Describes the top tips when working within the CEM 90-day trial.
Here are Support's top 11 items which apply to CEM SaaS. A few items below specifically address changes which have just gone live.
1 When do notifications occur (the number 1 question)
- notifications (based on policies, or see the note) occur when:
+ Incident is created
+ Incident is assigned (there are cases where resolved incidents can return to this state)
+ Incident is placed in-progress
+ Incident is escalated
+ NOT when an incident is resolved
+ When an incident is closed (be aware that everyone previously notified about this incident is notified about the closure)
+ Known issue - we cannot check for state in the policies (there is an issue open) to suppress the closure notification
- The outgoing notifications from CEM are based on the same notification strategy described above, so these webhooks are notified as above
https://www.ibm.com/support/knowledgecenter/en/SSURRN/com.ibm.cem.doc/em_setupincidentpolicies.htm
2 Why does my incident have that name? And what can I do about that? (2nd most common question)
- Incidents are named based on the correlation rule used (the common field within the events used to correlate). The list below is in order of precedence:
+ resource.correlationKey - when used, the incident title is based on the Summary of the first event (all the rest use the value of the correlating field)
+ resource.cluster
+ resource.application
+ resource.hostname
+ resource.ipaddress
+ resource.controller
+ resource.sourceId
+ resource.service
+ resource.name (the only mandatory field)
- What can be done about the name (enrichment with event policies)
+ The field used to correlate can be enriched (impacting future events/incidents)
+ for example, if controller is being used to correlate, cluster could be enriched with a more descriptive name, altering future correlation
+ if correlation key is being used, summary can be enriched/replaced with a more meaningful title
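An added sketch of the naming rules in item 2 (not CEM's own code). It assumes correlation uses the highest-precedence resource field present on an event; `enrichCluster` is a hypothetical stand-in for an event policy that sets resource.cluster, and the sample events are constructed.

```javascript
// Simplified model of the precedence list in item 2; not CEM code.
const PRECEDENCE = [
  "correlationKey", "cluster", "application", "hostname", "ipaddress",
  "controller", "sourceId", "service", "name", // name is the only mandatory field
];

// Return the highest-precedence resource field set on the event, with its value.
function correlationField(event) {
  const resource = event.resource || {};
  for (const field of PRECEDENCE) {
    if (resource[field] !== undefined && resource[field] !== "") {
      return { field, value: String(resource[field]) };
    }
  }
  throw new Error("event has no resource.name (mandatory field)");
}

// Group events into incidents and title each one as item 2 describes.
function nameIncidents(events) {
  const incidents = new Map();
  for (const event of events) {
    const { field, value } = correlationField(event);
    const key = `${field}=${value}`;
    if (!incidents.has(key)) {
      // correlationKey: title is the Summary of the first event; otherwise the field value.
      const title = field === "correlationKey" ? event.summary : value;
      incidents.set(key, { correlatedOn: `resource.${field}`, title, events: [] });
    }
    incidents.get(key).events.push(event);
  }
  return [...incidents.values()];
}

// Hypothetical enrichment step standing in for an event policy that sets resource.cluster.
function enrichCluster(event, clusterName) {
  return { ...event, resource: { ...event.resource, cluster: clusterName } };
}

// Constructed sample events.
const sampleEvents = [
  { summary: "Pod restart loop", resource: { name: "pod-a", controller: "rs-7f9c" } },
  { summary: "High memory", resource: { name: "pod-b", controller: "rs-7f9c" } },
  { summary: "Disk latency on db01", resource: { name: "db01", correlationKey: "storage-42" } },
];
```

Without enrichment the first two events produce an incident titled after the controller value; once cluster is set they correlate and are titled on cluster instead, while the correlationKey event keeps its Summary-based title because correlationKey outranks cluster.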
3 Have there been changes to event/incident policies?
- there is a new condition available to test for the resolution state of an event
4 Why does the scheduling page look different?
- scheduling has been rewritten in React and offers a number of usability improvements
+ key changes: you no longer have to give your schedule a name unless saving it as a reusable pattern
+ you must select the base assignment timezone before being able to define the schedule
+ the transition between pattern view and schedule view has been improved
+ the first week of shifts now displays on the schedule view (without moving forward and back one week)
+ auto assignments are now working (there must be an alignment between operator settings (work hours, on call availability, timezone) and the shifts for auto assignment to occur)
+ shifts can be created on the pattern view by click, drag and release; shifts in the same time slot across multiple days are treated as a series
+ series can be staffed by series or by individual shift option
5 How to do a custom integration if the incoming webhook you need is not provided in the list?
- This question occurs often. To aid in this, there is a new how-to you can reference. The example is for Sysdig, but it's applicable to anything, as it helps the user understand JSONata
+ https://www.ibm.com/support/pages/how-integrate-ibm-cloud-monitoring-sysdig-cloud-event-management
+ the key takeaways from this example are taking your event source's JSON and placing it into box 1, and then writing the JSONata rules to extract that into an event in area 2
+ ultimately creating a valid event in Result which can be tested with Generate
6 If the out of the box incident policies set incident priority based on correlated event severities, how can I have a priority 1 incident when the highest contained severity of the events is major?
- There may be an incident policy raising the priority of this particular incident
- As events have cleared, it's possible the severity of deduplicated clear events was lowered. Severity will change on a dedup. Priority is not lowered in this case but reflects the highest received event severity.
7 Why can't I assign, place in-progress or run a runbook for an incident?
- A user must be added to one or more groups to perform any of those actions.
8 What is the escalation train and how can I stop it?
- In incident policies you can define a set of escalations (each occurs after a timed period [set in the policy] following the first notification)
- to stop this train you place the incident into the in-progress state
- as noted above when the incident closes, all users who received escalations will receive closure notification
9 What can I do/not do with Mobile?
- You can receive mobile notifications on your phone when your logged in user is the target of an incident notification
- You can view details, view timeline, view events, assign, place in progress, on hold, comment on, and resolve incidents
- You can launch URLs embedded in events
- You cannot run runbooks, manipulate policies, edit users and groups from mobile
10 What don’t we have in CEM?
- Event archive, ability to view events directly
- no dashboard which shows us the state of notifications, all who have been notified, all who have been escalated to, and their response times
11 Why do mobile calls increase my digital messages total differently than SMS messages?
- Voice calls cost IBM approximately 3 times more than do SMS messages.
- Each voice call counts as 3 against this total, and each SMS counts as 1.
Document Information
Modified date: 15 May 2020
UID: ibm16209005



