How to set a rule that aggregates multiple alerts into a single incident

Mamina · ‎05-18-2020

Hi all,

I want to set a rule that aggregates multiple alerts into a single incident. I feel that the following settings are different from the correlation rules, but I would like to know the setting method.There are two rules I want to set,

rule1,
When 15 or more alerts are detected from 1 minute in one monitoring server (or MIDServer), they are all aggregated into one incident. In that case, the type of CI or alarm content does not matter.

rule2.
When 2 or more alarms are detected from the same CI in 4 minutes, they are aggregated into 1 incident. In that case, the content of the alarm does not matter.

If anyone knows, please let me know.

Best　Regards,
Mamina

Mamina · ‎05-26-2020

Hi RP,

Thank you for your reply. I want to set two rules.

The first is,
When "Initial event generation time" is less than 1 minute and "Sorce Incetance" has the same "15 or more" alarms, I want to generate them all.

The Second is,
Alerts generated from "the same Node" "for 4 minutes" are aggregated into one incident "regardless of content".

How should I set alert correlation rule or Alert management rule?I apologize for the inconvenience, but I would appreciate it if you could answer.

Regards,

Mamina