Correlated alert groups

Service Analytics groups alerts that are very similar, but not necessarily identical, into correlated alert groups that represent the underlying event data. You can then review these groups in the Event Management dashboard and in the alerts console. You can analyze issues, and create an incident directly related to a correlated alert group.

Some of the alerts in the system are generated for CIs that are part of the definitions of business services, technical services, or manual services. Alerts can also be included in user-defined alert groups for which the alert meets the specified criteria. Service Analytics aggregates these alerts into correlated alert groups.

If the Domain Support - Domain Extensions Installer plugin is activated, then alert aggregation is applied at the domain level that is specified by the sa_analytics.agg.learner_domain_level property. By default, this property is set to 2, which is the second domain level in the domain hierarchy.

Alert aggregation

Alerts are grouped based on the CI that is associated with the alerts and on how close in time the alerts were created.

Alerts for technical services, manual services, and user-defined alert groups are not associated with a service model, so they do not undergo root cause analysis (RCA). Beyond being correlated by time and CI, the alerts in such a group are not necessarily caused by the same underlying problem.

Alert aggregation has these components:
Alert Aggregation Learner
An offline job that runs once a day to process past alerts. The Alert Aggregation Learner identifies patterns of related alerts using a combination of pattern-based and probabilistic techniques. If the sa_analytics.agg.learner_group_by_property property is set, then before processing starts, the Alert Aggregation Learner groups alerts by the specified CMDB property.
Real Time Query
A scheduled job that runs every minute and updates alert aggregation groups. It tries to match real-time alerts with alert patterns stored in the alert knowledge base.
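The grouping behaviour described above (same CI, or same CMDB property when sa_analytics.agg.learner_group_by_property is set, and close in time), as an added illustrative example that is not ServiceNow code and does not reproduce the actual learner algorithm; the time-window rule, the alert fields and the sample alerts are all assumptions:

```javascript
// Simplified model of correlated alert grouping: bucket alerts by CI (or by
// a configured CMDB property) and split each bucket wherever the gap between
// consecutive alerts exceeds a time window. Assumed logic, not ServiceNow's.

// Constructed sample alerts (not real event data).
const SAMPLE_ALERTS = [
  { id: "A1", ci: "db01",   created: "2024-01-01T10:00:00Z", props: { app: "crm" } },
  { id: "A2", ci: "web01",  created: "2024-01-01T10:00:10Z", props: { app: "crm" } },
  { id: "A3", ci: "db01",   created: "2024-01-01T10:00:30Z", props: { app: "crm" } },
  { id: "A4", ci: "db01",   created: "2024-01-01T10:10:00Z", props: { app: "crm" } },
  { id: "A5", ci: "mail01", created: "2024-01-01T10:00:05Z", props: { app: "mail" } },
];

function groupKey(alert, groupByProperty) {
  // With a group-by property configured, alerts are bucketed by that CMDB
  // property first; otherwise the CI itself is the bucket.
  return groupByProperty ? String(alert.props[groupByProperty]) : alert.ci;
}

// Offline pass over past alerts (the "learner" role in this model).
function correlateAlerts(alerts, windowSeconds, groupByProperty) {
  const sorted = alerts.slice().sort((a, b) => Date.parse(a.created) - Date.parse(b.created));
  const open = new Map();   // key -> group currently accepting alerts
  const groups = [];
  for (const alert of sorted) {
    const key = groupKey(alert, groupByProperty);
    const t = Date.parse(alert.created);
    let g = open.get(key);
    // Start a new correlated group when this alert falls outside the time
    // window of the last alert seen for the same key.
    if (!g || t - g.last > windowSeconds * 1000) {
      g = { key, alertIds: [], first: t, last: t };
      groups.push(g);
      open.set(key, g);
    }
    g.alertIds.push(alert.id);
    g.last = t;
  }
  return groups;
}

// Real-time matching: find the existing group an incoming alert fits, if any.
function matchAlert(groups, alert, windowSeconds, groupByProperty) {
  const key = groupKey(alert, groupByProperty);
  const t = Date.parse(alert.created);
  return groups.find(g => g.key === key && Math.abs(t - g.last) <= windowSeconds * 1000) || null;
}
```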

RCA for discovered business services

If one of the CIs in a correlated alert group belongs to a discovered business service, Service Analytics applies root cause analysis (RCA) algorithms to identify the root cause CIs. For a discovered business service, a correlated alert group contains the alerts generated by the root cause CIs and by the CIs related to them.