Documentation is now available for the Fall 2020 Update release!

Alert First Response Overview

Provides information about the definitions of policy modes as well as the usage of various settings.

Leave Feedback

Introduction

An alert correlation policy defines user settings (described below) that OpsRamp applies in taking first response actions on alerts.

Policy modes

The following policy modes are supported:

  • Off
  • Observed
  • Recommend
  • On

Off

In this mode, the policy is inactive and has no effect on your alerts. You can use this mode to review a newly defined policy, before changing into one of the other modes.

Observed

This mode allows you to simulate the effect of a policy, without impacting your alerts.

In this mode, the policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would have been taken on the original alert if the policy were in On mode. The observed alert includes a link to the original alert.

Recommend

In this mode, the policy creates a recommendation for actions that you should take on the alert. Recommendations are based on OpsRamp’s learning from historical alerts. The recommendation includes a link to take the action.

On

In this mode, the policy takes automated actions on your alerts.

Filter criteria setting

This setting helps select alerts to which the policy applies.

Alert Pattern Actions

Suppress seasonal alerts setting

With this setting, the system suppresses alerts that occur regularly, at around the same time. For example, a high CPU utilization alert that occurs nightly at around 1:00 AM due to a scheduled backup job on a server that usually goes back to the OK state, by 1:30 AM.

Alert Attribute Actions

Suppress alerts

With this setting, you can create suppression conditions to suppress alerts that have certain alert attributes.

User-defined configuration

The following are the user-defined suppression conditions. These suppression conditions are applicable to the alerts filtered using the Native and Custom attributes in Filter Criteria.

  • Do not suppress: Refers to never suppressing an alert.
  • Suppress Always: Refers to suppressing an alert every time it occurs.
  • Suppress for a specific duration: Refers to suppressing an alert for a specific duration. After the duration is over, the system un-suppresses the alert.

Learned configuration

Train the system to suppress alerts using a training file or through continuous learning of the historical data (machine-learning).

Continuous Learning

Train the system to learn the alert patterns from historical data and suppress accordingly. The continuous learning option instructs the system to continuously update its learning models, from recent data.

Training file

Train the system to detect and suppress alerts with specific characteristics added to a training file.

Run processes

With this setting, a process definition runs on alerts that are expected. For example, assigning an alert as a user task to an assignee.

User-defined configuration

Add the required process definition ID(s) to the policy.

Learned Configuration

Train the system to run process definitions for specific alerts.

Continuous Learning

The system can learn and run process definitions on specific alerts by analyzing the historical data.

Training file

In addition to continuous learning, train the system to run specific process definitions on known alerts. The training data can be provided using a training file. Specify the list of processes to run for certain types of alerts. In the runtime, the corresponding processes are invoked using the alert as the input.

Key Considerations

  • If the data is not accurate in the training file, the system uses the learned historical data (Continuous Learning).
  • If the alert is suppressed, the run process is not applied. The run process is applied later only when the alert is unsuppressed.
  • Higher priority is given to a policy that is in Enabled mode and contains the user-defined conditions.
    An action can have one or more policies. The priority rule is applied only when one action qualifies for multiple policies. For multiple policies, during the run time, the system initially checks the policy mode and gives higher priority to the policy having the ON mode. If the policy contains user-defined conditions (Suppress for a specific duration), then the alert is suppressed accordingly.
  • The system provides the following order of priority for the execution of a policy:
    • Policy modes: ON —-> Recommend —-> Observed
    • First response conditions: User-defined setting —-> Training file —-> Machine-learning

What to do next