I'm getting a little tired of this, but no matter what I do, in every way that I configure enVision to fire an alert on an X percent increase in events, I'm getting thousands of events.
Let's take a simple example:
Create a correlation with this statement: device group - checkpoint (provides lots of data)
threshold - increase of 50% of hour baseline (also tried avg)
eventid * (getting all events from the devices)
This generates about 5000 events a week =/
Now, come to think of it, I've tried with a specific eventid - same result.
What I've noticed is that no matter what you choose as threshold, enVision will fire an alert every one~three seconds, which makes me think that instead of generating an alert once an hour it just compares, every second, the relative one hour/minute in the parallel week, hence Sunday 6 AM vs last Sunday 6 AM, then 6:00:01 vs 6:00:01, and so on..
which causes a lot of false positives (not to mention killing my clients' mailboxes.. =P )
Any idea about this?
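The effect hypothesized in the post, as an added example that is not part of the original post and does not reproduce enVision's actual correlation logic: the same "50% over the parallel week" test is run over constructed timestamps with one-second and one-hour buckets. The function names, the sample data and the choice to skip buckets that have no baseline are assumptions.

```python
from collections import Counter

WEEK = 7 * 24 * 3600  # seconds between a bucket and its parallel bucket last week


def bucket_counts(timestamps, width):
    """Count events per fixed-width time bucket (width in seconds)."""
    return Counter(ts // width for ts in timestamps)


def increase_alerts(events, width, pct=50):
    """Return the buckets whose count exceeds the same bucket one week
    earlier by more than pct percent.

    Assumption: a bucket with no baseline (zero events last week) is skipped.
    """
    counts = bucket_counts(events, width)
    shift = WEEK // width  # number of buckets in one week
    alerts = []
    for bucket, n in sorted(counts.items()):
        base = counts.get(bucket - shift, 0)
        if base and n > base * (1 + pct / 100):
            alerts.append(bucket)
    return alerts


def sample_events():
    """Constructed data: the 06:00 hour last week at a steady 2 events/second,
    and the same hour this week with the same 7200 total but arriving in
    bursts (4 events on every even second, none on odd seconds)."""
    start = 6 * 3600
    last_week = [start + s for s in range(3600) for _ in range(2)]
    this_week = [WEEK + start + s for s in range(0, 3600, 2) for _ in range(4)]
    return last_week + this_week


if __name__ == "__main__":
    events = sample_events()
    # Hourly totals are identical week over week, so the hourly test is silent.
    print("1-hour buckets  :", len(increase_alerts(events, 3600)), "alerts")
    # Per-second counts are small and noisy, so every burst second trips 50%.
    print("1-second buckets:", len(increase_alerts(events, 1)), "alerts")
```

With identical hourly volume, the per-second comparison still alerts on every burst second, which is the kind of alert flood the post describes.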