Hello All,
When using Correlation rule actions to send email alerts, what options exist to keep the emails from occurring if they have occurred X number of times in the last X number of minutes/hours?
Note: The Rules in place today are using the persistent event configuration so that emails are only sent after the condition is satisfied for 3 minutes.
Adding Hysteresis to alarm templates is not a good option as we don't always want to hide flapping alarms.
I'm also curious if there is an option to Mask alarms after X occurrences - which should also keep emails from being sent once masked.
Thank you in advance!
Hello Thomas,
Dataminer does not provide an out-of-the-box mechanism to automatically mask alarms after X occurrences. However, the Correlation Engine can be used to perform actions when complex conditions and logic are met.
In your specific case, if you already have a main correlation rule that triggers the notification under the expected conditions and you want to monitor or count how many times it fires, you could generate a correlated alarm for each occurrence. Then, using a second correlation rule, you could implement logic that calls an Automation script to mask the base alarms, disable the first rule, or perform any other action suited to your workflow.
In short, it would always require a custom solution.
Paulo
Yes, the second rule would include a filter that matches the correlated alarm raised by the first rule. Then, in the Rule Condition section, you can use a script condition, for example, 'count(*) > 4' combined with one of the evaluation options other than Immediate evaluation.
It will likely require some testing and iterative adjustments to fine-tune the rule until it behaves exactly as you want.
Thank you Paulo. To confirm, with an additional correlation rule, we can build logic to count the number of times an alarm occurs over a time period? would this be through the use of script-based conditions (rather than filter-based conditions)?