What relationships to a Business/Application Service will cause an Alert on a CI to change the status of the Business/Applicaiton Service?

DuaneNMore · ‎02-14-2019

We use Microsoft Systems Center Operations Manager to monitor the availability of some applications by running a synthetic transaction against a URL, and then if it doesn't meet some threshold or behavior regarding response, we send an event to SN where the URL is the thing that is busted. We have an event rule which will bind the CI to the cmdb_ci_endpoint_http which is an entry point for a Application Service that has been mapped. The event marches through, becomes an Alert and then an Incident.

Currently we have a support group associated with the endpoint so that the incident goes to the proper team. But the issue here is that now we have an outage or failure represented by this incident, yet the status in the Event Management Dashboard for the associated business service is ALL GREEN.

Clearly it is not using svc_ci_assoc to derive this. DOes it have to exist in the Impact Graph (em_impact_graph) for the Application Service in order for the alert to affect the Application Service status?

robertgeen · ‎02-14-2019

As far as I know it uses svc_ci_assoc table to populate the em_impact_status and em_impact_graph as well as some of the other layers. I suspect what is happening here though is that those entry points are taken as a special type. Do a quick test can you generate an alert that ties to the server that is on that endpoint? If it's in your service map it should match but my guess is because they use svc_ci_assoc table and other table to link the endpoints to the infrastructure that is impacted that they don't look at it as an actual impact on the business service.

DuaneNMore · ‎02-18-2019

I generated an event which bound to the http endpoint associated with the Business Service. The alert map did not update. The scv_ci_assoc entry exists relating the endpoint to the Application Service. Generating an alert for the server that the Endpoint is on doesn't work when you are using load balancing. I tried adding a relationship to em_impact_graph, but it got culled from that very quickly.

Problem here is that with a complex business service; we may receive an alert from the Application Monitoring system that some URL being monitored which indicates some absolute failure (i.e. no response received) or some performance threshold failure (response recieved but not in the desired time frame. When we receive that alert there is something going on with the application but we may not be recieving an infrastructure alert yet either due to polling period; or possibly it is some application failure which doesn't show up in monitoring.

robertgeen · ‎02-18-2019

DuaneNMore,

So typically application performance monitoring I always try to tie it back to an effected services instead of an endpoint. Now one thing you could do in this case is that in the postbind create/update scripts you could query the svc_ci_assoc table and find out what that endpoint supports and then override the CI to the manual service. This should cause the impact to show on the service map. I hope this helps.

Balaji14 · ‎02-19-2019

From my understanding, the service maps shows CI's on which the application is hosted and running its services. The endpoint of it would be simple relationship depiction from one CI to another. So if am not wrong, binding the alert to an endpoint will still keep the map and the dashboard green.

If the Binding is done to the CI directly then the dashboard would show some changes accordingly, since the CI is available as a component on the map, rather than a endpoint relationship depiction.

If multiple monitoring tools are integrated you can make use of alert correlation rule, to rule out the unnecessary ones and keep the primary alerts to be showcased on the map.