2, two more enriched alerts are created. A total of four enriched alerts are then sent to the AlertServer.
To create only one enriched alert when a normalised alert matches two or more statements in a single enrichment policy, add the enrichrowcount1 parameter to the POWERpackTrans.cfg file or the POWERpackTrans_mcname.cfg file, where mcname is the name of a message channel.
When the enrichrowcount1 parameter is added to the:
• POWERpackTrans.cfg file, a single spawned alert is actioned against all message channels
• POWERpackTrans_mcname.cfg file, a single spawned alert is actioned on an individual message channel