Hi All,
Reference email alerts.
I have set up a correlation script to email when a bit rate goes into alarm.
However, I get an email every minute.
I want only one email when there is the first alarm & there are multiple alarms.
What do I set in the correlation script to send one email at the first alarm, but not at subsequent alarms, please?
Kind regards,
Mark
Hi Alberto! thank you also for your feedback. I will try both your ideas & Thomas’s. The alarms have say an hour between them, so maybe widening out the sliding window would help. Kind regards, Mark
Hi Mark,
This may not be the best approach, but from my testing, it seems that you can enable a sliding window with a specified time span. (E.g. 1 hour)
The correlation actions will be executed the first time an alarm that matches your filter pops up, but any other alarms will be ignored for that specified amount of time. Every time a new alarm is generated during that time frame, the timer is reset. So in essence, the correlation actions will only be executed again if a new alarm is generated after X amount of time has passed since the last alarm. Also note that this last alarm needs to be cleared. As long there is an active alarm matching your filter, no actions will be executed.
If this is the desired behavior, you could give that a shot.
Again, not a Correlation expert. There may be better ways of doing this, which could be posted here early next week.
Hello Thomas, thank you for your feedback. Much appreciated! I will try this. Kind regards, Mark
Good suggestion Thomas. Note Mark that this requires the trigger at the top to be set to Immediate Evaluation. Some more documentation and insights are available here: https://docs.dataminer.services/user-guide/Advanced_Modules/Correlation/Adding_rule_conditions_in_Correlation_rules.html?q=slidingwindow
Hi Mark - when you refer to the first alarms, and not the subsequent, I assume the subsequent alarms are the same as the first ones? In other words, the alarm triggers, then clears, and triggers again, etc.
In these situations, you might also consider hysteresis on the alarm threshold. When the bitrate then drops below the threshold, it will generate an alarm, and that alarm will persist for a given time, even if the bitrate is back above the threshold again into the clear (if you use the clear hysteresis). And/or alternatively you can (using the alarm hysteresis) also opt to only trigger an alarm if the bitrate dropped for some time, and not immediately.
I guess it entirely depends on whether you consider the alarm situation for a given metric to exist only for as long the value is above or below threshold, or if you want an alarm to exist if the metric as above or below the threshold in a given time span. This choice is also related to how you run the operation, i.e. a brief drop of the bitrate will only show a brief alarm (in case no hysteresis is applied), but would you consider that to be an 'alarm situation' that needs to be visible for people, even after the bitrate returned to normal values.
Just FYI - might not apply here in your use case. And there's also a variety of other options, you could also use the correlation for example to say that you only want an e-mail if that bitrate alarm happened at least x times in the past 5 minutes. Also in that case you will not get multiple alarms. But the difference would be that with Thomas his suggestion you get an email immediately for the very first occurrence and not for the subsequent ones, with the count you would only get an email after it happened x times in y time.
Feel free to circle back Mark if you haven't find the right fit for your specific use case. And thanks for being part of the community!
I seem to recall that the 1st alarm entry would have “alarm ID” = “root alarm ID” – you can check this from the related columns in alarm console.
If that’s the case, this might be an option to filter out the other alarms (e.g. if the severity evolves from major to critical) – on the other hand, in terms of user case scenario, would you need to keep trace via email if the alarm gets cleared at some point? So that users don’t need to go and check the alarm when already cleared?
Alternatively – do you need to keep trace if the severity changes between Major & Critical?
Based on these additional condition, the possible implementation can evolve.
I think Thomas’ suggestion below is also a good shout – essentially you can manage this by filtering the triggers for your email notification, or by tuning the correlation on the triggers you already have – both approaches would work, it’s a rather a design preference. I’ll try to add some screenshots when I have a chance