Correlated alert groups

Service Analytics groups alerts that are very similar, but not necessarily identical, into correlated alert groups that represent the underlying event data. Reviewing these groups in the Event Management dashboard and in the alerts console can help in the analysis of ongoing issues.

Some of the alerts in the system are generated for CIs that are part of the definitions of business services, technical services, or manual services. Alerts can also be included in user-defined alert groups whose criteria the alert meets. Service Analytics aggregates these alerts into correlated alert groups.

Alert aggregation for services and alert groups

Alerts are grouped based on the CI that is associated with the alerts and on how close in time the alerts were created. When alerts associated with services are grouped into correlated alert groups, impacted services are also included in the root cause analysis (RCA).

Alerts for technical services, manual services, and alert groups are not associated with a service model and do not undergo RCA. Other than being correlated by time and CI, the alerts are not necessarily related by the same underlying problem.

Alert aggregation for business services

For a business service, a correlated alert group contains alerts that were generated by the root cause CIs and by related CIs.

Service Analytics applies root cause analysis (RCA) algorithms to alerts associated with business services to identify root cause CIs. The root cause CI is the CI from which the initial alert was generated, and which subsequently caused other alerts to be generated on the same CI or on related CIs.

Business services are discovered by Service Mapping and represented internally in the system by a service model. The service model of the business service is used for identifying CIs related to the root cause CI.

Correlated alert groups for business services are RCA-correlated alert groups, which is indicated by the RCA prefix in the group name on the Event Management dashboard and in the alerts console.

By default, RCA is applied for alerts associated with business service CIs, impacting alert aggregation for these alerts. You can modify this behavior by changing the settings of the sa_analytics.aggregation.include_service and sa_analytics.rca_enabled properties for Service Analytics.
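The grouping rule described above (same CI, creation times close together, an RCA prefix for groups on business service CIs, both controlled by the two properties) as an added, simplified Python model. This is not Service Analytics code; the five-minute window, the set of business service CIs, the alert records and the property names used as parameters are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed service-model membership (constructed, not from a real CMDB).
BUSINESS_SERVICE_CIS = {"db-prod-01", "app-prod-01"}


@dataclass
class Alert:
    number: str
    ci: str
    created: datetime
    severity: str


@dataclass
class CorrelatedGroup:
    ci: str
    alerts: list
    rca: bool  # True when the group is an RCA-correlated group


def correlate(alerts, window=timedelta(minutes=5), rca_enabled=True, include_service=True):
    """Group alerts that share a CI and were created within `window` of the previous alert.
    `rca_enabled` / `include_service` stand in for sa_analytics.rca_enabled and
    sa_analytics.aggregation.include_service; RCA is only flagged for business service CIs."""
    groups = []
    for alert in sorted(alerts, key=lambda a: a.created):
        for g in groups:
            # Extend an existing group on the same CI if this alert is close in time to its last alert
            if g.ci == alert.ci and alert.created - g.alerts[-1].created <= window:
                g.alerts.append(alert)
                break
        else:
            rca = rca_enabled and include_service and alert.ci in BUSINESS_SERVICE_CIS
            groups.append(CorrelatedGroup(alert.ci, [alert], rca))
    return groups


def group_name(group):
    """Mimic the dashboard naming: RCA-correlated groups carry an RCA prefix."""
    return f"{'RCA ' if group.rca else ''}{group.ci} ({len(group.alerts)} alerts)"


# Constructed sample alerts: two bursts on a business service CI, one on an unmapped CI.
BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ALERTS = [
    Alert("Alert0001", "db-prod-01", BASE, "critical"),
    Alert("Alert0002", "db-prod-01", BASE + timedelta(minutes=2), "major"),
    Alert("Alert0003", "web-dev-07", BASE + timedelta(minutes=3), "minor"),
    Alert("Alert0004", "db-prod-01", BASE + timedelta(minutes=20), "major"),
    Alert("Alert0005", "web-dev-07", BASE + timedelta(minutes=4), "minor"),
]

if __name__ == "__main__":
    for grp in correlate(SAMPLE_ALERTS):
        print(group_name(grp), [a.number for a in grp.alerts])
```

Alert0004 lands in a second db-prod-01 group because it falls outside the window of the first burst, which is the "correlated by time and CI" behaviour the page describes.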