Alert correlation rule

Annie11
Mega Expert

Hi All

I have created an alert correlation rule for one of the events to avoid multiple alerts and INC creation for an outage scenario, with a time difference of 10 min.

Basically my requirement here is: within 10 min all the events should be correlated in the alert, and after 10 mins a new Alert & INC should be created and the previous one should be closed.

PFB screenshot. Even after keeping the time difference at 10 mins, I am not able to achieve my requirement, as all the events are getting correlated to this.

Can anyone pls explain to me the time difference & No relationship options here?


1 ACCEPTED SOLUTION

Nazim Ansari2
Giga Contributor

This is really a genuine scenario in case of production outages or unknown issues with the SCOM tool or applications being monitored.

Here you need to define the pattern for primary and secondary alerts. If you want to group or correlate alerts based on the CI, then choose Same CI or Node as the relationship type in the Alert Correlation rules and keep the same Type in primary and secondary.

In your case, if you wish to correlate multiple alerts based on the same CI, then the rules would be:

Primary: Health Service Heartbeat failure

Secondary: Health Service Heartbeat failure

Relationship Type: Same CI or Node

Time difference in Minutes: 10 minutes

If you want to correlate based on the Type, then put something like Type contains **** as the matching pattern.

Hope this helps to proceed further.

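As an added illustration (not code from this thread or from ServiceNow), the rule above modelled in JavaScript: events are grouped into alerts by matching type, the time difference is treated as a window measured from the primary alert's first event, and the Same CI or Node relationship is compared against the "No relationship" option the asker mentions. The event field names (type, node, time), the in-memory alert objects and the sample events are all assumptions constructed for the example.

```javascript
const MINUTE = 60 * 1000;

// Rule as described in the accepted answer (field names assumed). "relationship"
// is either "same_ci_or_node" or "none" (the "No relationship" option).
const heartbeatRule = {
  primaryType: "Health Service Heartbeat failure",
  secondaryType: "Health Service Heartbeat failure",
  relationship: "same_ci_or_node",
  timeDifferenceMinutes: 10,
};

// Assumed shape of an incoming SCOM event: { type, node, time } (time in ms).
function newAlert(ev) {
  return { type: ev.type, node: ev.node, firstSeen: ev.time, state: "open", events: [ev] };
}

// Groups events into alerts. The time difference is modelled as a window that
// starts at the primary alert's first event; once it expires the alert is closed
// and the next matching event opens a new one (the asker's stated requirement).
function correlateEvents(events, rule) {
  const alerts = [];
  const windowMs = rule.timeDifferenceMinutes * MINUTE;
  const sorted = events.slice().sort((a, b) => a.time - b.time);

  for (const ev of sorted) {
    // Expire primaries whose window has passed before looking for a match.
    for (const a of alerts) {
      if (a.state === "open" && ev.time - a.firstSeen > windowMs) a.state = "closed";
    }
    const inScope = (a) => rule.relationship === "none" || a.node === ev.node;
    const primary = ev.type === rule.secondaryType
      ? alerts.find((a) => a.state === "open" && a.type === rule.primaryType && inScope(a))
      : undefined; // event does not match the secondary pattern: never correlated
    if (primary) {
      primary.events.push(ev);
    } else {
      alerts.push(newAlert(ev));
    }
  }
  return alerts;
}

// Constructed sample: nodes A and B fail during one burst, then A fails again
// after the 10-minute window has passed.
const sampleEvents = [
  { type: "Health Service Heartbeat failure", node: "A", time: 0 },
  { type: "Health Service Heartbeat failure", node: "A", time: 5 * MINUTE },
  { type: "Health Service Heartbeat failure", node: "B", time: 6 * MINUTE },
  { type: "Health Service Heartbeat failure", node: "A", time: 12 * MINUTE },
];
```

With the sample events and Same CI or Node, the model yields three alerts (A, closed once the window passes; B; then a fresh A), while "none" yields two, because B's failure is folded into A's alert even though it is a different node. That merging of unrelated nodes is the concern raised in the thread about correlating an alert flood.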

That is not really a best practice. When you correlate, it is because the alerts are connected to each other. In case of an alert flood from SCOM, it doesn't necessarily mean they are all connected. Let's say you have an outage in a datacenter and you get 50 "Health Service Heartbeat Failure" alerts, but two of them are your Exchange servers, which are in another datacenter. In that case, the alerts from the Exchange servers should be correlated with the others.

I urge you to find connections/relations between the alerts when doing correlation. For instance, if you get "Host down" from a VMware Host, you will also see "VM down" from all the VMs. In that case you could correlate the alerts.

I hope that makes sense.

Annie11
Mega Expert

For example, PFB screenshot for reference.

EVENT name: Health Service Heartbeat failure, which is triggered from the SCOM tool to our SNOW instance.

Requirement is: In case of an outage or production-down issue, SCOM triggers multiple events to SNOW, which causes multiple alerts and simultaneously multiple INC counts in our instance. So we want to keep a timer of 10 mins in this situation; all the events will be correlated to the first alert which was created, and doing this will avoid multiple alert creation and INC creation.

Let me know from the screenshot if selecting these options will help me to take control over this situation.

In this specific case, you are correlating ANY alert with Type "Health Service..." with the specific CI "pwdc...."


thanks a lot.. it worked.. 🙂