Learning-based alert escalation is a method that automatically routes incidents to appropriate groups, priority, or category. The model requires a training file (in CSV format) that includes example incident assignments for different types of alerts.

Machine-learning is applied to learn patterns from the input training file and uses the learned pattern to drive learning-based alert escalation. The learned models are applied against the incoming alerts.

Configuring alert escalation is a manual configuration that requires incident information like incident assignee name, category, and priority as required fields.

Prerequisites

Before defining rules to escalate alerts as an incident, configure the name, scope, and resources for the alert escalation policy.

Step 1: Define name and scope

In this step, define the name, mode, and partner or client for the escalation policy.

  1. Ensure the partner you want to create an alert escalation policy is selected in the Partner list (upper-left corner).

  2. Go to Setup > Alerts > Alert Escalation.

  3. Click Create New or + Add, depending on whether you have any existing policies.

  4. Enter the Alert Escalation Name and Description.

  5. From the Mode list, select a policy mode.

    Policy ModeDescription
    ONThe policy drives automated actions on alerts.
    OFFThe policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes.
    RecommendThe policy creates a recommendation for actions that you should take on the alert. Recommendations are based on OpsRamp learning from historical alerts. The recommendation includes a link to take the action.
    ObservedThis mode permits you to simulate a policy without affecting alerts.
    The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would have been taken on the original alert if the policy were in On mode. The observed alert includes a link to the original alert.
    Recommend and Observed modes apply to incident actions.
  6. Select a client from the Select a Client list.

    If you are creating a learning-based escalation policy you must select a client because learning-based escalation policies are client-based policies.

  7. Click Next: Select Resources.

Step 2: Select Resources

In this step, select resources for the client.

  1. Select resources for the escalation policy.

    Add up to 100 resources.

  2. Click Next: Define Alert and Resource Conditions.

Step 3: Define alert and resource conditions

Filter the type of alerts which occur on the selected resources. If no conditions are defined in this section, all alerts on the selected resources will match this policy.

  1. Choose from Any or All of the following conditions to apply a filter for the alerts.

  2. Select Native Attributes or Custom Attributes depending on your requirement.

    Native Attributes are the predefined attributes and Custom Attributes are user-defined attributes. 1 Select the required attribute, logical operator, and enter the value. Click + to add multiple filter conditions.

  3. Click Next: Define Escalation Rules.

The alert property Client: Service Name is applicable only to the partner scope policy. As an example, to escalate alerts of a service named Windows Maintenance Support, add the condition Client: Service Name:

Define Alert and Resource Conditions

Step 4: Define escalation rules

In this step, the escalation rules define the escalation as an incident.

  1. Select one of the following options:
    • Escalate alert automatically until Acknowledged, Closed, Suppressed, or Ticketed
    • Escalate alert automatically until Acknowledged, Closed, or Suppressed
  2. In the Escalate as list, select Incident.
  3. Enable Continuous Learning with the toggle for machine learning to continuously learn patterns from alert data.
    • If continuous learning is enabled, machine learning models are continuously retrained on a weekly basis and are based on recent alert data (past three-month alert data).
    • The continuous learning complements user-provided training data, using training files. Patterns learned from user-provided training data and continuous learning are both incorporated into auto incident creation actions.
    • In the combined data set (recent alert data and user-provided training data), the user-provided training data is considered first followed by recent alert data.
  4. Specify the options For New Incident:
    For New Incident
    • Select Modify to modify the incident Subject or Description.
    • Enable machine-learning for attributes with the Learned configuration toggle to learn patterns from the training file. Machine-Learning can be applied to the following attributes:
      • Assignee Group
      • Category
      • Sub-Category
      • Priority
      • Cc
  5. Specify the options For Created Incident:
    For Created Incident
    • Enable Update Incident with the toggle to update the incident as the alert changes.
    • Select one of the following options:
      • Update incident with the latest alert description when alert state changes
      • Resolve incident when alert heals
    • Select Update incident priority based on these rules and define the rule.
    • Configue the notifications
  6. Click Import a Dataset and Train Model.

Step 5: Import datasets and apply a training model

Upload a training file. Only one training file can be uploaded per client.

See Alert Management Training File for more information.

  • You can also create multiple alert escalation policies by filtering specific alert and resource attributes in the Resources and Alert Condition tabs, but the machine-learning model is just one that simplifies the alert escalation configuration.
  • Changing the training file affects all learned policies of the client.
  • If a change is made on the training file, a user must delete the existing file and re-upload it in OpsRamp.
  • Alerts that are already escalated are NOT impacted by the changes.

To import the dataset and apply the training model:

  1. Click Drop the training data file here or browse to upload the training file.
  2. Select the file from your local folder. On uploading the file to OpsRamp, click Manage Data and Train Model.
  3. Select the Input and Output Columns for Model training.
    • Input columns are the columns specified in the training file.
    • Output columns are the learned configurations on which machine learning is enabled.
  4. Click Continue to Model Training. The accuracy of the trained alert escalation model is displayed in the Summary section.
  5. Click Train Model.
  6. Click Review.

Step 6: Review

Review and save the alert escalation policy.

  1. Click Review. A summary of all sections of the escalate alert policy is available for review and editing.
  2. Click Edit to edit any sections.
  3. Click Save.

View alert escalation policies

The alert escalation policy is created and is displayed on the Alert Escalation Policies page. ML indicates that policy is based on a machine-learning algorithm rather than a user-defined model.

  • If the ML icon is blue: Accuracy of trained alert escalation model is above 80% and the policy is used for alert escalation.
  • If the ML icon is red: Accuracy of trained alert escalation model is below 80%.
  • If the accuracy is below 80%, the policy is temporarily disabled until the accuracy of the model moves above 80% after the next training.
  • If a modal accuracy is low, OpsRamp creates an Incident using the default values mentioned in the escalation policy. For example, in a certain alert escalation policy, the default value provided for the field Priority is High and Continuous Learning is also enabled for the policy.
  • If the accuracy of the trained model is low, OpsRamp considers the default value for creating an Incident. In the above example, the value for Priority is considered High.