An alert escalation policy defines the user settings that OpsRamp applies when escalating alerts.

After an alert is correlated, OpsRamp provides options to notify users about the alert and automatically create incident tickets. The goal of alert escalation is to notify users of critical alerts so that the alert is acknowledged by a user.

Escalation is useful if you follow an on-call process for alert response. In an on-call process, your IT staff does not watch a console for alerts. Instead, automated notifications are sent to designated staff on pre-defined shifts.

With escalation features, you can notify users using email, text, and voice messages, based on the following criteria:

  • User and alert type: Notify specific users based on the type of alert. For example, notify database administrators of alerts from database servers.
  • Shift schedule: Notify specific users based on when they are available. For example, notify the IT staff on the day shift of alerts that arrive between 8:00 AM - 5:00 PM, and notify the IT staff on the evening shift of alerts that arrive between 5:00 PM - 2:00 AM.
  • Chain of responsibility: Notify users up a chain of responsibility if alerts remain unacknowledged after notification. For example, notify shift managers of alerts that remain unacknowledged 30 minutes after the first notification was sent to level 1 staff.
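
The following added example (not OpsRamp code or configuration) models the shift-schedule and chain-of-responsibility criteria above, including a shift that crosses midnight and a check for hours that no shift covers. The roster names, the fallback recipient, and the assumption that the first notification goes out when the alert arrives are hypothetical.

```python
from datetime import datetime, time, timedelta

# Constructed roster using the shift hours from the text; recipient names are hypothetical.
SHIFTS = [
    {"start": time(8, 0), "end": time(17, 0),
     "level1": ["day-oncall"], "manager": ["day-shift-manager"]},
    {"start": time(17, 0), "end": time(2, 0),   # crosses midnight
     "level1": ["evening-oncall"], "manager": ["evening-shift-manager"]},
]
ESCALATE_AFTER = timedelta(minutes=30)  # unacknowledged time before managers are notified
FALLBACK = ["fallback-oncall"]          # hypothetical catch-all for uncovered hours

def in_shift(t, start, end):
    """True if clock time t falls in [start, end), including shifts that wrap past midnight."""
    return start <= t < end if start <= end else (t >= start or t < end)

def shift_for(ts):
    """Return the shift covering the alert's arrival time, or None if nobody is on call."""
    return next((s for s in SHIFTS if in_shift(ts.time(), s["start"], s["end"])), None)

def recipients(alert_time, now, acked_at=None):
    """Who to notify at `now`; assumes the first notification is sent at alert_time."""
    if acked_at is not None and acked_at <= now:
        return []                      # acknowledged: notifications stop
    shift = shift_for(alert_time)
    if shift is None:
        return FALLBACK                # alert arrived in a coverage gap
    if now - alert_time >= ESCALATE_AFTER:
        return shift["manager"]        # still unacknowledged: go up the chain
    return shift["level1"]

def coverage_gaps():
    """Scan the day minute by minute and return (start, end) ranges no shift covers."""
    gaps, gap_start = [], None
    for m in range(24 * 60):
        t = time(m // 60, m % 60)
        covered = any(in_shift(t, s["start"], s["end"]) for s in SHIFTS)
        if not covered and gap_start is None:
            gap_start = t
        elif covered and gap_start is not None:
            gaps.append((gap_start, t))
            gap_start = None
    if gap_start is not None:
        gaps.append((gap_start, time(0, 0)))   # gap runs to midnight
    return gaps

if __name__ == "__main__":
    raised = datetime(2024, 1, 1, 23, 50)      # constructed alert time
    print(recipients(raised, raised + timedelta(minutes=35)), coverage_gaps())
```

With the two shifts from the text, the gap check reports 2:00 AM to 8:00 AM as uncovered, which is the window where an alert would reach nobody unless a fallback recipient exists.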

Policy modes

The following policy modes are supported:

  • ON: The policy drives automated actions on alerts.
  • OFF: The policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes.
  • Recommend: The policy creates a recommendation for actions that you should take on the alert. Recommendations are based on OpsRamp learning from historical alerts. The recommendation includes a link to take the action.
  • Observed: This mode permits you to simulate a policy without affecting alerts. The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would have been taken on the original alert if the policy were in On mode. The observed alert includes a link to the original alert.

Recommend and Observed modes apply to incident actions.

User scope setting

This setting selects whether alerts are escalated to users within your organization’s account (partner) or users within a client account.

Resource scope setting

This setting selects resources for which alerts are escalated.

Define alert and resource conditions

You define the alert and resource conditions for the escalation policy. While most of the available properties are simple, Alert: Occurrence Frequency and Alert: No of Occurrence need an explanation.

Alert: Occurrence Frequency

For the configuration shown below, when an alert is created and resolved for the second time and onward in an eight-hour period, if the alert meets the criteria, the escalation policy is executed.

Alert: Occurrence Frequency

Alert: No of Occurrence

For the configuration shown below, when an alert is created and appended for the third time, if the alert meets the criteria, the escalation policy is executed.

Alert: No of Occurrence

Action setting

The action setting selects the following:

  • Whether the policy takes automated escalation actions or just shows which users should be contacted directly.
  • How long to wait before sending a notification or creating an incident.
  • Alert state transitions at which notifications are sent.
  • What priority is assigned to a notification.
  • At what frequency notifications are repeated.
  • When notification should stop.
  • To which users notifications are sent or to which users incidents are assigned.
  • Attributes and content of an auto-created incident. You can specify incident attributes or let OpsRamp automatically set attributes based on learning from historical alerts.
  • Whether to update an incident upon changes to the alert’s state.

Alert tokens

An alert token is a placeholder added to an alert that is escalated as an incident so that the incident includes the data the token represents. For example, if $alert.serviceName (Alert metric) is added to an incident after the alert is escalated as an incident, the incident includes the alert metric name.

Tokens are divided into three categories:

  • Alert: The Alert category is divided into alert-specific tokens and tokens for the alert's resource.
  • Policy: The Policy category consists of the Policy name token.
  • Functions: The Functions category consists of the Substring token.

A substring is the string between a reference start character and a reference end character. These reference pointers are delimiters: they specify the boundaries for identifying the appropriate string in a data stream. The startDelimiter indicates the beginning element in a character string, and the endDelimiter indicates the end element in a character string. The substring function token allows you to create a dynamic description for an incident.

For example, a user wants to extract the Site Account from the Alert Description and set the account number to the Account Id of the Incident record.

To extract the Account ID from the Alert Description, use the substring function, $function.substring(<String>,<startDelimiter>,<endDelimiter>), and enter the following values:

  • String = $alert.description
  • startDelimiter = AT SITE ACCOUNT NO=
  • endDelimiter does not need to be configured to indicate a natural end delimiter

$function.substring($alert.description,AT SITE ACCOUNT NO=,<endDelimiter>)

Example of configuring a substring

Next step

See Create Alert Escalation Policy.