Hi Scott,
You will need to configure an Alert Correlation Rule to ensure that only the causal alert is classified as a primary alert and the symptomatic alerts are classified as secondary alerts. You begin by first determining the criteria for identifying the primary and secondary alerts. For example, if the alerts are bound to CIs you can use the Configuration item.Class related field to check if the alert's CI is an IP Router. You might then include the alert's Type or Description field in the Primary alert condition to further match the primary alert. In the Secondary alert condition, you could use the Configuration item.Class related field to check if the alert's CI is a Server (or relevant CI class), and again use other fields to ensure you'll correlate the correct alerts.
You can also leverage relationships between CIs in the CMDB (see example in Create an alert correlation rule), so provided Alerts are bound to CIs and the CIs are related (e.g. you're using Discovery and have dependency relationships in the CMDB) you can specify a Relationship type, and then choose the relevant Relationship (Hint: find the Router CI in the CMDB, check the dependency map, and hover over a relationship link e.g. Depends on: Used By).
Using the example above, you'd select Primary is Parent for the Relationship type and then choose Depends on::Used by as the Relationship.
You can also set the Time difference to limit the window in which the rule can be applied to alerts arriving (default is 60 minutes).
The Alert Correlation Rule ends up looking like this:
You can also extend the example above to cater to other CI classes - use the OR operator for the Configuration item.Class field in the Secondary Alert condition.
Now when an event arrives for the router and is followed within 60 minutes by another event for the Windows cluster (in this example), the Windows cluster alerts will be correlated to the router alert:
The final step is to create an Alert Action Rule and configure the filter condition to only create an Incident for an alert where the Role in Group field is set to Primary. You may also need to set the Order field to ensure the rule is triggered before other Alert Action Rules that may also create Incidents for alerts that are not using the Role in Group field.
An alternative to using Alert Correlation Rules is to use the Alert Aggregation feature in Event Management. This takes a machine-learning based approach to correlating alerts, using time-based analysis of alerts to create Automated alert groups and also CI relationships to create CMDB alert groups. This requires a dedicated MID Server to perform the processing and will require you to review and provide feedback on the initial grouping results so the learned patterns can be refined. Note that if you use this approach, you would still configure an Alert Action Rule as mentioned above.
Hope this helps.
Hi Scott,
You will need to configure an Alert Correlation Rule to ensure that only the causal alert is classified as a primary alert and the symptomatic alerts are classified as secondary alerts. You begin by first determining the criteria for identifying the primary and secondary alerts. For example, if the alerts are bound to CIs you can use the Configuration item.Class related field to check if the alert's CI is an IP Router. You might then include the alert's Type or Description field in the Primary alert condition to further match the primary alert. In the Secondary alert condition, you could use the Configuration item.Class related field to check if the alert's CI is a Server (or relevant CI class), and again use other fields to ensure you'll correlate the correct alerts.
You can also leverage relationships between CIs in the CMDB (see example in Create an alert correlation rule), so provided Alerts are bound to CIs and the CIs are related (e.g. you're using Discovery and have dependency relationships in the CMDB) you can specify a Relationship type, and then choose the relevant Relationship (Hint: find the Router CI in the CMDB, check the dependency map, and hover over a relationship link e.g. Depends on: Used By).
Using the example above, you'd select Primary is Parent for the Relationship type and then choose Depends on::Used by as the Relationship.
You can also set the Time difference to limit the window in which the rule can be applied to alerts arriving (default is 60 minutes).
The Alert Correlation Rule ends up looking like this:
You can also extend the example above to cater to other CI classes - use the OR operator for the Configuration item.Class field in the Secondary Alert condition.
Now when an event arrives for the router and is followed within 60 minutes by another event for the Windows cluster (in this example), the Windows cluster alerts will be correlated to the router alert:
The final step is to create an Alert Action Rule and configure the filter condition to only create an Incident for an alert where the Role in Group field is set to Primary. You may also need to set the Order field to ensure the rule is triggered before other Alert Action Rules that may also create Incidents for alerts that are not using the Role in Group field.
An alternative to using Alert Correlation Rules is to use the Alert Aggregation feature in Event Management. This takes a machine-learning based approach to correlating alerts, using time-based analysis of alerts to create Automated alert groups and also CI relationships to create CMDB alert groups. This requires a dedicated MID Server to perform the processing and will require you to review and provide feedback on the initial grouping results so the learned patterns can be refined. Note that if you use this approach, you would still configure an Alert Action Rule as mentioned above.
Hope this helps.
