An alert correlation policy is a mechanism for grouping related alerts into a single inference, so that operators process one inference instead of every individual alert.

Alert correlation is site-specific. Alerts from different sites are managed separately and are therefore never correlated with each other, even if they occur within the same time window.

  • OpsQ View and OpsQ Manage permissions are required to access alert correlation policies.
  • Partner Administrator or Client Administrator roles are required to create an alert correlation policy.

Two alerts are correlated only when the gap between them is less than five minutes. The window is measured between each pair of adjacent alerts, not from the first alert in the group.

Because of this, if alerts keep arriving less than five minutes apart, the overall span of a single correlation can be much longer than five minutes. Take these example alerts:

  • A1: 10:00
  • A2: 10:04
  • A3: 10:07
  • A4: 10:14

A1, A2, and A3 are correlated, because each adjacent gap (4 minutes and 3 minutes) is less than five minutes. A4 is excluded because the gap between A3 and A4 is seven minutes. In this example, the overall correlation time is 7 minutes (10:00 to 10:07), longer than the five-minute gap.
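The following is an added example, not code from the product, that implements the adjacent-gap rule described above and the two related rules stated elsewhere on this page: alerts from different sites are never correlated, and an inference takes the subject of its first alert unless a subject is configured. The alert rows, site names, and subjects are constructed for the example; the behaviour at a gap of exactly five minutes is not specified by the text, so the code treats a gap greater than five minutes as the break (an assumption noted in the comment).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample: the four alerts from the text (A1..A4) on one site, plus
# an alert on a second site that falls inside the same minutes but must not be
# correlated with them because correlation is site-specific.
SAMPLE_ALERTS = [
    ("A1", "site-a", "CPU utilization high on host1", "2024-01-01T10:00:00"),
    ("A2", "site-a", "Ping failed on host1",          "2024-01-01T10:04:00"),
    ("A3", "site-a", "Disk latency high on host1",    "2024-01-01T10:07:00"),
    ("A4", "site-a", "CPU utilization high on host1", "2024-01-01T10:14:00"),
    ("B1", "site-b", "Ping failed on host9",          "2024-01-01T10:02:00"),
]

GAP = timedelta(minutes=5)


@dataclass
class Alert:
    id: str
    site: str
    subject: str
    time: datetime


@dataclass
class Inference:
    site: str
    subject: str
    alerts: list = field(default_factory=list)

    @property
    def span_minutes(self) -> float:
        """Overall correlation time: first alert to last alert in the group."""
        return (self.alerts[-1].time - self.alerts[0].time).total_seconds() / 60


def parse(rows):
    return [Alert(i, site, subj, datetime.fromisoformat(t)) for i, site, subj, t in rows]


def correlate(alerts, gap=GAP, subject=None):
    """Group alerts into inferences using the adjacent-gap rule, per site.

    An alert joins the current inference when its gap to the previous alert
    in that inference is within `gap`; otherwise it starts a new inference.
    Assumption: a gap of exactly `gap` still correlates (the page only
    specifies "less than" and "more than" five minutes).
    """
    inferences = []
    by_site = sorted(alerts, key=lambda a: (a.site, a.time))
    for site, members in groupby(by_site, key=lambda a: a.site):
        current = None
        for a in members:
            if current is None or a.time - current.alerts[-1].time > gap:
                # No subject configured: the first alert's subject is used.
                current = Inference(site, subject or a.subject, [a])
                inferences.append(current)
            else:
                current.alerts.append(a)
    return inferences


def correlated_ids(alerts, **kwargs):
    """Convenience view: alert ids per inference, in order."""
    return [[a.id for a in inf.alerts] for inf in correlate(alerts, **kwargs)]


if __name__ == "__main__":
    for inf in correlate(parse(SAMPLE_ALERTS)):
        ids = ",".join(a.id for a in inf.alerts)
        print(f"{inf.site}: [{ids}] subject={inf.subject!r} span={inf.span_minutes:.0f} min")
```

Running the block reproduces the worked example: A1, A2, and A3 form one inference spanning 7 minutes with the subject of A1, A4 starts a second inference, and B1 stays separate despite arriving two minutes after A1, because it belongs to another site.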

Create an alert correlation policy

  1. From All Clients, select a client.

  2. Go to Setup > Alerts > Alert Correlation and click Create New.

  3. From CREATE ALERT CORRELATION POLICY, enter a policy Name.

  4. Select the Client and Mode.

  5. In the Filter Criteria, toggle the Apply Filter Criteria button to ON.

  6. Choose ANY or ALL to specify rule-matching constraints.

  7. Select Native Attributes to filter resources based on pre-defined attributes.

  8. Select the rule conditions you want from the drop-down list, and enter the required values.

  9. Click the + symbol to add more rules.

  10. In the Policy Definition section, enter the Inference subject. You can use alert and resource tokens to build the subject. If no subject is entered, the subject of the first alert in the group is used as the inference subject.

  11. Select either Alert sequence recommended by the machine learning model or Within time window to choose how alerts are correlated over time.

    • Alert sequence recommended by the machine learning model lets you upload a .CSV file to configure the topology.
    • Within time window lets you select the time window from the drop-down list.

  12. Optionally, click +Add Similarity Rule, select the attribute, and specify the matching condition from the drop-down list.

Edit an alert correlation policy

  1. Select a client from the All Clients list.
  2. Go to Setup > Alerts > Alert Correlation.
  3. From the ALERT CORRELATION POLICIES page, select the policy you want to edit.
  4. Click Edit and modify the policy details.
  5. Click Save.

Change an alert correlation policy state

  1. Select a client from the All Clients list.

  2. Go to Setup > Alert Management > Alert Correlation. The Alert Correlation Policies list appears.

  3. For the policy you want to change, select the new mode from the Mode drop-down menu.

    The selected mode is displayed in the Mode column.

Delete an alert correlation policy

After you delete an alert correlation policy, newly ingested alerts that would have matched it are no longer correlated; inferences already created are not affected. Typical reasons to delete a policy:

  • The device or resource generating the alerts is no longer available.
  • You no longer want to correlate those alerts.

To delete the alert correlation policy:

  1. Select a client from the All Clients list.

  2. Go to Setup > Alert Management > Alert Correlation.

  3. From ALERT CORRELATION POLICIES LIST, select the policy by its name and click Delete.

  4. On the confirmation dialog, click Yes to delete.

    The selected alert correlation policy gets deleted.

Define correlation precedence

Precedence determines the order in which alert correlation policies are evaluated. For example, if VMware alerts match both an agent status alert correlation policy and a network outage alert correlation policy, precedence decides which policy runs first to correlate those VMware alerts.

  1. Select a client from the All Clients list.
  2. Go to Setup > Alerts > Alert Correlation.
  3. Drag the policy to the appropriate row to adjust the order. The number in the Precedence column changes accordingly.

View alert sequences

Alert Sequence Clusters help you visualize the alert sequences detected in your environment. You can view sequences detected from the existing alert data, and sequences related to a particular inference.

These sequences are taken unmodified from the existing alert data.

Similar alert sequences are grouped, and each sequence shows a count of how many times alerts were triggered in that sequence.

The alert sequence clusters window serves as a verification of ML correlation. For example, if ML correlates alerts _cpu.utilization_ and _system.ping_, you can use the Alert Sequence Clusters window to find the sequences that have both _cpu.utilization_ and _system.ping_.

View alert sequences detected from existing alert data

  1. Select a client from the All Clients list.
  2. Go to Setup > Alert Management > Alert Correlation.
  3. Click an ML-based alert correlation policy. You can identify ML-based policies by the ML Status column, which shows a status such as Training Started or Ready.
  4. From the Policy Definition field, click Detected alert sequence patterns in alert data. The Alert Sequence Clusters window appears.

View detected sequences of an inference

  1. From All Clients, select Alerts and click the required inference name.
  2. Click the Correlated Alerts tab.
  3. From the list of correlated alerts, click Show detected alert sequence patterns. The Alert Sequence Clusters window appears.