View inferences

Alerts are correlated based on patterns specified in alert policies to create an inference with a unique ID. You can view the inference details from the Alerts page.

  1. Go to Command Center > Alerts.

    Inferences are indicated with a blue icon next to the alert subject:

    Inference Stats Widget

    The subject also includes a count of correlated alerts for the inference:

    Inference Stats Widget

  2. Click the ID of the inference to view the details.

    The details page has the following tabs for viewing inference details:

    • Details
    • Alerts History
    • Correlated Alerts
    • Incidents

View processed inferences

To view the number of inferences associated with a policy:

  1. Go to Setup > Alerts > Alert Correlation and select the required policy.

  2. Select a client from the Select Client list.

  3. Click the number in the Processed Inferences column to view the details of the inferences.

    Number of Processed Inferences

    The list of processed inferences is displayed on the Alerts page.

    List of processed inferences

Remove alerts from an inference

You can remove alerts from an inference. For example, if you do not want an alert to be correlated, you can remove an alert from the inference. The removed alert then is displayed on the alerts browser as an individual alert.

If an inference has two correlated alerts, removing one correlated alert makes both alerts individual alerts.

Alerts can be removed from an inference on the list of Correlated Alerts from the Alerts window, or on the Correlated Alerts tab of the alert Details page.

  1. Go to Command Center > Alerts.

  2. On the Alerts page, click the number adjacent to the inference subject.

    View Correlated Alerts

  3. Select the required alert and click Remove.

    Delete Correlated Alerts

  4. Click Yes to the confirmation message.

    The alert is removed from the inference. A comment is added to the Details tab of the inference.

    Alert Removed from an Inference

Make alert as RCA from an inference

If we have numerous alerts under inference and need to choose one crucial alert as the primary alert from the list and perform a root cause analysis for this inference, we use the term RCA (Root Cause Alert). This will help you in identifying the critical or warning alerts from a list of several alerts and take appropriate action.

Users can only select one alert from the list to be tagged as an RCA, and once you’ve done so, the inference subject line changes as well. You also have the option of modify the subject of the chosen alert that you chose as RCA. This is only supporting for correlated alerts type.

To make the correlated alert as RCA from inference, follow the steps below:

  1. Go to Command Center > Alerts.
  2. On the Alerts page, click the number adjacent to the inference subject.
Alert Removed from an Inference
  1. Select the required alert which you want to make RCA and then click on RCA.
Alert Removed from an Inference
  1. Click the Submit button. Update the subject line from here if you wish to change it.
  2. From the inference, the alert is submitted as RCA. The RCA alerts can be seen in a list with a warning icon for an easy identification.
Alert Removed from an Inference

Create an inference stats widget to view inference statistics

The Inference Stats widget displays the statistics of inferences generated within a partner/client.

The widget displays the following information:

StatisticDescription
Total EventsTotal events generated.
Total AlertsTotal alerts created after ingestion.
Total InferencesTotal inferences generated.
Total Correlated AlertsTotal alerts correlated.
Volume OptimizedPercentage of reduction in alerts volume due to alert correlation.

  1. Go to Dashboards > Classic Dashboard.

  2. Ensure you have the correct client selected.

  3. Click Add Widget.

  4. Click Continue to edit the dashboard.

  5. From the OTHER PREDEFINED WIDGET section, click Inference Stats.

  6. Configure the following parameters:

    ParameterDescription
    Time RangeSelect the filter for inferences triggered within a certain time span.
    Refresh everySelect the frequency for refreshing the statistics in the widget.
    Inference StatsThe inference stats will include Enabled policies only.
    Widget TitleEnter a title for the widget on the dashboard.
    Chart StyleThere is only one chart style available for the inference stats widget.

  7. Click Save. Inference Stats widget is created and is displayed on the Dashboard.

    Inference Stats Widget
    The total number of inferences and the total number of correlated alerts created from the enabled correlation policies appear in the widget. The volume optimization is based on inferences and correlated alerts created from the enabled correlation policies.