
Alert Correlation Overview

Provides information about the definitions of policy modes, usage of various settings, and information about sequences.


Introduction

An alert correlation policy defines user settings (described below) that OpsRamp applies in correlating alerts.

Policy modes

The following policy modes are supported:

  • Off
  • Observed
  • Recommend
  • On

Off

In this mode, the policy is inactive and has no effect on your alerts. You can use this mode to review a newly defined policy before changing it to one of the other modes.

Observed

This mode allows you to simulate the effect of a policy without impacting your alerts. The policy creates an observed inference, which simulates the inference that the policy would have created if it were in On mode. The observed inference includes links to the alerts that would have been correlated into it.

On

In this mode, the policy takes automated actions on your alerts.

Filter criteria setting

This setting selects alerts to which the policy applies. This is for exceptional situations, where you have known alerts that must not be correlated with other alerts.

Inference subject setting

This is an optional setting. By default, an inference assumes the same subject as the alert with the earliest created date within the inference. You can specify a given subject to override this default.

Learned sequences

OpsRamp’s core correlation algorithm correlates alerts that occur together often, at around the same time. OpsRamp can learn such common alert sequences based on historical data.

The continuous learning option instructs OpsRamp to continuously update its learning models from recent data.

Trained sequences

In addition to continuous learning, you can also train OpsRamp to correlate known alert sequences that you specify. You can provide these known sequences through the advanced option.

Time-based sequences

OpsRamp can also correlate alerts that simply occur together in the same time window. For example, correlate all alerts that occur within 5 minutes of each other. You can specify this time window with the within time window setting.
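An added example, not OpsRamp code or its algorithm: a minimal Python model of a time-based sequence policy, combining the within time window setting with the filter criteria and inference subject settings described earlier, for the Off, Observed, and On modes. The function and field names, the sample alerts, and the rule that a lone alert forms no inference are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real OpsRamp data): (created, resource, subject)
SAMPLE_ALERTS = [
    ("2020-10-01T10:03:00", "server-01", "Host unreachable"),
    ("2020-10-01T10:00:00", "switch-01", "Interface down"),
    ("2020-10-01T10:02:00", "backup-01", "Scheduled backup running"),
    ("2020-10-01T10:04:30", "app-01", "HTTP 503 from checkout"),
    ("2020-10-01T10:30:00", "db-02", "Disk usage high"),
]


def correlate(alerts, window_minutes=5, mode="On", subject=None,
              applies=lambda alert: True):
    """Group alerts that all fall within one time window into inferences.

    Hypothetical model of the settings described above, not OpsRamp's algorithm.
    """
    if mode not in ("Off", "Observed", "On"):
        raise ValueError(f"mode not modelled here: {mode}")
    if mode == "Off":
        return []  # inactive policy: no effect on alerts
    window = timedelta(minutes=window_minutes)
    selected = sorted(
        (dict(created=datetime.fromisoformat(t), resource=r, subject=s)
         for t, r, s in alerts),
        key=lambda a: a["created"],
    )
    selected = [a for a in selected if applies(a)]  # filter criteria setting

    groups = []
    for alert in selected:
        # Anchor each group on its earliest alert, so every pair in the
        # group is within the window of each other.
        if groups and alert["created"] - groups[-1][0]["created"] <= window:
            groups[-1].append(alert)
        else:
            groups.append([alert])

    return [
        {
            # Default subject: the alert with the earliest created date.
            "subject": subject or group[0]["subject"],
            "observed": mode == "Observed",  # simulated, alerts untouched
            "resources": [a["resource"] for a in group],
        }
        for group in groups
        if len(group) > 1  # assumption: a lone alert forms no inference
    ]
```

Running a policy in Observed mode over historical alerts with different window sizes shows which alerts would be merged before the policy is switched to On.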

Learning reinforcement

OpsRamp applies additional criteria in making correlation decisions on learned, trained, and time-based sequences.

Topological relationships

Alerts that occur at around the same time, and are from resources that are connected, are usually related to the same underlying cause. For example, a switch that fails will also cause a cascade of alerts on downstream servers and applications.

In deciding whether to correlate a sequence of alerts into an inference, OpsRamp applies a higher weight to sequences in which the associated resources are topologically related.

Attribute similarity

Alerts can be related to the same underlying cause if they:

  • Occur at around the same time.
  • Have attributes that are identical or similar.

For example, an application failure may generate multiple alerts that have a similar subject.

OpsRamp can incorporate attribute similarity criteria in correlating sequences. You specify different similarity criteria with the alert similarity setting.

What to do next