Alert problem area policies extract normalized problem keys from alert content using regex rules. This helps downstream workflows (including correlation and analysis) classify alerts consistently, especially when raw metric text is too generic.
This is especially useful for log-style alerts where the metric is broad but the alert text contains the real failure signature.
Access and purpose
Use this policy when alert subjects or attributes contain useful identifiers that should be extracted into a consistent problem-area value.
Go to Setup > Account > Alert Policies. Select Alert Problem Area and click Create New or + Add.
Permissions typically required:
- OpsQ View to view policies.
- OpsQ Manage to create, edit, delete, and change state.
Policy states
Choose one state:
- Enabled: Policy is active and extraction rules are applied.
- Disabled: Policy is stored but not applied.
In this UI, only these two states are available for alert problem area policies.
General details
| Field | Description |
|---|---|
| Policy Name | Required. Use a clear extraction-focused name, for example Syslog Interface Problem Extractor. |
Policy filter
Use filters to target only the alerts this regex policy should process.
| Field | Description |
|---|---|
| Resource Filter | Optional selector to scope processing to selected resources or resource groups. Use the edit icon to open resource filter criteria. |
| Filter Criteria | Optional query builder. Click + Query to define one or more matching conditions. |
The resource filter criteria dialog uses a query builder with + Query and enables Apply only after query conditions are provided.
Use filters to avoid applying regex extraction to unrelated alert families.
Filtering recommendation:
- Start with metric/source filters first.
- Add finer conditions only when false matches appear.
Policy rules
The Policy Rules section defines regex-based extraction rows.
The form displays one inline rule row by default and supports row-level delete using the trash icon.
Each row has the following fields:
| Field | Description |
|---|---|
| Problem Area | Target property to populate. Example values include InterfaceDown, DiskPressure, and TunnelFailure. |
| Alert Attribute | Source alert field used for extraction. Choose the field that contains the text pattern to parse. |
| Regex and Capture Group | Regex pattern and capture-group logic used to extract values. The UI indicates a regex limit (shown as 1000) and provides a combined input format for regex and capture-group details. |
| + Add Rule | Add another extraction rule row for additional parsing scenarios. This action is enabled when the current row has valid input. |
| Delete Rule (trash icon) | Removes the current rule row. |
Example pattern concept:
- Input text:
Interface ge-0/0/1 is down on RouterA - Regex:
Interface ([^ ]+) is down - Captured value:
ge-0/0/1
Downstream policy impact
Extracted problem area values can influence:
- Alert correlation sequence quality.
- First response and escalation patterning.
- Alert analytics and triage consistency.
Lifecycle note:
- Problem area enrichment applies to new incoming alerts.
- Existing historical alerts are typically not retroactively enriched.
- It can take time for ML-driven features to reflect improved extraction patterns.
Save behavior
- Click Save to create the policy.
- Save remains disabled until required fields are complete.
Validation checklist
Before saving, confirm:
- Policy state is correct.
- Filters target the right alert families.
- Regex expressions are tested against representative alert samples.
- Capture groups return stable, meaningful problem-area values.