An alert correlation policy is a mechanism for grouping similar alerts into a single inference, which reduces the load of processing many individual alerts.

Alert correlation is site-specific. Alerts from different sites need to be managed separately and so, are not correlated.

  • OpsQ View and OpsQ Manage permissions are required to access alert correlation policies.
  • Partner Administrator or Client Administrator roles are required to create an alert correlation policy.

The maximum time gap between adjacent alerts is five minutes. Only alerts that occur within five minutes of the previous alert in the group are correlated.

If alerts are continuously generated every five minutes, the overall time of a correlation can be much longer than five minutes. Take these example alert correlations:

  • A1: 10:00
  • A2: 10:04
  • A3: 10:07
  • A4: 10:14

A1, A2, A3 are correlated, as the gap between adjacent alerts is less than five minutes. A4 is excluded because the gap between A4 and A3 is more than five minutes. In this example, the overall correlation time is 7 minutes.
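The chaining rule above, carried through in Python as an added example (not the product's own code). The alert tuples and site names are constructed; treating a gap of exactly five minutes as still within the interval is an assumption of the example.

```python
from datetime import datetime, timedelta

# Maximum gap between adjacent alerts for them to join the same inference.
# The page states five minutes; an exact five-minute gap counting as "within" is assumed here.
MAX_GAP = timedelta(minutes=5)

def correlate(alerts, max_gap=MAX_GAP):
    """Chain alerts into correlation groups, separately for each site.

    alerts: iterable of (alert_id, site, datetime). An alert joins the open group of its
    site when it arrives within max_gap of that group's LAST alert; otherwise it starts a
    new group. Because the test is against the previous alert rather than the first, a
    group's total span can exceed max_gap. Returns the groups in order of creation.
    """
    groups = []
    open_group = {}  # site -> (index into groups, timestamp of last alert)
    for alert_id, site, ts in sorted(alerts, key=lambda a: a[2]):
        current = open_group.get(site)
        if current is not None and ts - current[1] <= max_gap:
            idx = current[0]
            groups[idx].append((alert_id, site, ts))
        else:
            groups.append([(alert_id, site, ts)])
            idx = len(groups) - 1
        open_group[site] = (idx, ts)
    return groups

def span_minutes(group):
    """Overall correlation time of a group, first alert to last, in whole minutes."""
    times = [ts for _, _, ts in group]
    return int((max(times) - min(times)).total_seconds() // 60)

def _t(hhmm):
    return datetime(2024, 1, 1, *map(int, hhmm.split(":")))

# Constructed sample: the page's A1..A4 on one site, plus B1 on a second site that
# falls inside A1's window but must not be correlated with it (correlation is site-specific).
SAMPLE_ALERTS = [
    ("A1", "site-1", _t("10:00")),
    ("A2", "site-1", _t("10:04")),
    ("A3", "site-1", _t("10:07")),
    ("A4", "site-1", _t("10:14")),
    ("B1", "site-2", _t("10:01")),
]

if __name__ == "__main__":
    for group in correlate(SAMPLE_ALERTS):
        print(group[0][1], [a[0] for a in group], span_minutes(group), "min")
```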

Create an alert correlation policy

  1. Go to Setup > Alerts > Alert Correlation.

  2. If this is a partner-level policy, do not select a client.

  3. If this is a client-level policy, select a client in the Select Client list.

  4. Click Create New or + Add, depending on whether you have any existing policies.

  5. On the Alert Correlation Policy page, enter a policy Name.

  6. Ensure you have the correct Policy Scope selected.

  7. Ensure you have the correct Client selected for a client-level policy or select Include All Clients or Include Clients for a partner-level policy.

    If you selected Include Clients, click Add Clients to add clients to the partner-level policy.

  8. In the Mode list, select a policy mode.

    ON: The policy drives automated actions on alerts.

    OFF: The policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes.

    Recommend: The policy creates a recommendation for actions that you should take on the alert. Recommendations are based on learned patterns in historical alerts. The recommendation includes a link to take the action.

    Observed: This mode permits you to simulate a policy without affecting alerts. The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would be taken on the original alert if the policy were in ON mode. The observed alert includes a link to the original alert.

    Recommend and Observed modes apply to incident actions.

  9. In the Filter Criteria, toggle the Apply Filter Criteria button to ON.

  10. Choose ANY or ALL to specify rule-matching constraints.

  11. Select Native Attributes to filter resources based on pre-defined attributes.

  12. Select the rule conditions you want from the list, and enter the required values.

    Not Contains: Filters only the alerts that do not contain the input string provided in the field.

    Not Equals: Filters only the alerts that are not equal to the input provided in the field.

    Not Contains/Not Equals: If the selected property is not present in the alert, the alert is considered a match.

    Example: Property value is “ABC”, with the Not Contains condition.

    Resource “A” belongs to two resource groups, ABCDEF and XYZ. ABCDEF contains ABC, so there is No Match.
    Resource “B” belongs to resource group PQRS, which does not contain ABC. There is a Match.
    Resource “C” belongs to no resource group, so the property is absent. There is a Match.

  13. Click the + symbol to add more rules.

  14. In the Policy Definition section, enter the Inference subject. You can use alert and resource tokens to configure the inference subject. If no subject is entered, the subject of the first alert is used as the inference subject.

  15. Select Alert sequence recommended by the machine learning model or Within time window for how you want to correlate using time.

    • Use Alert sequence recommended by the machine learning model to upload a .CSV file to configure topology.
    • Use Within time window to select the time from the list.

  16. Optionally, click + Add Similarity Rule and select the attribute, and specify the matching condition from the list.

Edit an alert correlation policy

Your ability to edit a correlation policy depends on the client you have selected.

  • If you do not have a client selected, you can edit partner-level policies.
  • If you have a client selected, you can edit client-level policies for the selected client.

  1. Go to Setup > Alerts > Alert Correlation.
  2. For client-level policies, select a client in the Select Client list.
  3. On the Alert Correlation Policy page, select the policy you want to edit.
  4. Click Edit and change the policy details.
  5. Click Save.

Change an alert correlation policy mode

You can change the mode of the correlation policy on the Alert Correlation Policy page.

  1. Go to Setup > Alerts > Alert Correlation.

    The Alert Correlation Policy page is context-sensitive to the client or partner selected.

  2. On the Alert Correlation Policy page, select the mode in the Mode list.

    The selected mode is displayed in the Mode column.

Delete an alert correlation policy

Your ability to delete a correlation policy depends on the client you have selected.

  • If you do not have a client selected, you can delete partner-level policies.
  • If you have a client selected, you can delete client-level policies for the selected client.

After you delete an alert correlation policy, newly ingested alerts that match the deleted policy are no longer correlated. Alert correlation policies are typically deleted in the following situations:

  • The device/resource generating the alerts is unavailable.
  • You do not want to correlate the alerts.

To delete the alert correlation policy:

  1. Go to Setup > Alerts > Alert Correlation.

  2. For client-level policies, select a client in the Select Client list.

  3. On the Alert Correlation Policy page, select the checkbox next to one or more of the policies and click Remove.

  4. On the confirmation dialog, click Yes to delete.

    The selected alert correlation policy gets deleted.

Define correlation precedence

Precedence determines the order of execution for an alert correlation policy. For example, if VMware is part of an agent status alert correlation policy and a network outage alert correlation policy, you can determine which alert correlation policy should execute first to correlate VMware alerts.

  1. Go to Setup > Alerts > Alert Correlation.
  2. Select a client in the Select Client list.
  3. Drag and place the inference in the appropriate row to adjust the order. The number in the alert correlation policy Precedence column changes accordingly.

View alert sequences

Alert Sequence Clusters help you to visualize the detected alert sequences in your environment. You can view the alert sequences detected from the existing alert data and sequences related to an inference.

These sequences are unmodified alert sequences fetched from the existing alert data.

Similar alert sequences are grouped, and a count is shown for each sequence, to help you visualize the alert sequences and the number of times alerts were triggered in that sequence.

The alert sequence clusters window serves as a verification of ML correlation. For example, if ML correlates alerts _cpu.utilization_ and _system.ping_, you can use the Alert Sequence Clusters window to find the sequences that have both _cpu.utilization_ and _system.ping_.

View alert sequences detected from existing alert data

  1. Go to Setup > Alerts > Alert Correlation.
  2. Select a client in the Select Client list.
  3. Click an ML-based alert correlation policy. You can identify an ML-based policy by its ML Status, which shows a status such as Training Started or Ready.
  4. In the Policy Definition field, click Detected alert sequence patterns in alert data.

View alert sequences related to an inference

  1. Go to Command Center > Alerts and click the inference alert ID.

  2. Click the Correlated Alerts tab.

  3. In the list of correlated alerts, click Show detected alert sequence patterns.

    The Alert Sequence Clusters window is displayed, showing the detected sequences of the inference.