Alert Correlation Overview

Provides information about the definitions of policy modes, usage of various settings, and information about sequences.

Introduction

An alert correlation policy defines user settings (described below) that OpsRamp applies in correlating alerts.

Policy modes

The following policy modes are supported:

- Off
- Observed
- Recommend
- On

Off

In this mode, the policy is inactive and has no effect on your alerts. You can use this mode to review a newly defined policy before changing to one of the other modes.

Observed

This mode allows you to simulate the effect of a policy without impacting your alerts. The policy creates an observed inference, which simulates the inference that the policy would have created if it were in On mode. The observed inference includes links to the alerts that would have been correlated into it.

On

In this mode, the policy takes automated actions on your alerts.

Filter criteria setting

This setting selects alerts to which the policy applies. This is for exceptional situations, where you have known alerts that must not be correlated with other alerts.

Inference subject setting

This is an optional setting. By default, an inference assumes the same subject as the alert with the earliest created date within the inference. You can specify a given subject to override this default.

Learned sequences

OpsRamp's core correlation algorithm correlates alerts that occur together often, at around the same time. OpsRamp can learn such common alert sequences based on historical data.

The continuous learning option instructs OpsRamp to continuously update its learning models from recent data.

Trained sequences

In addition to continuous learning, you can also train OpsRamp to correlate known alert sequences that you specify. You can provide these known sequences through the advanced option.

Note: You can provide training data using a training file.

Time-based sequences

OpsRamp can also correlate alerts that simply occur together in the same time window. For example, correlate all alerts that occur within 5 minutes of each other. You can specify this time window with the within time window setting.

Learning reinforcement

OpsRamp applies additional criteria in making correlation decisions on learned, trained, and time-based sequences.

Topological relationships

Alerts that occur at around the same time, and are from resources that are connected, are usually related to the same underlying cause. For example, a switch that fails will also cause a cascade of alerts on downstream servers and applications.

In deciding whether to correlate a sequence of alerts into an inference, OpsRamp applies a higher weight to sequences in which the associated resources are topologically related.

Attribute similarity

Alerts can be related to the same underlying cause if they:

- Occur at around the same time.
- Have attributes that are identical or similar.

For example, an application failure may generate multiple alerts that have a similar subject.

OpsRamp can incorporate attribute similarity criteria in correlating sequences. You specify different similarity criteria with the alert similarity setting.

What to do next

- Review Event Management in the Concept Guide as background on this topic.
- Review Training File for information on using the training file.
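
The following sketch illustrates the time-based sequences, filter criteria, and inference subject settings described above; it is an added example, not OpsRamp code or its actual algorithm. Assumptions: the function and field names are hypothetical, the window is measured from the earliest alert in each inference, the filter is modelled as an exclusion predicate, and a lone alert is left uncorrelated.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real OpsRamp data): (created, resource, subject)
SAMPLE_ALERTS = [
    ("2024-01-01T10:00:00", "switch-1", "Switch down"),
    ("2024-01-01T10:01:30", "server-a", "Server unreachable"),
    ("2024-01-01T10:04:59", "app-x", "Application timeout"),
    ("2024-01-01T10:05:01", "server-b", "Disk latency high"),
    ("2024-01-01T10:08:00", "server-c", "CPU high"),
    ("2024-01-01T10:30:00", "db-1", "Replication lag"),
    ("2024-01-01T10:02:00", "backup-1", "Backup job failed"),
]

def correlate(alerts, window=timedelta(minutes=5), exclude=None, subject=None):
    """Group alerts into inferences by time window (hypothetical helper).

    window:  every alert in an inference lies within this span of the earliest one.
    exclude: predicate for known alerts that must not be correlated.
    subject: optional override; default is the earliest alert's subject.
    Returns (inferences, uncorrelated_alerts).
    """
    parsed = sorted(
        ({"created": datetime.fromisoformat(t), "resource": r, "subject": s}
         for t, r, s in alerts),
        key=lambda a: a["created"],
    )
    groups, uncorrelated = [], []
    for alert in parsed:
        if exclude and exclude(alert):
            uncorrelated.append(alert)      # filtered out: never joins an inference
        elif groups and alert["created"] - groups[-1][0]["created"] <= window:
            groups[-1].append(alert)        # still inside the open window
        else:
            groups.append([alert])          # window expired: start a new group
    inferences = [
        {"subject": subject or g[0]["subject"], "alerts": g}
        for g in groups if len(g) > 1
    ]
    uncorrelated += [g[0] for g in groups if len(g) == 1]
    return inferences, uncorrelated

if __name__ == "__main__":
    found, rest = correlate(SAMPLE_ALERTS, exclude=lambda a: a["resource"] == "backup-1")
    for inf in found:
        print(inf["subject"], "<-", [a["resource"] for a in inf["alerts"]])
    print("uncorrelated:", [a["resource"] for a in rest])
```

The alert at 10:05:01 falls one second outside the first window, so it opens a second inference instead of joining the switch failure.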