05-01-2023 11:08 PM
Hi there.
I am a little confused about the relationships between events, alerts and incidents. I understand the difference between an event and an alert: an event doesn't always need to end up as an alert, so false alarms can be filtered out. Also, several events can be grouped into one alert. But why do we have different entities for alerts and incidents? Why would you have alerts without an incident attached (given that you can already filter out the false positives at the event level)? I understand how we can have incidents without alerts (e.g. created by users when they call us or walk by), but what is the use case for alerts without incidents?
Thanks!

05-02-2023 04:20 AM
Well, I guess the correct answer to your first question is: it depends.
Your suggestion seems like a good approach, but this can vary greatly from customer to customer; it all depends on how they have chosen to implement their process for handling such alerts/events.
As for your second question, the difference (in my opinion) is that incidents are related to IT and its process of handling customer cases, such as malfunctioning devices and so on.
The cases table, on the other hand, is a far more generic table that could handle a whole lot of different customer needs (not only related to IT issues). It could also include HR, legal, facility and other departments' queries.

05-01-2023 11:36 PM
Hi,
There are many scenarios where an alert could be generated without an incident being triggered.
An incident is recorded when a user (usually) reports something that's not working as expected.
An alert could be generated without affecting any users (so they won't report on this).
For example, say you have a server with multiple hard drives that run mirrored.
If one hard drive stops working, the server would probably generate an alert for the malfunctioning device, but since the server has additional drives that are working, the users will not notice any interruption, and the business can continue as usual.
Does this make it clearer?
05-02-2023 03:53 AM
Thanks for a very quick response!
So, if something bad happens that affects other employees, an event will be sent and an alert will be created, and the admin who works on this alert will create an incident from it, but will still keep using the alert form when diagnosing, documenting and resolving the problem, right? Because it has helpful information about the flapping count, previous alerts for the same device, related alerts and so on, and the incident form has much less of that. Right?
And what about the cases table? Is the difference between incidents and cases that the former are for communicating with internal users and the latter are for communicating with external customers?
Thanks!