Event Management - Flood control of events from an event source.

Nataraj Gedela
Tera Contributor

Sometimes there is a flood of events from an event source, which is leading to the creation of 10K+ alerts, and due to alert correlation rules all the alerts are getting grouped and only one incident record is getting created.

What configuration can be done in Event Management such that after a certain number of alerts are created under an alert correlation rule, further creation of alerts is stopped for a certain period of time?

Also, if there is a situation like 10k+ alerts getting correlated under a single incident, will there be any impact on system performance?


mohdarbaz
Kilo Guru

Hi @Nataraj Gedela ,

1. You can use an 'alert suppression rule' to prevent the creation of new alerts after a certain threshold is reached. You can give conditions based on which alerts should be suppressed (e.g., after a certain number of alerts are created).

2. When 10k alerts are correlated under a single incident, yes, it can impact system performance. To mitigate this, you can:

- Optimize your correlation rules to limit the number of alerts grouped together.
- Implement alert suppression and rate limiting to reduce the overall number of alerts.
- Monitor system performance and adjust configurations as needed.

If my response helped, please mark it correct/helpful and close the thread so that it benefits future readers.

Regards,

Mohd Arbaz.

Thank you for your response, Mohdarbazma!!
I couldn't locate the "alert suppression rule" module. Please let me know if there is any documentation link or KB available to make this configuration.

If you are referring to the "threshold" option in the event rule, this option helps us to start creating alerts after a certain number of events are generated. We want the other way around, where alerts are not created after a certain number of alerts have been created in a specific time.


@Nataraj Gedela, an 'alert suppression rule' is not OOTB. Instead, check this article. Hope this helps.

Set a threshold to suppress alert generation

Regards,

Mohd Arbaz.
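
The count-then-suppress behaviour asked about in this thread, as an added standalone example (not code from the thread or from the ServiceNow platform): a small JavaScript simulation in which each source may produce at most `threshold` alerts within a sliding window, after which that source is suppressed for a fixed period and the crossing is reported once so the caller can raise a single summary alert instead of thousands. The class name, option keys and sample events are this example's own assumptions.

```javascript
// Added example (not ServiceNow code): count-based flood control for alerts
// from one event source. FloodGate and its option keys are assumptions made
// for this example, not platform fields or APIs.
class FloodGate {
  constructor(opts) {
    this.threshold = opts.threshold;   // alerts allowed per source per window
    this.windowMs = opts.windowMs;     // sliding window for the count
    this.suppressMs = opts.suppressMs; // how long to suppress once tripped
    this.state = new Map();            // source -> per-source bookkeeping
  }

  // Decide whether an event from `source` at time `now` (ms) may become an alert.
  admit(source, now) {
    let s = this.state.get(source);
    if (!s) {
      s = { times: [], suppressedUntil: 0 };
      this.state.set(source, s);
    }
    if (now < s.suppressedUntil) return { create: false, reason: 'suppressed' };
    // Forget admissions that fell out of the sliding window.
    while (s.times.length > 0 && now - s.times[0] >= this.windowMs) s.times.shift();
    if (s.times.length >= this.threshold) {
      // Threshold reached: start the suppression period and signal it once,
      // so the caller can open a single summary alert for the flood.
      s.suppressedUntil = now + this.suppressMs;
      s.times = [];
      return { create: false, reason: 'threshold_reached' };
    }
    s.times.push(now);
    return { create: true, reason: 'ok' };
  }
}

// Constructed sample: a 20-event burst from one source, one event from another,
// then one more from the first source after its suppression period has expired.
function runSample() {
  const gate = new FloodGate({ threshold: 5, windowMs: 60000, suppressMs: 300000 });
  const events = [];
  for (let i = 0; i < 20; i++) events.push({ source: 'router-01', t: i * 1000 });
  events.push({ source: 'db-02', t: 10000 });
  events.push({ source: 'router-01', t: 305000 });
  const counts = { ok: 0, threshold_reached: 0, suppressed: 0 };
  for (const e of events) counts[gate.admit(e.source, e.t).reason] += 1;
  return counts; // { ok: 7, threshold_reached: 1, suppressed: 14 }
}
```

Only the `ok` decisions would become alert records; the single `threshold_reached` decision is the point at which a summary alert for the flood would be opened.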

 

Jeffreys Quinti
Tera Contributor

Hi Nataraj,

You could set up an 'API Rate Limit' to protect your instance from event floods. You can pair it with a business rule that opens an alert when the rate limit threshold is reached so you can take action.

Hope it helps