Cisco Support Community
ovt Bronze

Alarm summarization rules


Could anybody point me to a good document explaining alarm summarization rules and all the relevant parameters like AlarmThrottle? Cisco 4.x documentation is very poor here.

Thank you.

Cisco Employee

Re: Alarm summarization rules

Have you read through the following section?

This is about as detailed as it gets.

If you have a specific question after reading through this section then I can try to answer it for you.

ovt Bronze

Re: Alarm summarization rules

Thanks for the reply.

Of course, I have read this section and still have a lot of questions.

So far as I understood there are at least (!) 5 summarization models:

1. The 1st one: AlarmThrottle (when the value is *not* FireOnce) + ThrottleInterval + SummaryKey + ChokeThreshold. This model is described pretty well.

The sequence of alarms should be either "FireAll -> Summarize -> GlobalSummarize" or "FireAll -> GlobalSummarize" or "Summarize -> GlobalSummarize".


2. The 2nd one: AlarmThrottle (when the value *is* FireOnce) + ThrottleInterval + SummaryKey + ChokeThreshold. There are some questions here:

- What does it mean: "You cannot use AlarmThrottle FireOnce with ChokeThreshold X (where X is not ANY.)"? Does it mean that ChokeThreshold is ignored?

- What does it mean: "You cannot use AlarmThrottle FireOnce with signatures that use StorageKey xxxx."? I see that Atomic.* signatures *do* *have* StorageKey xxxx *and* AlarmThrottle = FireOnce!

- What is the role of the SummaryKey here?

3. The 3rd one: MinHits *without* the AlarmInterval.

So far as I understood this means "Send 1 alarm when a signature fires MinHits times". Correct?

4. The 4th one: MinHits *with* the AlarmInterval.

This is documented as "Send 1 alarm when a signature fires MinHits times for the ThrottleInterval". Is this a misprint? If not, what is the role of the AlarmInterval here?

5. The 5th one is used by Sweep.* engines: "Unique + ResetAfterIdle + AlarmDelayTimer (sometimes?)". This is not documented at all.

There are lots of other questions, for example: are the models (1,2) and (3,4) mutually exclusive?

Hope you will help me,

Oleg Tipisov,



New Member

Re: Alarm summarization rules

#1. is correct.

#2. has a typo. StorageKey should read as SummaryKey.

You can use ChokeThreshold here, and it will take you from FireOnce->GlobalSummary when you have exceeded "ChokeThreshold" number of alerts for that sig in the

Looks like the DOC writers were mixed up with some of the old 3.x techniques here.

#3. Yes. The MinHits is counted on the SummaryKey

#4. Another typo. Should be: "Send 1 alarm when the signature fires MinHits times within a sliding window timespan of AlarmInterval." ThrottleInterval is not used here.

Not really summary here.

For the exclusive models, you cannot use AlarmInterval (the timed MinHits) with a summary mode other than FireAll.
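
The MinHits behaviour described in the reply above (models 3 and 4 of the question), as an added Python model that is not Cisco code and not part of any post in this thread. Assumptions: the SummaryKey is modelled as a (source, destination) address pair, the hit count restarts after an alarm is sent, and all class, function and variable names are hypothetical.

```python
from collections import defaultdict, deque


class MinHitsCounter:
    """Counts signature hits per SummaryKey and decides when one alarm is sent.

    alarm_interval=None models untimed MinHits (model 3);
    a number of seconds models the sliding AlarmInterval window (model 4).
    """

    def __init__(self, min_hits, alarm_interval=None):
        self.min_hits = min_hits
        self.alarm_interval = alarm_interval
        self.hits = defaultdict(deque)  # SummaryKey -> timestamps of counted hits

    def observe(self, ts, key):
        """Record one hit at time ts; return True if an alarm is sent."""
        window = self.hits[key]
        if self.alarm_interval is not None:
            # Sliding window: forget hits older than AlarmInterval.
            while window and ts - window[0] > self.alarm_interval:
                window.popleft()
        window.append(ts)
        if len(window) >= self.min_hits:
            window.clear()  # assumption: counting restarts after the alarm
            return True
        return False


def alarms(events, min_hits, alarm_interval=None):
    """Return the (timestamp, key) pairs at which an alarm would be sent."""
    counter = MinHitsCounter(min_hits, alarm_interval)
    return [(ts, key) for ts, key in events if counter.observe(ts, key)]


# Constructed sample hits: (seconds, (source, destination)), sorted by time.
A = ("10.0.0.5", "192.0.2.10")
B = ("10.0.0.9", "192.0.2.10")
EVENTS = [(0, A), (10, A), (20, B), (50, A), (55, A), (58, A), (200, B), (400, B)]

if __name__ == "__main__":
    # Untimed MinHits=3: every third hit per key alarms, however slow the hits.
    print("untimed:", alarms(EVENTS, 3))
    # MinHits=3 within AlarmInterval=30s: only the burst from A alarms.
    print("timed:  ", alarms(EVENTS, 3, 30))
```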

New Member

Re: Alarm summarization rules

Can I still use chokethreshold for the SWEEP engine signatures (e.g. 3030) on top of 'resetafteridle (+unique)'?
