Rahul -- how do these event rule thresholds work with singleton events?  SolarWinds creates "edge" events -- which means you get one event every time an object changes state.  I think the threshold settings are designed to handle repetitive events, although there are special use cases for singleton events that are dandy -- such as auto clearing "milepost" events like "cold start" and so forth.

Unless there are have been recent developments in ITOM, I don't think the event rule thresholds are the only way to delay alert creation -- and then only "x in y" situations with x > 1.  Jason might say otherwise.

Another challenge is that your are cautioned against altering the alert record format, otherwise you might be able to add a "visibility" flag to your alerts and construct something that might look like this:

1. Write your event rule to set the visibility flag to "hidden" when the event arrives.  The alert will still get created, but the alert will be hidden from the user.

2. Write an alert management rule to match these hidden alerts, and have that rule kick off a Flow Designer remediation.

3. In Flow Designer, wait for 5 minutes.  Then check the alert to see if it is still open.  If so, change the value of the visibility flag so that operators can see the alert and end the flow.

Any unused field in the alert record can be your visibility flag -- just consider whether it is available across all of your event types before you commit to it.

This is just an idea.  In our shop, we use a similar-but-different technique to decide whether or not to create an incident for a new alert -- we give the alert 10 minutes to close itself before we start waking people up...

Good Luck!

Greg Hubbard