Filtering alarms

You can filter the set of alarms output by using the filtered_alarms.txt file.

About this task

You can filter the set of alarms that are generated by the Analytics server for any resource, metric group and metric.

Procedure

  1. Open the $PI_HOME/spl/instances/Analytics<topic name>/config/filtered_alarms.txt file.

    Where <topic name> is the name of the topic to which you want to apply the filtering.

  2. Use a wildcard or regular expression to specify the resource, metric group, or metric and whether the condition means that the alarm is discarded or forwarded.

    The format of a condition must be as follows:

    regex|wild,<resource name>,<metric group name>,<metric name>,<rule type>,
    <threshold>,forward|discard|major|minor|warning|critical
    

    Where:

    • regex means use regular expressions.

      Regular expression example: [Dd]isk_space_.*

    • wild means use basic wildcard matching - supports '*' and '?' only.

      Wildcard example: *_CPU*

    • resource name specifies the name of the resource to filter
    • metric group name specifies the name of the metric group to filter
    • metric name specifies the name of the metric to filter
    • rule type sets the type of rule to include in the filter condition and can be one of the following:

      actual_expected checks if both the actual and expected values are less than or equal to the threshold

      actual_only checks only if the actual value is less than or equal to the threshold

      expected_only checks only if the expected value is less than or equal to the threshold

      delta checks if the difference between the actual and expected value is less than or equal to threshold

      higher checks if the actual value is higher than the expected value

      lower checks if the actual value is lower than the expected value

    • threshold specifies the numerical value against which the rule type is compared
    • forward means forward all matching alarms.
    • discard means discard all matching alarms.
    • major means set the severity of all matching alarms to major
    • minor means set the severity of all matching alarms to minor
    • warning means set the severity of all matching alarms to warning
    • critical means set the severity of all matching alarms to critical
    • * or an empty string ensures that the test always passes for regex or wild.

    The first condition that is matched is used.

    Note: The filtered_alarms.txt file is read dynamically at every interval so you do not need to restart Predictive Insights after you update the file.

Example

The following are examples of filters:

  • wild,*,*,*,forward
    

    Forward all alarms -> no other rule will be read after.

  • wild,,,,forward
    

    Forward all alarms -> no other rule will be read after. (same as the previous example - null equals all pass)

  • wild,*,NTPROCSSRGroup,*,forward

    Forward all metrics in the metric group NTPROCSSRGroup.

  • wild,*,NTPROCSSRGroup,%*,forward
    

    Forward all metrics that begin with the percent symbol (%) AND are in the metric group NTPROCSSRGroup.

  • regex,*,NTPROCSSRGroup,%.*,forward
    

    Same as the previous example, but uses regular expressions instead of wildcards.

  • wild,*,NTPROCSSR*,*,discard

    Discard all alarms that are emitted from metrics in the metric group NTPROCSSRGroup.

  • wild,*,*,*Space_Available*,forward
    wild,*,*,*,discard

    Forward alarms with metric names that contain Space_Available only.

  • wild,brayz1*,UNIXDISKGroup,*,forward
    wild,*,*,*,discard

    Forward only alarms with resource names that start with brayz1 and a metric group of UNIXDISKGroup.

  • wild,brayz1*,UNIXDISKGroup,Inodes_Used,forward
    wild,*,*,*,discard

    Forward only alarms with resource names that start with brayz1, a metric group of UNIXDISKGroup, and a metric name of Inodes_Used.

  • wild,router-sw49.tut.com,ResptimeGroup,Maxresponsetime,delta,1000,discard
    wild,router-sw49.tut.com,ResptimeGroup,Maxresponsetime,delta,2000,minor
    wild,router-sw49.tut.com,ResptimeGroup,Maxresponsetime,delta,3000,major
    wild,router-sw49.tut.com,ResptimeGroup,Maxresponsetime,critical

    Gradually increases the severity of the alarm as the deviation between the actual and expected values increases. If the delta of the actual and expected value is less than or equal to 1000, the alarm is discarded. If this condition is not met, Predictive Insights checks the remaining lines and sets the severity to the appropriate value depending on which condition is met. For example, if the delta of the actual and expected values is greater than 2000 but less than 3000, the condition in the third line of the example is met and the alarm severity is set to major.

  • wild,router-nw57.tut.com,ResptimeGroup,Maxresponsetime,actual_only,50,minor

    Set the severity of the alarm to minor if the actual value of the Maxresponsetime metric is less than or equal to 50.

  • wild,router-nw57.tut.com,ResptimeGroup,Maxresponsetime,actual_expected,100,minor

    Set the severity of the alarm to minor if both the actual value and the expected value of the Maxresponsetime metric are less than or equal to 100.

  • wild,*,*,*Totalbytes,expected_only,10000000,warning

    If a metric whose name ends with Totalbytes has an expected value less than or equal to 10,000,000, set the severity of the alarm to warning.
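
Because the first matching condition is used and a broad discard line can silently suppress alarms, it helps to check offline which line a given alarm would hit before you save the file. The following Python is an added example, not part of Predictive Insights: it models the condition format and first-match rule described above, and the function names and alarm values are constructed for illustration. It assumes that regex patterns must match the whole name, that delta is the absolute difference, that higher and lower ignore the threshold, that patterns contain no commas, and that an alarm matching no line yields None.

```python
import re

ACTIONS = {"forward", "discard", "major", "minor", "warning", "critical"}

# test(actual, expected, threshold); assumed: delta is absolute, higher/lower ignore threshold
RULE_TYPES = {
    "actual_expected": lambda a, e, t: a <= t and e <= t,
    "actual_only": lambda a, e, t: a <= t,
    "expected_only": lambda a, e, t: e <= t,
    "delta": lambda a, e, t: abs(a - e) <= t,
    "higher": lambda a, e, t: a > e,
    "lower": lambda a, e, t: a < e,
}

def pattern_matches(mode, pattern, value):
    if pattern in ("", "*"):              # always passes, for regex and wild
        return True
    if mode == "wild":                    # only '*' and '?' are special
        pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                          for c in pattern)
    return re.fullmatch(pattern, value) is not None  # assumption: whole-name match

def evaluate(filter_text, alarm):
    """Return (line number, action) of the first matching condition, or None."""
    names = (alarm["resource"], alarm["group"], alarm["metric"])
    for number, line in enumerate(filter_text.splitlines(), 1):
        fields = [f.strip() for f in line.split(",")]
        if (len(fields) not in (5, 7) or fields[0] not in ("regex", "wild")
                or fields[-1] not in ACTIONS):
            continue                      # blank or malformed line: skipped here
        if not all(pattern_matches(fields[0], p, v) for p, v in zip(fields[1:4], names)):
            continue
        if len(fields) == 7:              # optional <rule type>,<threshold>
            test = RULE_TYPES.get(fields[4])
            if not test or not test(alarm["actual"], alarm["expected"], float(fields[5] or 0)):
                continue
        return number, fields[-1]         # first match wins
    return None

# The escalation example from this page; the alarm values below are constructed.
ESCALATION = """\
wild,router-sw49.tut.com,ResptimeGroup,Maxresponsetime,delta,1000,discard
wild,router-sw49.tut.com,ResptimeGroup,Maxresponsetime,delta,2000,minor
wild,router-sw49.tut.com,ResptimeGroup,Maxresponsetime,delta,3000,major
wild,router-sw49.tut.com,ResptimeGroup,Maxresponsetime,critical"""

def sample_alarm(actual, expected=100.0):
    return {"resource": "router-sw49.tut.com", "group": "ResptimeGroup",
            "metric": "Maxresponsetime", "actual": actual, "expected": expected}
```

Calling evaluate(ESCALATION, sample_alarm(2600)) returns the line number and action that apply to an alarm with a delta of 2500, so you can see which alarms a new discard line would suppress.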