Introduction
An alert correlation policy defines user settings (described below) that OpsRamp applies in taking first response actions on alerts.
Policy modes
The following policy modes are supported:
- Off
- Observed
- Recommend
- On
Off
In this mode, the policy is inactive and has no effect on your alerts. You can use this mode to review a newly defined policy before switching to one of the other modes.
Observed
This mode allows you to simulate the effect of a policy, without impacting your alerts.
In this mode, the policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would have been taken on the original alert if the policy were in On mode. The observed alert includes a link to the original alert.
Recommend
In this mode, the policy creates a recommendation for actions that you should take on the alert. Recommendations are based on OpsRamp learning from historical alerts. The recommendation includes a link to take the action.
On
In this mode, the policy takes automated actions on your alerts.
Filter criteria setting
This setting helps select alerts to which the policy applies.
Alert Pattern Actions
Suppress seasonal alerts setting
With this setting, the system suppresses alerts that occur regularly, at around the same time. For example, a high CPU utilization alert occurs nightly at around 1:00 AM because of a scheduled backup job on a server, and the server usually returns to the OK state by 1:30 AM.
Alert Attribute Actions
Suppress alerts
With this setting, you can create suppression conditions to suppress alerts that have certain alert attributes.
User-defined configuration
The following are the user-defined suppression conditions. These suppression conditions are applicable to the alerts filtered using the Native and Custom attributes in Filter Criteria.
- Do not suppress: Refers to never suppressing an alert.
- Suppress Always: Refers to suppressing an alert every time it occurs.
- Suppress for a specific duration: Refers to suppressing an alert for a specific duration. After the duration is over, the system un-suppresses the alert.
Learned configuration
Train the system to suppress alerts using a training file or through continuous learning of the historical data (machine-learning).
Continuous Learning
Train the system to learn the alert patterns from historical data and suppress accordingly. The continuous learning option instructs the system to continuously update its learning models from recent data.
Training file
Train the system to detect and suppress alerts with specific characteristics added to a training file.
Run processes
With this setting, a process definition runs on alerts that are expected. For example, assigning an alert as a user task to an assignee.
User-defined configuration
Add the required process definition ID(s) to the policy.
Learned Configuration
Train the system to run process definitions for specific alerts.
Continuous Learning
The system can learn and run process definitions on specific alerts by analyzing the historical data.
Note
The continuous learning option instructs the system to continuously update its learning models from recent data.
Training file
In addition to continuous learning, train the system to run specific process definitions on known alerts. The training data can be provided using a training file. Specify the list of processes to run for certain types of alerts. At runtime, the corresponding processes are invoked using the alert as the input.
Key Considerations
- If the data is not accurate in the training file, the system uses the learned historical data (Continuous Learning).
- If the alert is suppressed, the run process is not applied. The run process is applied later only when the alert is unsuppressed.
- Higher priority is given to a policy that is in Enabled mode and contains the user-defined conditions.
An action can have one or more policies. The priority rule is applied only when one action qualifies for multiple policies. When multiple policies qualify, the system first checks the policy mode at run time and gives higher priority to the policy in ON mode. If the policy contains user-defined conditions (Suppress for a specific duration), then the alert is suppressed accordingly.
- The system provides the following order of priority for the execution of a policy:
  - Policy modes: ON -> Recommend -> Observed
  - First response conditions: User-defined setting -> Training file -> Machine-learning
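The precedence described in the key considerations above, modeled as an added example (not OpsRamp code and not part of the original page). The `Policy` class, its field names and both function names are hypothetical, and comparing mode first with the condition source as tie-breaker is an assumption about how the two orders combine.

```python
from dataclasses import dataclass

# Precedence orders as listed on this page (lower rank wins).
MODE_RANK = {"On": 0, "Recommend": 1, "Observed": 2}
SOURCE_RANK = {"user-defined": 0, "training-file": 1, "machine-learning": 2}

@dataclass(frozen=True)
class Policy:        # hypothetical model, not an OpsRamp object
    name: str
    mode: str        # Off | Observed | Recommend | On
    source: str      # where the first response condition comes from

def select_policy(candidates):
    """Return the policy that wins for one action, or None if none is active."""
    active = [p for p in candidates if p.mode in MODE_RANK]  # Off has no effect
    if not active:
        return None
    # Assumption: mode is compared first, condition source breaks ties.
    return min(active, key=lambda p: (MODE_RANK[p.mode], SOURCE_RANK[p.source]))

def first_response(suppress_policies, process_policies):
    """Describe what happens to one alert matched by the given policies."""
    suppress = select_policy(suppress_policies)
    process = select_policy(process_policies)
    outcome = {"suppressed": False, "process": "none",
               "suppress_policy": suppress.name if suppress else None,
               "process_policy": process.name if process else None}
    # Only an On-mode policy acts on the real alert; the other modes
    # produce an observed alert or a recommendation instead.
    if suppress and suppress.mode == "On":
        outcome["suppressed"] = True
    if process and process.mode == "On":
        # A suppressed alert gets no run process until it is unsuppressed.
        outcome["process"] = "deferred" if outcome["suppressed"] else "run"
    return outcome

# Constructed sample policies that all match the same alert.
SUPPRESS = [
    Policy("ml-noise", "On", "machine-learning"),
    Policy("maint-window", "On", "user-defined"),
    Policy("draft", "Off", "user-defined"),
]
PROCESS = [
    Policy("assign-task", "On", "training-file"),
    Policy("suggest-task", "Recommend", "user-defined"),
]

if __name__ == "__main__":
    print(first_response(SUPPRESS, PROCESS))
```

Running the same model against an exported policy list is a quick way to spot an On-mode suppression policy that would silently defer a run process you expect to fire.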
What to do next
- Review Event Management in the Concept Guide as background on this topic.
- Review Training File.
- See Managing First Response Policy.