An alert correlation policy defines user settings (described below) that OpsRamp applies in correlating alerts.
The following policy modes are supported:
In this mode, the policy is inactive and has no effect on your alerts. You can use this mode to review a newly defined policy before switching to one of the other modes.
This mode allows you to simulate the effect of a policy without impacting your alerts. The policy creates an observed inference, which simulates the inference that the policy would have created if it were in On mode. The observed inference includes links to the alerts that would have been correlated into it.
In this mode, the policy takes automated actions on your alerts.
Filter criteria setting
This setting selects alerts to which the policy applies. This is for exceptional situations, where you have known alerts that must not be correlated with other alerts.
Inference subject setting
This is an optional setting. By default, an inference assumes the same subject as the alert with the earliest created date within the inference. You can specify a subject to override this default.
OpsRamp’s core correlation algorithm correlates alerts that occur together often, at around the same time. OpsRamp can learn such common alert sequences based on historical data.
The continuous learning option instructs OpsRamp to continuously update its learning models from recent data.
In addition to continuous learning, you can also train OpsRamp to correlate known alert sequences that you specify. You can provide these known sequences through the advanced option.
Note: You can provide training data using a training file.
OpsRamp can also correlate alerts that simply occur together in the same time window.
For example, correlate all alerts that occur within 5 minutes of each other.
You can specify this time window with the within time window setting.
OpsRamp applies additional criteria in making correlation decisions on learned, trained, and time-based sequences.
Alerts that occur at around the same time, and are from resources that are connected, are usually related to the same underlying cause. For example, a switch that fails will also cause a cascade of alerts on downstream servers and applications.
In deciding whether to correlate a sequence of alerts into an inference, OpsRamp applies a higher weight to sequences in which the associated resources are topologically related.
Alerts can be related to the same underlying cause if they:
- Occur at around the same time.
- Have attributes that are identical or similar.
For example, an application failure may generate multiple alerts that have a similar subject.
OpsRamp can incorporate attribute similarity criteria in correlating sequences.
You specify different similarity criteria with the alert similarity setting.
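The time-window and attribute-similarity criteria described above, together with the default inference subject, can be sketched as follows. This is an added illustration, not OpsRamp's implementation: the alert fields, the 0.7 similarity threshold, and the rule of comparing each alert to the earliest alert in an inference are assumptions, and learned sequences and topology weighting are not modeled.

```python
from datetime import datetime, timedelta
from difflib import SequenceMatcher

WINDOW = timedelta(minutes=5)  # the 5-minute window from the example above
MIN_SIMILARITY = 0.7           # assumed threshold, not an OpsRamp default

def _t(hms):
    return datetime.fromisoformat(f"2024-01-01T{hms}")

# Constructed sample alerts, deliberately out of chronological order.
ALERTS = [
    {"created": _t("10:03:10"), "subject": "CPU utilization high on app-03"},
    {"created": _t("10:00:00"), "subject": "CPU utilization high on app-01"},
    {"created": _t("10:02:00"), "subject": "Disk latency warning on db-01"},
    {"created": _t("10:12:00"), "subject": "CPU utilization high on app-01"},
    {"created": _t("10:01:30"), "subject": "CPU utilization high on app-02"},
]

def similar(a, b, threshold=MIN_SIMILARITY):
    """Attribute similarity on the subject, using a plain string ratio."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def correlate(alerts, window=WINDOW, subject_override=None):
    """Group alerts into inferences by time window and subject similarity."""
    inferences = []
    for alert in sorted(alerts, key=lambda a: a["created"]):
        for inf in inferences:
            first = inf["alerts"][0]  # earliest alert in this inference
            if (alert["created"] - first["created"] <= window
                    and similar(alert["subject"], first["subject"])):
                inf["alerts"].append(alert)
                break
        else:
            # A new inference takes the subject of its earliest alert
            # unless an explicit inference subject is configured.
            inferences.append({
                "subject": subject_override or alert["subject"],
                "alerts": [alert],
            })
    return inferences

if __name__ == "__main__":
    for inf in correlate(ALERTS):
        print(inf["subject"], "<-", len(inf["alerts"]), "alert(s)")
```

The three CPU alerts inside the window fold into one inference, the dissimilar disk alert stays separate, and the CPU alert at 10:12 falls outside the window and starts a new inference.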