An alert correlation policy groups similar alerts into a single inference, reducing the load of processing many individual alerts.

Alert correlation is site-specific: alerts from different sites are managed separately and are not correlated with each other.

  • OpsQ View and OpsQ Manage permissions are required to access alert correlation policies.
  • Partner Administrator or Client Administrator roles are required to create an alert correlation policy.

The maximum time gap between adjacent alerts is 5 minutes: an alert is correlated only if it occurs within 5 minutes of the previous alert.

If alerts keep arriving at intervals of under 5 minutes, the overall duration of a correlation can be much longer than 5 minutes. Consider these example alerts:

  • A1: 10:00
  • A2: 10:04
  • A3: 10:07
  • A4: 10:14

A1, A2, and A3 are correlated, because the gap between each pair of adjacent alerts is less than 5 minutes. A4 is excluded because the gap between A3 and A4 is more than 5 minutes. In this example, the overall correlation time is 7 minutes (10:00 to 10:07).
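The chaining rule above, as an added example that is not part of the original documentation: alerts are grouped per site, and an alert joins the open inference only if it falls within 5 minutes of that inference's most recent alert. The tuple layout and the site field are assumptions for this illustration, and the sample alerts are constructed (A1 to A4 match the example above; B1 is added to show that a different site is never correlated with site-1).

```python
from datetime import datetime, timedelta

# Maximum gap between adjacent alerts for them to land in the same inference.
MAX_GAP = timedelta(minutes=5)

# Constructed sample alerts: (alert id, site, HH:MM). The site field and the
# tuple layout are assumptions for this example, not the product's schema.
SAMPLE_ALERTS = [
    ("A1", "site-1", "10:00"),
    ("A2", "site-1", "10:04"),
    ("A3", "site-1", "10:07"),
    ("A4", "site-1", "10:14"),
    ("B1", "site-2", "10:05"),  # close in time to A2, but a different site
]

def parse_time(hhmm):
    # Parse an HH:MM string into a datetime; the date part is irrelevant here.
    return datetime.strptime(hhmm, "%H:%M")

def correlate(alerts, max_gap=MAX_GAP):
    """Chain alerts into inferences, separately for each site.

    An alert joins the open inference for its site when it arrives within
    max_gap of that inference's most recent alert; otherwise it opens a new
    inference. Returns {site: [{"ids": [...], "first": dt, "last": dt}, ...]}.
    A gap of exactly max_gap is treated as within the window (an assumption;
    the page does not state how the boundary is handled).
    """
    by_site = {}
    for alert_id, site, hhmm in sorted(alerts, key=lambda a: (a[1], parse_time(a[2]))):
        t = parse_time(hhmm)
        groups = by_site.setdefault(site, [])
        if groups and t - groups[-1]["last"] <= max_gap:
            groups[-1]["ids"].append(alert_id)
            groups[-1]["last"] = t
        else:
            groups.append({"ids": [alert_id], "first": t, "last": t})
    return by_site

def span_minutes(group):
    """Overall correlation time of one inference, first alert to last."""
    return int((group["last"] - group["first"]).total_seconds() // 60)

if __name__ == "__main__":
    for site, groups in correlate(SAMPLE_ALERTS).items():
        for g in groups:
            print(site, g["ids"], f"{span_minutes(g)} min")
```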

Create an alert correlation policy

  1. From All Clients, select a client.

  2. Go to Setup > Alerts > Alert Correlation and click Create New.

  3. From CREATE ALERT CORRELATION POLICY, enter a policy Name.

  4. Select the Client and Mode.

  5. In the Filter Criteria, toggle the Apply Filter Criteria button to ON.

  6. Choose ANY or ALL to specify rule-matching constraints.

  7. Select Native Attributes to filter resources based on predefined attributes.

  8. Select the rule conditions you want from the drop-down list, entering values as needed.

  9. Click the + symbol to add more rules.

  10. In the Policy Definition section, enter the Inference subject. You can use alerts and resource tokens to configure the inference subject. If a subject is not entered, the subject of the first alert is the inference subject.

  11. Select either Alert sequence recommended by the machine learning model or Within time window to choose how alerts are correlated over time.

    • If you selected Alert sequence recommended by the machine learning model, you can upload a CSV file to configure topology.
    • If you selected the Within time window option, select the time from the drop-down list.

  12. Optionally, click +Add Similarity Rule, select the attribute, and specify the matching condition from the drop-down list.

Edit an alert correlation policy

  1. Select a client from the All Clients list.
  2. Go to Setup > Alerts > Alert Correlation. The ALERT CORRELATION POLICIES page is displayed.
  3. From the ALERT CORRELATION POLICIES page, click the required alert correlation policy name.
  4. Click Edit and configure the policy details.
  5. Click Save.

Change an alert correlation policy state

  1. Select a client from the All Clients list.
  2. Go to Setup > Alert Management > Alert Correlation. The Alert Correlation Policy page is displayed with the list of all Alert Correlation Policies created.
  3. From the Alert Correlation Policy page, select the mode from the Mode drop-down menu. The selected mode is displayed in the Mode column.

Delete an alert correlation policy

When an alert correlation policy is deleted, newly ingested alerts that would have matched it are no longer correlated. You typically delete an alert correlation policy in the following situations:

  • The device/resource generating the alerts is unavailable.
  • You do not want to correlate the alerts.

To delete the alert correlation policy:

  1. Select a client from the All Clients list.
  2. Go to Setup > Alert Management > Alert Correlation.
  3. From ALERT CORRELATION POLICIES LIST, select the checkbox next to the policy name and click Delete.
  4. From the confirmation pop-up, click Yes to delete. The selected alert correlation policy gets deleted.

Define correlation precedence

Precedence determines the order of execution for an alert correlation policy. For example, if VMware is part of an agent status alert correlation policy and a network outage alert correlation policy, you can determine which alert correlation policy should execute first to correlate VMware alerts.

To determine the precedence:

  1. From the All Clients list, select a client.
  2. Go to Setup > Alerts > Alert Correlation.
  3. Drag and place the inference in the appropriate row to adjust the order. The number in the alert correlation policy Precedence column changes accordingly.

View alert sequences

The Alert Sequence Clusters window helps you visualize the alert sequences detected in your environment. You can view the alert sequences detected from the existing alert data, as well as the sequences related to a particular inference.

These sequences are unmodified alert sequences fetched from the existing alert data.

Similar alert sequences are grouped, with a count for each sequence, so you can see both the sequences themselves and how many times alerts were triggered in that sequence.

The Alert Sequence Clusters window serves as a verification of ML correlation. For example, if ML correlates the alerts cpu.utilization and system.ping, you can use the Alert Sequence Clusters window to find the sequences that contain both cpu.utilization and system.ping.

View alert sequences detected from existing alert data

  1. Select a client from the All Clients list.
  2. Go to Setup > Alert Management > Alert Correlation.
  3. Click an ML-based alert correlation policy. An ML-based policy is easy to identify: its ML Status shows a status such as Training Started or Ready.
  4. From the Policy Definition field, click Detected alert sequence patterns in alert data.

Detected Sequences of an Inference

  1. From All Clients, select Alerts and click the required inference name.
  2. Click the Correlated Alerts tab.
  3. From the list of correlated alerts, click Show detected alert sequence patterns. The Alert Sequence Clusters window appears.