Duplicate alert created - Alert clustering definition

Madhan27 · a month ago

HI Community,

I would appreciate your guidance in the Event Management space. I triggered 3 alerts with the same node. It was tagging with alert clustering tag "Groups alert with same node". And 3 alerts were grouped and the earliest and highest priority alert will becomes the parent alert and incident is creating for that.

Along with the 3 incidents, Some how it is creating an 4 alert because of the grouping and making as an primary alert and incident was creating for this.

So in this group we can see two incidents created. Once incident for the secondary and one for the primary.

ASK: I don't want the extra primary alert to be created other than the alerts which I created.

TIA
#Eventmanagement #AlertGrouping #ClusteringDefinitions #ITOM

Mannapuram · a month ago

When the grouping happens, it's considered as the earliest than the alerts. You can add a condition, the Incident is created only for the direct latest alert but not for the type of Group.

Madhan27 · 4 weeks ago

@Mannapuram where do we have that condition to add? I don't see in the alert management rules?

Mannapuram · 4 weeks ago

@Madhan27 If you don't want two incidents created for the Secondary and Primary, there is a property 'evt_mgmt.avoid_int_enabled', which disables the Incident creation on the secondary since an incident already exists for the primary alert.

Madhan27 · 4 weeks ago

@Mannapuram its already enabled. Before it used to create incident for every alert from primary and secondary. Now it’s disabled creating INC for the secondary group but leaving the first created alert from that group. The target is to eliminate the shell created primary for that group.