Event Management alert correlation question

Go to solution
Stacey Shapiro
Tera Expert

‎04-21-2022 10:44 AM

Looking to the community to get ideas on how you achieve alert correlation by location. For example: If a site loses network connectivity, we currently get alerts for the network equipment, ESX hosts and all the VMS that are down. This equates to about 15 to 20 alerts some of which are correlated through CMDB grouping which usually boils it down to 9ish alert groupings that the NOC would be creating incidents for. The grouping does not work the same every time in all locations and it still generates a few CMDB groups. Is there a clean way to correlate all the alerts in a single location within a time frame? I was looking at the tag based alert correlation engine as well as creating my own correlation rules but not sure how to get the rules to work off of a CI Location. 

Thanks in advance for sharing ideas. 

Labels:
0 Helpfuls
  • 1,940 Views
1 ACCEPTED SOLUTION

Go to solution
Rahul Priyadars
Giga Sage
Giga Sage

‎04-21-2022 11:19 PM

You may need to use some scripting for same.

This Blog may give you some idea.

https://community.servicenow.com/community?id=community_blog&sys_id=5b8a88b6db9f670011762183ca9619c7

Regards

RP

View solution in original post

5 REPLIES 5

Go to solution
Rahul Priyadars
Giga Sage
Giga Sage

‎04-21-2022 11:19 PM

You may need to use some scripting for same.

This Blog may give you some idea.

https://community.servicenow.com/community?id=community_blog&sys_id=5b8a88b6db9f670011762183ca9619c7

Regards

RP

Go to solution
Stacey Shapiro
Tera Expert
In response to Rahul Priyadars

‎04-25-2022 06:27 AM

Hi thanks for the reply. I have seen that post. Was hoping for additional ideas so if you know anymore please provide 🙂 Thank you!

0 Helpfuls

Go to solution
Rahul Priyadars
Giga Sage
Giga Sage
In response to Stacey Shapiro

‎04-25-2022 07:23 AM

So in Your CMDB a given CI has Location value set?

And It is set for all CI belonging to a Given Location?

Let Say Location A has alert bombardment and >500 alerts created in 10 Minutes.

1-Grab the First Alert and Fetch Host and from Host fetch the location using CMDB -

Let say LOC-A

2-Grab all other Alerts for LOC-A based on host and Mark Them as Secondary Alerts

3-Now Attach all secondary alerts to Primary Alert Identified in Step 1

Regards

RP

0 Helpfuls

Go to solution
GaneshSuresh
Giga Guru

‎07-24-2023 07:17 AM

Were you able to get this done Stacey? Any insights would be helpful!

0 Helpfuls