Setting Event Management Threshold

Looper23
Tera Contributor

‎04-04-2022 07:43 PM

I have a requirement where I need to not create an Alert for the same node if I get a Clear from it within 10 minutes. So for example I receive an Event for Node1 at 10:23:00 with Severity as Major. Then at 10:25:00, I receive another Event from Node1 with Severity as Clear. How do I set Threshold so it doesn't create an Alert but only creates it if the Event came in at 10:33:00 or after for the same Node.

Labels:
0 Helpfuls
  • 1,409 Views
7 REPLIES 7

Rahul Priyadars
Tera Sage
Tera Sage

‎04-04-2022 08:46 PM

10:23 - Event 1 (Major) --> Spin Alert A1

10:25 - Event 2 (Clear)--> Alert A1 will be Closed

So if your Monitoring Tool Send another Major event after 10:25 and before 10:33 - It will re-open the A1 and keep opening if another comes within next 10 minutes? Please confirm

And make a new one if nothing comes for A1 till 10:33 then spin a new Alert A2?

Please confirm the behavior .

You can set threshold with time and frequency which is OOTB in event rule.

You can achieve by setting re-open closed parameter to 10 Minutes in properties. So if anything happens within last 10 minutes it will re-open else it will create a new one.

find_real_file.png

 

Hope this helps.

Regards

RP

Preview file
15 KB

Looper23
Tera Contributor
In response to Rahul Priyadars

‎04-05-2022 07:06 AM

So right now, all we getting is two Events for one alert. We get Major/Warning and then few seconds or minutes later we get a Clear. What that does is create an Incident and then closes it right away. In order to mitigate that, what we want to do is this; once you receive an Event, for CPU/Memory saturation, wait 10 minutes before creating an alert. If you don't get a Clear within 10 minutes, then go ahead, create the Alert. If you do get Clear within 10 minutes, then never create an Alert. 

Let me know if that makes sense. Thanks! 

 

0 Helpfuls

Raj_Esh
Kilo Sage
Kilo Sage

‎04-04-2022 11:29 PM

Hi Looper,

 

Have you tried the Alert correlation rules? Looks as below:

 

find_real_file.png

 

Hope it helps.

 

Thanks,

Raj

--Raj
Preview file
56 KB
0 Helpfuls

Looper23
Tera Contributor
In response to Raj_Esh

‎04-05-2022 12:20 PM

Not sure if this will help with the issue since we want to NOT create an Alerts for the Events that have the same messageID but we created within 10 minutes of each other. Is there any other place I can edit that setting?  

0 Helpfuls