Hi All,
Reference email alerts.
I have set up a correlation script to email when a bit rate goes into alarm.
However, I get an email every minute.
I want only one email when there is the first alarm & there are multiple alarms.
What do I set in the correlation script to send one email at the first alarm, but not at subsequent alarms, please?
Kind regards,
Mark
Hi Alberto! thank you also for your feedback. I will try both your ideas & Thomas’s. The alarms have say an hour between them, so maybe widening out the sliding window would help. Kind regards, Mark
Hi Mark,
This may not be the best approach, but from my testing, it seems that you can enable a sliding window with a specified time span. (E.g. 1 hour)
The correlation actions will be executed the first time an alarm that matches your filter pops up, but any other alarms will be ignored for that specified amount of time. Every time a new alarm is generated during that time frame, the timer is reset. So in essence, the correlation actions will only be executed again if a new alarm is generated after X amount of time has passed since the last alarm. Also note that this last alarm needs to be cleared. As long there is an active alarm matching your filter, no actions will be executed.
If this is the desired behavior, you could give that a shot.
Again, not a Correlation expert. There may be better ways of doing this, which could be posted here early next week.
Hello Thomas, thank you for your feedback. Much appreciated! I will try this. Kind regards, Mark
Good suggestion Thomas. Note Mark that this requires the trigger at the top to be set to Immediate Evaluation. Some more documentation and insights are available here: https://docs.dataminer.services/user-guide/Advanced_Modules/Correlation/Adding_rule_conditions_in_Correlation_rules.html?q=slidingwindow
I seem to recall that the 1st alarm entry would have “alarm ID” = “root alarm ID” – you can check this from the related columns in alarm console.
If that’s the case, this might be an option to filter out the other alarms (e.g. if the severity evolves from major to critical) – on the other hand, in terms of user case scenario, would you need to keep trace via email if the alarm gets cleared at some point? So that users don’t need to go and check the alarm when already cleared?
Alternatively – do you need to keep trace if the severity changes between Major & Critical?
Based on these additional condition, the possible implementation can evolve.
I think Thomas’ suggestion below is also a good shout – essentially you can manage this by filtering the triggers for your email notification, or by tuning the correlation on the triggers you already have – both approaches would work, it’s a rather a design preference. I’ll try to add some screenshots when I have a chance