Supported Anomaly insights properties
In a policy condition set, you can suppress alerts and create reports from alerts by using the following types of Anomaly insights properties:
| Property | Description | Type | Possible values |
|---|---|---|---|
httpErrorCode.name |
HTTP error code | string |
400, 401, 403, 408, 429, 500, 502, 503, 504, 5xx |
httpErrorCode.unit |
Unit for the HTTP error code KPI | string |
Count |
exception.name |
Name of the exception (for example, a token that contains the string exception found within a Log) |
string |
|
exception.unit |
Unit for the exception KPI | string |
Count |
messageId.name |
An IBM WebSphere MQ message ID | string |
|
messageId.unit |
Unit for the message ID KPI | string |
Count |
metric.name |
Metric name | string |
|
metric.unit |
Unit for the metric KPI (for example, bytes, mb, ms, s) | string |
|
actualValue |
The observed value for a KPI. | number |
|
expectedlValue |
The expected value for a KPI. | number |
|
expectedRange.upperThreshold |
The expected upper bound of the count/frequency of the KPI in a given time aggregated window. | number |
|
expectedRange.lowerThreshold |
The expected lower bound of the count/frequency of the KPI in a given time aggregated window. | number |
|
resourceAggregator |
This field is optional. An entity in the underlying client application that can be used to logically aggregate all anomalies that are related to the same application resource. For example, in the context of Metric anomalies this would be a server that might be used to aggregate anomalies across all ports exposed by that server. For Log anomalies, this might be a Kubernetes ReplicaSet that aggregates all the pods it manages. | string |
Using properties for alert suppression
Scenario 1: Alert suppression based on HTTP error codes
You might expect the system to generate certain HTTP error types at regular intervals. However, these alerts do not require action and you do not want alerts and incidents generated based on these errors. You can enable alert suppression to avoid new alerts from being generated.
Scenario 2: Alert suppression based on exceptions present in log messages
Some exceptions present in log messages might not be a priority or cause any outages for your environment. As a result, you might want to suppress any alerts that are generated by these exceptions captured in logs.
Log anomaly suppression policies can reference only computed or derived entity values from the RSA algorithm, such as the exception name. To suppress certain log anomaly alerts based on the exception name, go to the IBM Cloud Pak® for AIOps
Suppress Alerts automation page. Then, from the Alert insight category suppression options, choose the insight.details.kpi.exception.name property. However, you cannot define a log anomaly suppression policy that references
the string message that is found in the log record.
Scenario 3: Alert suppression based on domain-specific error code entities that are present in the logs
Domain-specific logs, such as IBM MQ or WebSphere, include error code entities that you can use to set policies to suppress alerts. For example, use the insights.details.kpi.messageId.name field in an Anomaly insights condition
set to suppress alerts that match that entity.
Using properties for creating runbooks
Scenario 4: Create a runbook based on resource name
Use the resourceAggregator field in an Anomaly insights condition set to create a runbook based on resource name.
Using properties to invoke IBM® Tivoli® Netcool®/Impact
Scenario 5: Invoke Netcool/Impact based on metric name
Use the metric.name field in an Anomaly insights condition set to invoke Netcool/Impact based on metric name.
