Event Management: Keeping clear event from closing alert when alert has associated incident
03-27-2023 12:50 PM
If I have an active incident associated with an alert, I don't want clear events closing the alert. Otherwise, if there is no active incident, the clear event should go ahead and close the alert. Is there any way to achieve this?

03-27-2023 09:28 PM
Hi Chris
If I see this - Clear event comes when threshold breach is not detected on node, and this is observed in next polling cycle.
Incident active - If Clear event is closing the ALERT it should do. In last polling cycle there was threshold breach, that's why incident was active.
This behavior is OOTB available.
===========
The first thing you need to understand is that if the monitoring source is sending a clear message, then what matters is that the message_key that is generated matches on the alert that is already there, and it should auto close it. Out of the box, if you aren't setting a message key, it will concatenate Source, Type, Node, Resource, and Metric Name to make one. The second thing that can be done is, if it doesn't typically send a clear but resets back to info or something, and there is another attribute which dictates that it's resolved, then you can have the monitoring endpoint set the Resolution_state attribute on the event to Closing, and this will auto close the alert it matches to.
===========
Regards
RP
03-30-2023 05:17 AM
I read the response, and I don't see an answer to the question. What I'm asking is if there is a way to keep a clear event from automatically closing an alert which has an associated active incident. If an incident has been created and associated to the alert, I need it to be researched for root cause, even if the monitoring system subsequently sends a clear event. However, if the alert does not have an active incident, then I want to maintain the existing behavior where a clear event will auto close the alert.
03-30-2023 05:25 AM
Maybe some more clarification would help. If an alert which has an active incident is closed, then the associated incident is also resolved. So if I have a situation where an event rule created an alert, and an alert rule triggered creation of an associated incident. That incident gets assigned so that someone can research the issue. If a clear event comes in matching the alert, because it has an associated incident which I still need to be researched...I don't want the clear event to auto close the alert which in turn resolves the incident. I need the incident to remain active.
However, if an event triggered an event rule and created an alert, but no alert rule generated an associated incident, then I am fine with a matching clear event auto closing the alert.

03-30-2023 07:13 AM
In my view, Incident is Break Fix and makes the services UP... For detailed RCA you can have a Problem Ticket... This is process standpoint...
Technically - You can stop this closure on Clear Event by using changes in OOTB codes.
Regards
RP