A first response policy permits you to auto-suppress alerts as a first response for non-significant alerts.
You must have OpsQ View and OpsQ Manage permissions to manage first response and alert escalation policies.
A training file is required to suppress or snooze specific alerts. The training file includes examples of alerts to be suppressed. See Alert Management Training File for more information.
Step 1: Define policy name, scope, and mode
Go to Setup > Alerts > First Response.
Specify Client Select but do not select a client.
Click Create New or + Add, depending on whether you have any existing policies.
Enter a Name for the policy.
Verify that the Policy Scope is PARTNER.
For Client, choose Include All Clients or Include Clients.
If you selected Include Clients, click Add Clients and select the clients to include.
From the Mode list, select a policy mode.
Policy modes:
- ON: The policy drives automated actions on alerts.
- OFF: The policy is inactive and does not affect alerts. You can use this mode to review a newly defined policy before choosing one of the other modes.
- Recommend: The policy creates a recommendation for actions that you should take on the alert. Recommendations are based on learned patterns in historical alerts. The recommendation includes a link to take the action.
- Observed: This mode permits you to simulate a policy without affecting alerts. The policy creates an observed alert, which simulates the original alert. The observed alert shows the actions that would be taken on the original alert if the policy were in ON mode. The observed alert includes a link to the original alert.
Recommend and Observed modes apply to incident actions.
Step 2: Select filter criteria
Select Filter Criteria.
Choose whether Any or All of the defined conditions must match for the filter to apply to an alert.
Select one of the following attribute types:
- Native Attributes are the predefined attributes.
- Resource Custom Attributes are user-defined attributes.
Select the required attribute, logical operator, and enter the value.
Not Contains: Filters only the alerts that do not contain the input string provided in the field.
Not Equals: Filters only the alerts that are not equal to the input provided in the field.
Not Contains/Not Equals: If the selected property is absent from the alert, the condition is treated as a match.
Example: Property value is “ABC”.
Resource “A” belongs to two resource groups: ABCDEF and XYZ. In this case, there is no match.
Resource “B” belongs to resource group PQRS. There is a match.
Resource “C” belongs to no resource group. There is a match.
Click + to add multiple filter conditions.
The continuous learning option is only available for client-level policies.
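The following added example (not OpsRamp code) models the Not Contains example from Step 2 so that a filter can be checked against sample alerts before the policy is enabled. The alert layout, the property names `resourceGroup` and `alertType`, and the handling of multi-valued properties under Not Equals are assumptions.

```python
# Added example: a model of the Step 2 negative-operator rules, not OpsRamp code.
# The alert layout and the "resourceGroup"/"alertType" names are assumptions.

def values_of(alert, prop):
    """Return the property's values as a list; an absent property gives []."""
    value = alert.get(prop)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]

def condition_matches(alert, prop, op, text):
    vals = values_of(alert, prop)
    if op == "Not Contains":
        # No value may contain the string; an empty list (absent) matches.
        return all(text not in v for v in vals)
    if op == "Not Equals":
        # Assumption: multi-valued properties are handled like Not Contains.
        return all(text != v for v in vals)
    raise ValueError("unsupported operator: " + op)

def policy_matches(alert, conditions, combine="All"):
    """Combine conditions with Any or All, as chosen in the filter criteria."""
    hits = [condition_matches(alert, *c) for c in conditions]
    return all(hits) if combine == "All" else any(hits)

def matched_by_absence(alert, conditions):
    """Properties whose condition matched only because the alert lacks them."""
    return [p for p, op, t in conditions
            if not values_of(alert, p) and condition_matches(alert, p, op, t)]

# Constructed sample alerts mirroring resources A, B and C in the example above.
ALERTS = {
    "A": {"resourceGroup": ["ABCDEF", "XYZ"], "alertType": "Monitoring"},
    "B": {"resourceGroup": ["PQRS"], "alertType": "Monitoring"},
    "C": {"alertType": "Monitoring"},  # belongs to no resource group
}
RULE = [("resourceGroup", "Not Contains", "ABC")]

def evaluate():
    return {name: (policy_matches(a, RULE), matched_by_absence(a, RULE))
            for name, a in ALERTS.items()}

if __name__ == "__main__":
    for name, (hit, absent) in evaluate().items():
        print(name, "Match" if hit else "No Match", "absent:", absent)
```

Resource C matches only because it lacks the property, so a negative condition in a Suppress Always policy also covers alerts from resources that were never assigned the attribute; Observed mode shows this before the policy is set to ON.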
Step 3: Suppress Alerts
Select the first response suppression setting.
Select the Suppress Alerts value:
- Do Not Suppress
- Suppress Always
- Suppress for (minutes or hours)
The First Response Policies page shows the newly created First Response policy. Click Number of suppressions to view more detailed information.
Note that if the alert payload has a source time that is older than the suppression time, the First Response recommendation or suppression is not applied.
Suppress Alerts by Time
The Roster custom attribute lets the actions in the policy definition (suppress, snooze, or run a process automation) execute only when the roster is Active or Inactive.
The Roster filter condition is supported for both Partner and Client level policies. A client-level First Response policy accepts only client-specific rosters, and a partner-level First Response policy accepts only partner-specific rosters.
To select the Roster custom attribute:
- Select Filter Criteria.
- Select Roster from the Native Attributes drop-down.
- Select Active or Inactive.
- Click Save. Alerts that occur during the date and time configured in the selected roster are suppressed.