Alerts are correlated based on patterns specified in alert policies to create an inference with a unique ID. You can view the inference details from the Alerts page.
Go to Command Center > Alerts.
Inferences are indicated with a blue icon next to the alert subject. The subject also includes a count of the alerts correlated into the inference.
Click the ID of the inference to view the details.
The details page has the following tabs for viewing inference details:
- Alerts History
- Correlated Alerts
View processed inferences
To view the number of inferences associated with a policy:
Go to Setup > Alerts > Alert Correlation and select the required policy.
Select a client from the Select Client list.
Click the number in the Processed Inferences column to view the details of the inferences.
The list of processed inferences is displayed on the Alerts page.
Remove alerts from an inference
You can remove alerts from an inference. For example, if you do not want a particular alert to be correlated, remove it from the inference. The removed alert is then displayed in the alerts browser as an individual alert.
An inference must contain at least two correlated alerts. If an inference has only two correlated alerts, removing one of them dissolves the inference and both alerts become individual alerts.
Alerts can be removed from an inference either from the Correlated Alerts list on the Alerts page, or from the Correlated Alerts tab of the inference Details page.
Go to Command Center > Alerts.
On the Alerts page, click the number adjacent to the inference subject.
Select the required alert and click Remove.
Click Yes to the confirmation message.
The alert is removed from the inference. A comment is added to the Details tab of the inference.
Mark an alert as the RCA of an inference
When an inference contains many alerts, you can choose the single most important one as the primary alert and mark it as the Root Cause Alert (RCA) for the inference. This helps you identify the critical or warning alert among several alerts and take appropriate action.
Only one alert in an inference can be tagged as the RCA. Once an alert is tagged, the inference subject line changes accordingly. You also have the option to modify the subject of the alert you chose as the RCA. RCA tagging is supported only for correlated alerts.
To mark a correlated alert as the RCA of an inference:
- Go to Command Center > Alerts.
- On the Alerts page, click the number adjacent to the inference subject.
- Select the alert you want to mark as the RCA and click RCA.
- Update the subject line if you want to change it, then click Submit.
- The alert is submitted as the RCA for the inference. RCA alerts are shown in the list with a warning icon for easy identification.
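The lifecycle described in the two procedures above (alerts correlated into an inference with a unique ID and a count, removing an alert, the two-alert dissolution rule, and tagging a single RCA that renames the inference) can be modelled in a few lines. The following Python is an added example written for this page, not product code or its API. The correlation policy here is a hypothetical regex whose first capture group (the host name) keys the inference; the `INF-n` ID format, the sample alerts, and the treatment of an RCA subject update as renaming both the alert and the inference are all assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Alert:
    alert_id: str
    subject: str
    severity: str                      # e.g. "Critical" or "Warning"
    inference_id: Optional[str] = None  # None means the alert is individual
    is_rca: bool = False


@dataclass
class Inference:
    inference_id: str
    subject: str
    alert_ids: list = field(default_factory=list)
    rca_id: Optional[str] = None
    comments: list = field(default_factory=list)  # audit trail, as on the Details tab

    @property
    def correlated_count(self) -> int:
        return len(self.alert_ids)


class AlertStore:
    def __init__(self) -> None:
        self.alerts: dict[str, Alert] = {}
        self.inferences: dict[str, Inference] = {}
        self._next_inference = 1

    def add_alert(self, alert_id: str, subject: str, severity: str) -> None:
        self.alerts[alert_id] = Alert(alert_id, subject, severity)

    def correlate(self, pattern: str) -> list:
        """Assumed policy: uncorrelated alerts whose subject matches `pattern`
        are grouped by capture group 1; groups of two or more form an inference."""
        groups: dict[str, list] = {}
        for a in self.alerts.values():
            if a.inference_id is None:
                m = re.search(pattern, a.subject)
                if m:
                    groups.setdefault(m.group(1), []).append(a)
        created = []
        for key, members in groups.items():
            if len(members) < 2:
                continue  # a single matching alert stays individual
            inf_id = f"INF-{self._next_inference}"
            self._next_inference += 1
            inf = Inference(inf_id, f"Correlated alerts for {key}",
                            [a.alert_id for a in members])
            for a in members:
                a.inference_id = inf_id
            self.inferences[inf_id] = inf
            created.append(inf)
        return created

    def remove_from_inference(self, inference_id: str, alert_id: str) -> list:
        """Detach one alert; returns the IDs of all alerts that became individual."""
        inf = self.inferences[inference_id]
        if alert_id not in inf.alert_ids:
            raise KeyError(f"{alert_id} is not correlated in {inference_id}")
        freed = [alert_id]
        inf.alert_ids.remove(alert_id)
        inf.comments.append(f"Alert {alert_id} removed from inference")
        if inf.rca_id == alert_id:
            inf.rca_id = None
        if len(inf.alert_ids) == 1:
            # Two-alert edge case: the survivor becomes individual and the
            # inference dissolves, since an inference needs two correlated alerts.
            freed.append(inf.alert_ids.pop())
            del self.inferences[inference_id]
        for aid in freed:
            self.alerts[aid].inference_id = None
            self.alerts[aid].is_rca = False
        return freed

    def mark_rca(self, inference_id: str, alert_id: str,
                 subject: Optional[str] = None) -> Inference:
        """Tag exactly one correlated alert as the RCA; the inference takes its subject."""
        inf = self.inferences[inference_id]
        if alert_id not in inf.alert_ids:
            raise ValueError("only a correlated alert of this inference can be the RCA")
        if inf.rca_id is not None:
            self.alerts[inf.rca_id].is_rca = False  # only one RCA per inference
        rca = self.alerts[alert_id]
        if subject:
            rca.subject = subject  # optional subject override (assumed semantics)
        rca.is_rca = True
        inf.rca_id = alert_id
        inf.subject = rca.subject
        return inf

    def individual_alerts(self) -> list:
        return sorted(a.alert_id for a in self.alerts.values() if a.inference_id is None)


def build_sample_store() -> AlertStore:
    """Constructed sample alerts (not real data) for demonstration."""
    store = AlertStore()
    store.add_alert("A1", "CPU high on web-01", "Critical")
    store.add_alert("A2", "Memory high on web-01", "Warning")
    store.add_alert("A3", "Disk full on web-01", "Critical")
    store.add_alert("A4", "CPU high on db-01", "Warning")
    store.add_alert("A5", "Memory high on db-01", "Warning")
    store.add_alert("A6", "Ping failed on app-07", "Critical")
    return store


if __name__ == "__main__":
    s = build_sample_store()
    s.correlate(r"on (\S+)$")          # INF-1 (web-01, 3 alerts), INF-2 (db-01, 2 alerts)
    s.mark_rca("INF-1", "A3", subject="Root cause: disk full on web-01")
    print(s.remove_from_inference("INF-2", "A4"))  # both db-01 alerts become individual
```

Running the script correlates three `web-01` alerts and two `db-01` alerts while leaving the lone `app-07` alert individual; removing one alert from the two-alert `db-01` inference frees both, which is the edge case the text calls out.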
Create an inference stats widget to view inference statistics
The Inference Stats widget displays the statistics of inferences generated within a partner/client.
The widget displays the following information:
| Field | Description |
|---|---|
| Total Events | Total events generated. |
| Total Alerts | Total alerts created after ingestion. |
| Total Inferences | Total inferences generated. |
| Total Correlated Alerts | Total alerts correlated. |
| Volume Optimized | Percentage reduction in alert volume due to alert correlation. |
Go to Dashboards > Classic Dashboard.
Ensure you have the correct client selected.
Click Add Widget.
Click Continue to edit the dashboard.
From the OTHER PREDEFINED WIDGET section, click Inference Stats.
Configure the following parameters:
| Parameter | Description |
|---|---|
| Time Range | Filter for inferences triggered within a certain time span. |
| Refresh every | Frequency at which the statistics in the widget are refreshed. |
| Inference Stats | Statistics include enabled policies only. |
| Widget Title | Title for the widget on the dashboard. |
| Chart Style | Only one chart style is available for the Inference Stats widget. |
Click Save. The Inference Stats widget is created and displayed on the dashboard. The widget shows the total number of inferences and the total number of correlated alerts created from the enabled correlation policies; the volume optimization figure is likewise based only on inferences and correlated alerts from the enabled correlation policies.