Clear event to close the alert.

‎10-16-2018 11:26 AM
We have a scenario where, if the monitoring system sends a critical incident, it should be assigned to Group A; if a warning event is received, it should be assigned to Group B. This can be achieved by event rules; the tricky part is how to close the alert when the source, i.e. the monitoring system, sends a clear event? As event rules are severity driven, the severity of clear events differs.
Has anyone implemented something like this before?
Labels: Event Management
‎10-16-2018 12:24 PM
Will the clear event not have the same Message Key as the original event? If it does, you should be good, automatically.
Steve

‎10-17-2018 07:22 AM
This is the tricky part, Steve. As we need two separate incidents, we included severity in the message key. When the clear comes in, the value of severity changes. So does the message key.
‎10-17-2018 07:34 AM
Honestly, you seem to have a process issue here. There are many ways to do this, but incident management really should be the one to decide when to escalate, and then it should pull it from CI support group attributes. Either way, this won't work unless you correlate the 2 alerts together so that when the clear comes in it would cancel them both out, but since you are using severity that will actually not work at all (as the message key would be changed).
I would suggest you take a step back and remove severity from the message key and work on a better way to open up a separate incident or have the incident be re-assigned to a new team (which should be the way it works; otherwise you are doubling up incident generation for no reason).
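The correlation problem discussed in this thread, as an added example that is not part of any post and is not ServiceNow code: a simplified model in which an event binds to the alert with the same message key and a clear event closes that alert. The node and metric names, the severity strings and every function name here are assumptions made for the illustration.

```javascript
// Simplified model of message-key correlation (constructed; not ServiceNow code).
// Assumption: an event binds to the alert that has the same message key,
// and an event with severity "clear" closes that alert.
const GROUP_BY_SEVERITY = { critical: "Group A", warning: "Group B" };

function correlate(events, keyOf) {
  const alerts = new Map(); // message key -> alert
  for (const ev of events) {
    const key = keyOf(ev);
    const alert = alerts.get(key);
    if (ev.severity === "clear") {
      // A clear can only close an alert it shares a key with.
      if (alert) alert.state = "Closed";
      continue;
    }
    const group = GROUP_BY_SEVERITY[ev.severity];
    if (alert) {
      // Same key: update the existing alert and re-derive its group.
      Object.assign(alert, { severity: ev.severity, group, state: "Open" });
    } else {
      alerts.set(key, { key, severity: ev.severity, group, state: "Open" });
    }
  }
  return [...alerts.values()];
}

// Constructed sample: a warning escalates to critical, then the source clears.
const sampleEvents = [
  { node: "app01", metric: "cpu", severity: "warning" },
  { node: "app01", metric: "cpu", severity: "critical" },
  { node: "app01", metric: "cpu", severity: "clear" },
];

// The two key designs compared in the thread.
const keyWithSeverity = (ev) => `${ev.node}:${ev.metric}:${ev.severity}`;
const keyWithoutSeverity = (ev) => `${ev.node}:${ev.metric}`;

function openAlerts(keyOf) {
  return correlate(sampleEvents, keyOf).filter((a) => a.state === "Open");
}

console.log("severity in key     ->", openAlerts(keyWithSeverity));
console.log("severity not in key ->", openAlerts(keyWithoutSeverity));
```
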

‎10-17-2018 08:21 AM
I understand your point here, but our CMDB is not mature enough to decide the assignment group based on CI and link the CI support group.
There is no other attribute that the source embeds that can actually be used to differentiate the event.
Note: We are transforming and escalating the same event as the severity of the event escalates; I guess it's just a different process altogether. We want to rely on the monitoring tool more when it comes to escalation.
I want to understand more about the reassignment piece. We don't get the assignment group from the source; we compose it as part of event rules. Are you proposing to have two rules, one for warning and one for critical, of the same order and same message key?