Group alerts based on scope

Group alerts based on common properties and time of occurrence to identify when issues might be related. When related alerts are grouped based on their scope, you can view the details in the Alert Viewer.

For example, a scope-based grouping policy might be to group events together that occur at the same physical geographical location within a 5 minute window. The scope can be any attribute that makes sense in the context of the correlation: the same application group, business unit, or physical building.

Note: There can be multiple scope-based policies each with different time windows.

IBM Cloud Pak for AIOps includes two scope-based grouping policies:

  • Group alerts that have the same resource name (host name), and use a 15 min rolling window (default).
  • Group alerts that come from a Netcool environment where the ScopeID field is set, based on its value, and use a 900 second rolling window.

The default scope-based policy in Cloud Pak for AIOps is a correlation on alert.resource.name constrained by a rolling window of 15 minutes. By using this template, you can override the default scope-based groupings.

Note: Alerts in Cloud Pak for AIOps can have multiple scopes and be members of more than one scope-based group at once. If groups have common events, these groups are automatically merged in Cloud Pak for AIOps into super groups.

About this task

In this example, you want to scope alerts by their cluster name and by their location.

Example

  1. Click the navigation icon at the upper-left corner of the screen to go to the main navigation menu.

  2. In the main navigation menu, click Operate > Automations.

  3. Click Create policy.

  4. Click the Group alerts based on scope tile.

  5. Enter a name in Policy name, for example, the name can be "Sales region 2 scope policy". You can also add an explanation of the policy in Description to help you and others understand the purpose of the policy, for example, "Scope alerts from the sales region 2 cluster by location".

  6. Set the Execution order to higher.

  7. Define the following conditions for alerts that will activate scope-based alert grouping, based on the ScopeID that is specified:

    1. Click Add condition and select Alert property.
    2. From the Property drop-down list, select alert.resource.cluster. You can type "cluster" to filter the Property drop-down list to the alert properties that contain the text "cluster"; in this case there are two.
    3. From the Operator drop-down list, select equal to. From the Matches drop-down list, select only.
    4. In the Values field, enter SALES.REGION2.CLUSTER and select String:SALES.REGION2.CLUSTER.
  8. Add alert properties, strings, or both to create the ScopeID for this group. These properties define the scope for how the alerts are grouped. If alert.details is selected in the property field, a secondary input box is displayed underneath. The Details name field is an optional input where you can minimize the scope to a singular key within the alert's details. For example, if you enter specificKey in the Details name field, it is understood as alert.details.specificKey. You must enter a string value that matches a key from an alert's details.

    Note: For ScopeID you can send only specific alert details by name and not the entire alert.details object. You must enter a string value in the Details name field.

    In this example, the two alert fields in ScopeID are separated with string ":". This will group all alerts from the cluster (SALES.REGION2.CLUSTER), but sub-divide them based on their locations (for example, Dallas, New York).

    Tip: To reorder the ScopeID fields, click the Draggable icon within a 'Value of' or 'String' field and move it to the desired location in the ScopeID field.

    For this example specify the following ScopeID:

    1. Click anywhere in the properties field and select alert.resource.cluster (or type "cluster" and select it from the options displayed).
    2. In the same field, enter a colon ":" and select String::.
    3. Finally, click in the field again and select alert.resource.location (or type "location" and select it from the options displayed).

    Figure. Example scope-based policy

  9. Specify a Time window (in seconds) to group alerts that match the scope. The minimum value is 10 seconds. The recommended maximum is 3600 seconds (1 hour).

    Select the time window Type:

    • Rolling: The time window value is the threshold number of seconds that need to pass with no further alerts, after which the system stops including alerts in the group.
    • Fixed: The time window value is a set amount of time during which incoming alerts are included in the group.

    Figure. Time window for scope-based policy

  10. Click Create policy.
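The ScopeID composition in step 8 and the Rolling versus Fixed window types in step 9 are easier to reason about when you can run them over a handful of alerts. The following is an added example, not code from Cloud Pak for AIOps: it models the policy above (condition alert.resource.cluster equal to SALES.REGION2.CLUSTER; ScopeID alert.resource.cluster ":" alert.resource.location) over constructed sample alerts and shows how the two window types split the same alert stream differently. The alert dictionaries, the `build_scope_id`, `group_alerts` and `get_property` helpers, and the choice to skip alerts that lack a scope property are assumptions of this example, not the product's internal behaviour.

```python
"""Scope-based grouping with rolling vs fixed time windows (added example)."""
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample alerts. Keys mirror the dotted alert properties used in the
# policy editor (alert.resource.cluster, alert.resource.location, alert.details).
# "ts" is the occurrence time in seconds.
SAMPLE_ALERTS: List[Dict[str, Any]] = [
    {"id": "a1", "ts": 0,   "resource": {"cluster": "SALES.REGION2.CLUSTER", "location": "Dallas"},   "details": {"service": "checkout"}},
    {"id": "a6", "ts": 10,  "resource": {"cluster": "OTHER.CLUSTER",         "location": "Dallas"},   "details": {}},
    {"id": "a2", "ts": 20,  "resource": {"cluster": "SALES.REGION2.CLUSTER", "location": "Dallas"},   "details": {"service": "checkout"}},
    {"id": "a3", "ts": 25,  "resource": {"cluster": "SALES.REGION2.CLUSTER", "location": "New York"}, "details": {}},
    {"id": "a8", "ts": 30,  "resource": {"cluster": "SALES.REGION2.CLUSTER"},                          "details": {}},
    {"id": "a4", "ts": 45,  "resource": {"cluster": "SALES.REGION2.CLUSTER", "location": "Dallas"},   "details": {}},
    {"id": "a5", "ts": 70,  "resource": {"cluster": "SALES.REGION2.CLUSTER", "location": "Dallas"},   "details": {}},
    {"id": "a7", "ts": 200, "resource": {"cluster": "SALES.REGION2.CLUSTER", "location": "Dallas"},   "details": {}},
]

# ScopeID template from step 8: alert.resource.cluster, the string ":", alert.resource.location.
SCOPE_TEMPLATE: List[Tuple[str, str]] = [
    ("property", "alert.resource.cluster"),
    ("string", ":"),
    ("property", "alert.resource.location"),
]


def get_property(alert: Dict[str, Any], dotted: str) -> Any:
    """Resolve an 'alert.x.y' path against an alert dict; None if absent."""
    parts = dotted.split(".")
    if parts[0] != "alert":
        raise KeyError(f"not an alert property: {dotted}")
    node: Any = alert
    for part in parts[1:]:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def build_scope_id(alert: Dict[str, Any], template: List[Tuple[str, str]]) -> Optional[str]:
    """Concatenate template tokens into a ScopeID, or None if a property is missing.

    Mirrors the note in step 8: a specific details key (alert.details.<key>) may
    be used, but the whole alert.details object may not, so a dict value yields None.
    """
    pieces = []
    for kind, value in template:
        if kind == "string":
            pieces.append(value)
        else:
            resolved = get_property(alert, value)
            if resolved is None or isinstance(resolved, dict):
                return None
            pieces.append(str(resolved))
    return "".join(pieces)


def matches_condition(alert: Dict[str, Any]) -> bool:
    """Step 7 condition: alert.resource.cluster equal to SALES.REGION2.CLUSTER."""
    return get_property(alert, "alert.resource.cluster") == "SALES.REGION2.CLUSTER"


def group_alerts(alerts: List[Dict[str, Any]], window_seconds: int, window_type: str,
                 template: List[Tuple[str, str]] = SCOPE_TEMPLATE) -> Dict[str, List[List[str]]]:
    """Group matching alerts by ScopeID, returning {scope_id: [[alert ids], ...]}.

    rolling: a group stays open while the gap since its LAST alert is <= window.
    fixed:   a group stays open while the time since its FIRST alert is <= window.
    """
    if window_seconds < 10:
        raise ValueError("time window must be at least 10 seconds")
    if window_type not in ("rolling", "fixed"):
        raise ValueError("window_type must be 'rolling' or 'fixed'")

    groups: Dict[str, List[List[str]]] = {}
    open_window: Dict[str, Tuple[int, int]] = {}  # scope_id -> (first_ts, last_ts)

    for alert in sorted(alerts, key=lambda a: a["ts"]):
        if not matches_condition(alert):
            continue
        scope_id = build_scope_id(alert, template)
        if scope_id is None:  # assumption: alerts without a full scope are not grouped
            continue
        ts = alert["ts"]
        if scope_id in open_window:
            first_ts, last_ts = open_window[scope_id]
            anchor = last_ts if window_type == "rolling" else first_ts
            if ts - anchor <= window_seconds:
                groups[scope_id][-1].append(alert["id"])
                open_window[scope_id] = (first_ts, ts)
                continue
        # Window expired (or no open group yet): start a new group for this ScopeID.
        groups.setdefault(scope_id, []).append([alert["id"]])
        open_window[scope_id] = (ts, ts)
    return groups


if __name__ == "__main__":
    for kind in ("rolling", "fixed"):
        print(kind, group_alerts(SAMPLE_ALERTS, 30, kind))
```

With a 30 second window, the Dallas alerts form one long rolling group (each arrives within 30 seconds of the previous one) but two fixed groups (the window closes 30 seconds after the first alert regardless of activity); a7 starts a fresh group under both types. The alert from OTHER.CLUSTER never enters a group because it fails the step 7 condition, and the alert without a location gets no ScopeID.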

Scope-based alert grouping is activated for alerts that match the condition, based on the ScopeID specified.

New and updated policies can take up to 2 minutes to take effect.