Incident creation based on alert aggregation groups

Sai Subrahmanya · ‎06-05-2020

Hello Everyone,

Recently while I was working on Alert/Incident storm reduction problem, I came across this Alert aggregation and RCA groups. I have implemented this currently. But there is a issue that I'm currently facing, while using alert aggregation grouping Snow is creating different alerts under Automation and CMDB Group names. Now when I see these groups the incidents are being generated for Secondary alerts instead of Primary or Automation or CMDB type, this is only reducing noise in alerts but not helping incidents. My main goal is to reduce the storm of incidents, Can anyone help me with Making Primary or Automation or CMDB group type Alert generate incident and make Secondary alerts not to generate any incidents. Which means just one incident per group.

Thanks in advance,

J. Sai Subrahmanyam

Ashutosh Munot1 · ‎06-06-2020

Hi,

There is already and flow and management rule which will create alert only for primary and not for secondary.:

Name:"Create Incident for Primary Alert"

There is one more event management rule for all alerts called as "Create Incident" Which will be active in your case. So you need to deactivate that and active first one.

Thanks,
Ashutosh

View solution in original post

christianmalone · ‎06-05-2020

You should update or duplicate your create incident flow and modify it to filter out secondary alerts

Ashutosh Munot1 · ‎06-06-2020

Hi,

There is already and flow and management rule which will create alert only for primary and not for secondary.:

Name:"Create Incident for Primary Alert"

There is one more event management rule for all alerts called as "Create Incident" Which will be active in your case. So you need to deactivate that and active first one.

Thanks,
Ashutosh

Ashutosh Munot1 · ‎06-07-2020

HI,

If solved then close this thread so others can use it.

Thanks,
Ashutosh

Sai Subrahmanya · ‎06-07-2020

Thank you @Ashutosh Munot and @christianmalone , I have tried using Create Incident for Primary Alert from Alert Management rule. Now I can see incidents for Primary incidents but, still I can see the incidents being created for Secondary alerts under the Automated and CMDB group. Is there a way that I can suppress these incidents for secondary alerts.