Alert correlation rule

Annie11
Mega Expert

Hi All

I have created an alert correlation rule for one of the events to avoid multiple alerts and INC creation for an outage scenario, with a time difference of 10 min.

Basically, my requirement here is that within 10 min all the events should be correlated in the alert, and after 10 min a new Alert & INC should be created and the previous one should be closed.

PFB screenshot: even after keeping the time difference at 10 min, I am not able to achieve my requirement, as all the events are getting correlated to this.

Can anyone please explain to me the time difference & No relationship options here?


1 ACCEPTED SOLUTION

Nazim Ansari2
Giga Contributor

This is really a genuine scenario in case of production outages or unknown issues with the SCOM tool or applications getting monitored.


Here you need to define the pattern for primary and secondary alerts. If you want to group or correlate alerts based on the CI, then choose Same CI or Node as the relationship type in the Alert Correlation rules and keep the same Type in primary and secondary.

In your case, if you wish to correlate multiple alerts based on the same CI, then the rule would be:

Primary:  Health Service Heartbeat failure

Secondary:  Health Service Heartbeat failure

Relationship Type: Same CI or Node

Time difference in Minutes: 10 minutes


If you want to correlate based on the Type, then put something like Type contains **** as the matching pattern.


Hope this helps you to proceed further.

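As an added illustration (not ServiceNow's implementation and not code from this thread), the following models the behaviour of the rule in the accepted answer: same CI or node, same type, 10-minute time difference measured from the primary alert, and a new primary (with the previous alert closed) once the window has passed. The CI names, event type and timestamps are constructed sample data.

```javascript
// Simplified model of an alert correlation rule with Relationship Type
// "Same CI or Node" and a time difference of 10 minutes (added example,
// not ServiceNow code). Events arriving within the window after the
// primary are attached to it as secondaries; the first event after the
// window closes the old alert and becomes a new primary (new INC).
const WINDOW_MIN = 10;

// Constructed sample events (CI names and times are made up).
const SAMPLE_EVENTS = [
  { ci: 'scom-host-01', type: 'Health Service Heartbeat failure', time: '2023-01-01T10:00:00Z' },
  { ci: 'scom-host-01', type: 'Health Service Heartbeat failure', time: '2023-01-01T10:04:00Z' },
  { ci: 'scom-host-01', type: 'Health Service Heartbeat failure', time: '2023-01-01T10:09:00Z' },
  // 12 min after the primary: outside the window, so a new primary.
  { ci: 'scom-host-01', type: 'Health Service Heartbeat failure', time: '2023-01-01T10:12:00Z' },
  // Different CI: never correlated with scom-host-01 under Same CI or Node.
  { ci: 'scom-host-02', type: 'Health Service Heartbeat failure', time: '2023-01-01T10:05:00Z' },
];

// Returns the list of alerts produced: { ci, type, primary, secondaries, state }.
function correlate(events, windowMinutes = WINDOW_MIN) {
  const alerts = [];
  const sorted = [...events].sort((a, b) => Date.parse(a.time) - Date.parse(b.time));
  for (const ev of sorted) {
    const t = Date.parse(ev.time);
    // Candidate parent: the open alert for the same CI and the same type.
    const open = alerts.find(a => a.state === 'Open' && a.ci === ev.ci && a.type === ev.type);
    if (open && t - Date.parse(open.primary.time) <= windowMinutes * 60 * 1000) {
      open.secondaries.push(ev); // within the time difference: correlate
      continue;
    }
    if (open) open.state = 'Closed'; // window expired: close the previous alert
    alerts.push({ ci: ev.ci, type: ev.type, primary: ev, secondaries: [], state: 'Open' });
  }
  return alerts;
}

// One INC per alert, which is what the rule is meant to limit.
function incidentCount(events, windowMinutes = WINDOW_MIN) {
  return correlate(events, windowMinutes).length;
}

for (const a of correlate(SAMPLE_EVENTS)) {
  console.log(`${a.ci} primary=${a.primary.time} secondaries=${a.secondaries.length} ${a.state}`);
}
```

Without the CI match (relationship type None), all five events would fall under the 10:00 primary until the window expires, which is the flood the question describes.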

9 REPLIES

Michael Skov2
Kilo Guru

Well, you have hardcoded which alert is the secondary alert; that will always just be one.

Do you have a special requirement as to which is parent and which is secondary?

Annie11
Mega Expert

"Do you have a special requirement as to which is parent and which is secondary?"


Hi Michael, thanks for responding to my query.

No, I don't have such a requirement for parent and secondary. Can you please guide me regarding the 2 options on the same form: the relationship to be chosen and the time difference one?

Normally, when you use the relationship field, it is because you want to leverage the built-in relationships, for instance the VMware Host/VMware Virtual Machine relationship. If the host goes down, you can correlate the alerts from the VMs.

So, in which case do you want the alerts to be correlated?

Annie11
Mega Expert

My requirement is to avoid a flood situation of multiple alerts and INC creation, so basically one needs to be the primary alert for a time duration of 10 min, and all the other events triggered from SCOM need to be correlated to the parent alert.