My goal is to be notified by email every time a given alarm, that is or was before in the Critical severity, drops to Normal. Is there any way to do this with a correlation rule?
The quick approach to set the rule as shown below does not do what we need because in this case, the rule would be triggered as soon as the alarm clears, regardless of having been before in the Critical state. Example: An alarm goes to Major, then drops to Warning and later on, drops to Normal -> in this case I don't want to be notified because this alarm never reached the Critical level.
Hi Paulo,
Have you tried the option 'Execute on clear'?
You can create the alarm filter based on critical severity, then you can configure an action that will execute an automation script (that will send the email notification). Once the alarm clears, the automation script will be triggered again.
In the automation script you could also retrieve additional information about the alarm that triggered the correlation rule (How do I parse alarm info data).
I just found the ‘Execute on clear’ works as long as the action of the rule is not sending an email, e.g., when I change the action to execute an automation script I can see the rule is triggered also when the condition is no longer met. This might be a bug? Anyway, the execute on clear is not exactly what we want.
Maybe one possible solution is to use an alarm property that would be set when the alarm goes to Critical (this would be done easily with a correlation rule) and then have a 2nd correlation rule that would be triggered when the alarm goes to Normal and that property is set. With these 2 conditions, the 2nd rule would be able to send the email notification at the same time it would reset the alarm property previously set.
Hi Paulo,
For this specific use case, indeed, it will not be possible to use the option ‘Execute on clear’. You will need to trigger your correlation rule whenever there is a change of the severity of that parameter. In the automation script you will need to find a way to retrieve the life cycle of that alarm so you can evaluate the previous severities and trigger the email notification.
Please keep in mind that in the correlation rule you will need to uncheck the option ‘Trigger on single events’.
Would adding another filter line with 'Alarm Type' = 'Dropped from Critical', in combination with the one you already defined, solve your issue?
When you say: "An alarm that is or was in Critical state, drops to Normal", do you mean you also want to be notified in case an alarm which was Critical at any point in its life cycle, drops to Normal? That will probably not be possible to achieve without adding code through an Automation script.
In case you only want to catch alarms for which the state was Critical right before dropping to Normal, I suppose the above should work?
Thanks for your comment Ruben.
Indeed I want to be notified “in case an alarm which was Critical at any point in its life cycle, drops to Normal”.
Unfortunately we cannot guarantee the alarm will always drop directly to Normal from Critical; in that case the solution would be easy, as you well noted.
Thank you Miguel.
I did try the ‘Execute on clear’ but it does not seem to be working here: when the alarm drops to Normal the action is not re-executed (I checked the SLCorrelation log).
Also, I was trying to avoid using any automation but it looks like there is no simple way to do this only with correlation rules.
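The decision logic discussed in this thread (a flag set when the alarm reaches Critical, checked and reset when it drops to Normal), written out as an added example that is not part of the thread and is not DataMiner code. It calls no DataMiner API; the class, function and event names are hypothetical, and the severity events are constructed sample data.

```python
from dataclasses import dataclass, field

CRITICAL, NORMAL = "Critical", "Normal"


@dataclass
class CriticalLatch:
    """Remembers, per alarm ID, whether the alarm was Critical in its current life cycle."""
    latched: set = field(default_factory=set)

    def on_severity_change(self, alarm_id, severity):
        """Process one severity change; return True if an email should be sent."""
        if severity == CRITICAL:
            # First rule: mark the alarm as "has been Critical".
            self.latched.add(alarm_id)
            return False
        if severity == NORMAL:
            # Second rule: notify only if the mark is set, and reset it so the
            # next life cycle of the same alarm starts clean.
            was_critical = alarm_id in self.latched
            self.latched.discard(alarm_id)
            return was_critical
        # Major / Minor / Warning: the mark is left untouched, so an indirect
        # drop (Critical -> Major -> Warning -> Normal) still notifies.
        return False


def notifications(events):
    """Return (event index, alarm ID) for every event that should send an email."""
    latch = CriticalLatch()
    return [(i, alarm_id)
            for i, (alarm_id, severity) in enumerate(events)
            if latch.on_severity_change(alarm_id, severity)]


# Constructed sample events as (alarm ID, new severity), in time order.
SAMPLE_EVENTS = [
    ("A", "Major"), ("A", "Warning"), ("A", "Normal"),   # never Critical: no email
    ("B", "Critical"), ("B", "Major"),
    ("B", "Warning"), ("B", "Normal"),                   # indirect drop: email
    ("B", "Major"), ("B", "Normal"),                     # new life cycle: no email
    ("C", "Critical"), ("C", "Normal"),                  # direct drop: email
]

if __name__ == "__main__":
    for index, alarm_id in notifications(SAMPLE_EVENTS):
        print(f"event {index}: alarm {alarm_id} dropped to Normal after being Critical")
```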