How to combine events generated for same instance within next 2 hours

Community Alums · ‎03-07-2023

I want to link both the events to same alert if the node/instance is same for the events generated in last 2 hours.

How I can configure event rule for this definition?

Ryan Zulli · ‎03-13-2023

If the event has the same message_key we will always deduplicate to the same Alert - I would suggest escalating the alert using notifications or flow designer after 2hrs rather than creating a brand new alert for the same issue.

View solution in original post

Ryan Zulli · ‎03-13-2023

If the event has the same message_key we will always deduplicate to the same Alert - I would suggest escalating the alert using notifications or flow designer after 2hrs rather than creating a brand new alert for the same issue.

Community Alums · ‎03-14-2023

Hi Ryan,

Thank you for your suggestion but client wants to have new alert if time difference is more than 2 hours even if the events have same message key. Is there any way to configure this?

I saw one property evt_mgmt.update_alert_restricted_fields_elapsed_time (Minimum time in seconds before updating an alert for identical events). Can you please explain the significance of this property & if i can use the same?

Ryan Zulli · ‎03-14-2023

This defeats the purpose of reducing the noise, so we would not suggest this approach. That said - you could create a sub flow that watches for all alerts (wait timer) that are older than 2hrs and not acknowledged and then insert another Alert. We do not allow/recommend business rules on the em_event table - so you'd have to do this at the Alert level.

Sounds to me they are trying to fix process problem with technology - never a good idea.