When Time Over Threshold alarms are sent to the hub, they are immediately raised as alarms instead of going through the TOT rules. Why are only my Time Over Threshold alarms not working?
Any UIM version
Time Over Threshold (TOT) alarms can fail if the UIM environment is configured to bypass the alarm_enrichment probe, which is where alarms are evaluated as potential TOT events.
By default, alarms arrive at the primary hub and are placed into the "alarm" queue. The alarm_enrichment probe pulls alarms out of that queue, processes them, and places them into the "alarm2" queue for the nas probe to work with. For various reasons, the nas probe can be configured to pull alarms directly from the "alarm" queue, which bypasses the alarm_enrichment probe and therefore the TOT evaluation.
To resolve this, use the default queueing configuration for alarm flow: alarm queue > alarm_enrichment > alarm2 queue > nas
Open the nas probe Raw Config and check that under 'setup' the following keys are set:
enrichment_subject = alarm
subject = alarm2
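The same check can be scripted against an exported copy of the nas configuration. This is an added example, not code from the product or the original article: it assumes the configuration text uses `<section>` ... `</section>` blocks containing `key = value` lines, and both sample configurations are constructed.

```python
import re

# Values the article gives for the nas 'setup' section (default alarm flow).
EXPECTED = {"enrichment_subject": "alarm", "subject": "alarm2"}

# Constructed samples, not taken from a real system.
DEFAULT_CFG = "<setup>\n   enrichment_subject = alarm\n   subject = alarm2\n</setup>\n"
BYPASS_CFG = "<setup>\n   enrichment_subject = alarm\n   subject = alarm\n</setup>\n"

def parse_sections(text):
    """Map section paths such as '/setup' to their 'key = value' pairs.

    Assumed layout: '<name>' opens a section, '</name>' closes it.
    """
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"</[^<>]+>", line):
            if stack:
                stack.pop()
            continue
        opening = re.fullmatch(r"<([^/<>][^<>]*)>", line)
        if opening:
            stack.append(opening.group(1).strip())
            sections.setdefault("/" + "/".join(stack), {})
        elif "=" in line and stack:
            key, _, value = line.partition("=")
            sections["/" + "/".join(stack)][key.strip()] = value.strip()
    return sections

def check_tot_flow(cfg_text):
    """Return findings; an empty list means nas reads from alarm2 as expected."""
    setup = parse_sections(cfg_text).get("/setup", {})
    findings = []
    for key, want in EXPECTED.items():
        got = setup.get(key)
        if got is None:
            findings.append(f"setup/{key} is missing (expected '{want}')")
        elif got != want:
            findings.append(f"setup/{key} = '{got}' (expected '{want}')")
    return findings

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("bypass", BYPASS_CFG)):
        print(name, check_tot_flow(cfg) or "OK: alarm_enrichment is in the path")
```

A finding on `subject` means nas is subscribed to the "alarm" queue directly, so TOT rules are never evaluated.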