I have a confusion about event rules and mapping rules creating alerts

DrewW · ‎03-29-2023

We have started using Event Management and its been a really long time for me and I'm getting the following and people are asking if it can be prevented and I cannot find anything that indicates I can change it.

We have an Event rule for solarwinds that should create an alert when a server is down. We then created a mapping rule to map the fields. The issue is that we keep seeing the following in the Processing Notes field.

No event rule applied
Mapping rule(s) applied: solarwinds-icon-severity

So an alert is being generated even when there is no rule that applies because there is a mapping rule. How do I prevent these alerts from being generated? If there is no event rule that applies I do not want an alert, even if the system thinks it should create one using the mapping rules.

Please and thanks....

Ryan Zulli · ‎05-22-2023

In this case, create a master event rule that ignores everything (set to a much lower priority) and then have your existing rules set higher (so they trigger first) - however just be aware you may "miss" events if you're not on top of keeping the event rules up to date.

View solution in original post

DrewW · ‎05-22-2023

Maybe I misunderstood something you were trying to tell me.

You are saying we need an event rule that applies to all sources that says to ignore the events that match that rule and make the order something like 1000000 so it runs dead last?

Ryan Zulli · ‎05-22-2023

correct - I will research if there is a way to disable the OOB Severity to Alert function, but I believed its baked into source code. So a work around is the ignore rule.

DrewW · ‎05-22-2023

Just to be clear the order needs to be a high value on the ignore everything rule, not lower, lower order rules go before higher order rules and you want a rule that basically tells the system to do nothing if none of the other rules applied to the event.

Ryan Zulli · ‎05-22-2023

yes you are correct - some customers will have a "catch-all" rule for each source as they onboard new sources, they'll ignore everything and let events in slowly as they can handle them. In your case similar - make sure the ignore event rule runs last in its group. (or if you have 1 ignore rule, let it run last out of everything)