Alerts are not being closed after a clear event!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-25-2018 05:21 PM
Hello Community.
I've created a event rule to filter incoming events and generate an alert when threshold is surpassed.
This is working as expected, however a desire funcionality is that, if we receive a clear event (Event with clear status), created alert should be closed automatically.
However this is not working, auto-clousure with an "Clear Event" is present only for all other alerts that are not involved with the event rule.
Also, the clear event is not being showed at alert's event related list, despite Message Key is the same for all events.
Event Rule's "Alert close Operator" was set to "None" cause other option is just "Flapping", and we are not using that Alert state.
Does the system uses anything else than Message Key to relate events to an alert?
Where (Business Rule, scheduled job) is the code of alert creation using an event?
Any comment would be appreciate.
Best Regards.
- Labels:
-
Event Management
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎06-27-2018 11:26 AM
The creation and handling of Events happens in multiple locations. The 2 I know of (and that may be all there are) are the Event Rules and Event Field Mapping.
What is the value you are getting in the 'Severity' field of the Event? If it is not one of - Clear, Info, Warning, Minor, Major, or Critical, you'll need to use an Event Field Mapping configuration to map the incoming value(s) to one of the expected values.
I don't know for sure, but I would assume that the 'Source' and 'Source' instance are included in the relating of Events.
Steve
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-30-2018 02:07 PM
The event transformation to alerts is primarily driven by event rules and event field mappings which are driven by script includes and hidden java code and Message key acts as the primary key for events.
We are encountering the same issue with clear events , though the state changes to close when clear event is received via. source but severity doesn't.
We already tried event field mappings, doesn't hold good for clear events. Just curious if you were able to resolve this and how?
Regards, Ayush
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-04-2021 09:09 AM
I am experiencing a similar problem. Events, with the same Message key, and for which an Alert is open, are joined by a new "Clear" Event (Severity = "0"). However, the Clear Event does not Close the related Alert. Does anyone have an idea what could be driving this, or where in the platform I should be looking for an answer?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎08-17-2021 07:45 PM
I had the some problem with alerts not being closed by a clear event.
In my case the event rule, which matched both raising and clearing events, was setting the severity of the alert to Critical in the "Transform and Compose Alert Output" section.
If the event rule matching the clearing event sets the severity to something other than Clear, the alert does not seem to get closed.
You need to have a different event rule for the clearing event that does not set the severity.
