Assign a runbook to alerts

Assign a runbook to alerts for easier automated resolution.

Important: in runbook policies, the actions from every matching condition set are executed. Policies are triggered upon alert creation only.

About this task

In this example, you want to have a runbook take action when you receive alerts warning that your disk space is filling up. The runbook could delete the contents of the /tmp directory to free up space. You can create a policy to use this runbook every time alerts warn of your disk space becoming full.

Note: This example assumes you have a runbook that is called Clear tmp directories. For information about setting up runbooks, see Runbooks.

Example

  1. Click the navigation icon at the upper-left corner of the screen to go to the main navigation menu.

  2. In the main navigation menu, click Operate > Automations.

  3. Click Create policy.

  4. Click the Assign a runbook to alerts tile.

  5. Enter a name in Policy name, for example, "Clear tmp directories". You can also add an explanation of the policy in Description to help you and others understand the purpose of the policy, for example, "Policy to assign a runbook to alerts that indicate that disk is full due to /tmp filling up".

  6. Set the Execution order to 50.

  7. Define how the policy is triggered to assign a runbook to alerts. Once triggered, it will look for alerts that match the conditions you specify in order to take action. The policy triggers are when an alert is created, updated, or both. Updated means the alert state changes. For example, if an alert changes from Severity 1 to Severity 5. In this example, select An alert is created.

  8. Define the following conditions for alerts that will assign a runbook to alerts:

    1. Click Add condition and select Alert property.
    2. From the Property drop-down list, select alert.type.classification. You can type "class" and the system will show in the property drop-down list all alert properties that contain the text "class", which in this case is only alert.type.classification. From the Operator drop-down list, select equal to. From the Matches drop-down list, select only. In the Values field, enter Disk Full and select String:Disk Full.
    3. Click Add alert property condition.
    4. From the Property drop-down list, select alert.severity. From the Operator drop-down list, select greater or equal. From the Matches drop-down list, select only. In the Values field, select 5-Major.
    5. Click Add alert property condition.
    6. For the third condition, select summary from the Property drop-down list. From the Operator drop-down list, select contains. From the Matches drop-down list, select only. In the Values field, enter /tmp and select String:/tmp.

  9. In Assign Runbook(s), select one or more runbooks from the list to assign. In this example, select the Clear tmp directories runbook.

  10. Review the list of parameters that are required for each runbook selected. You must decide how the values of the runbook parameters are filled by creating a parameter mapping. Select from the following mapping options:

    • Choose from alert: Select the name of an alert field from the tree view, its value will be passed to the runbook parameter. For string variable type parameters only, you can select alert.details as the alert property. The Details name field is an optional input where you can minimize the scope to a singular key within the alert's details. For example, if you enter specificKey in the Details name field, it is understood as alert.details.specificKey. You must enter a string value that matches a key from an alert's details.

      Note: For runbook parameters you can send only specific alert details by name and not the entire alert.details object. You must enter a string value in the Details name field.

      Important: The parameter Type is displayed on the UI. If this option is selected, you should select alert fields that contain matching types of data. For example, strings vs integers.

    • Enter static value: A fixed value for the parameter at runtime.

    • Choose at runtime: After launching the runbook from the incident page, if this option is selected, you must provide a value at runbook execution time. Sometimes the default value as set in the runbook is prefilled for the parameter, in this case just edit the value at execution time.

    • Use default parameter value: If the runbook defines a default value for this parameter, you can use that value. This option is grayed out if no default was set in the runbook.

For this example, select Use default parameter value.

Example runbook policy

Suppression policy
Figure. Supression policy

  1. Click Create policy.

New and updated policies can take up to 2 minutes to take effect.

Note: If more than one runbook policy is triggered for the same alert and the same runbook is assigned, the policy parameter selections from the last matching condition set or policy are passed to the runbook.