dirscan file size alert is showing "less than" when "greater than" is selected in the configuration
Article ID: 438813
Updated On:
Products
Issue/Introduction
You have set up a dirscan profile to monitor when a file exceeds a certain size.
You have set the threshold for "greater than" the desired size, e.g. > 20kb.
However, alarms are coming only when the file is less than 20kb.
Environment
DX UIM - Any Version
dirscan probe - any version
Cause
Unlike many other UIM probes that use "Threshold" logic (where you define the error state), the dirscan probe uses Expected Value logic.
In dirscan, you define the normal/healthy state of the file. An alarm is generated only when the actual condition of the file deviates from the expectation you configured.
Example of Misconfiguration:
User Intent: Alarm when the file is larger than 20 KB.
The above screenshot represents an incorrect configuration: Expected Value is set to > 20Kb.
This means that alerts will be sent if the file is not greater than 20Kb.
Resolution
To alarm when a file exceeds a cetain size, follow these steps:
- Open the dirscan probe configuration.
- Select the Profile monitoring the specific file or directory.
- Locate the Size monitoring section.
- Set the Condition/Operator to: < (Less than).
- Set the Value to the filesize you do not want to exceed.
Expected Result
Normal State: The file is less than the defined size. This matches your "Expected Value," so no alarm is sent.
Alarm State: The file grows beyond the defined size. This violates the "Expected Value"), triggering the alarm.
Feedback
