Set a threshold to suppress alert generation

You can configure an event rule to suppress alert generation according to a threshold based on the value of event fields or number of occurrences, over a period of time.

Before you begin

Role required: evt_mgmt_admin, evt_mgmt_operator

About this task

Configure the properties in an event rule to suppress alert generation, create alerts, or close existing alerts according to the specified threshold.
Note: Threshold metric can be the name of any numeric field in the Additional information field of the event. Therefore, if cpu is an additional information field for a specific event, then cpu can be used as a Threshold metric.
Assume you want to generate an alert when CPU utilization reaches or exceeds 80%, with a period of 20 seconds between events. Create an event rule with these settings (an explanation for each value is given in parentheses):
  • Threshold metric: cpu (events regarding high CPU usage)
  • Create alert operator: => (operator to determine whether utilization of Threshold metric reaches or exceeds the specified value)
  • *: 80 (percent)
  • Occurs: 3 (three events occur where the cpu usage is equal to or above "=>" 80%)
  • Over: 20 (over twenty seconds between each event)
To demonstrate how the above settings are evaluated, assume that the following events are received:
First scenario
Reported elapsed time and the cpu usage for each event:
  • First event elapsed time 20, cpu=85
  • Second event elapsed time 40, cpu=80
  • Third event elapsed time 60, cpu=70

In this scenario, no alert is generated since one event has a CPU utilization that is under 80%.

Second scenario
Reported elapsed time and the cpu usage for each event:
  • First event elapsed time 20, cpu=85
  • Second event elapsed time 40, cpu=90
  • Third event elapsed time 70, cpu=95

In this scenario, an alert is not generated since the elapsed time in one event is over the specified 20 seconds.

Third scenario
Reported elapsed time and the cpu usage for each event:
  • First event elapsed time 20, cpu=85
  • Second event elapsed time 40, cpu=95
  • Third event elapsed time 60, cpu=90

In this scenario, an alert is generated since in all events the elapsed time is within the specified time and the cpu usage is over 80%.

Note: When configuring an event rule to create or close alerts according to a threshold, events that arrive at the same second, as determined by the time_of_event field, are skipped as they are considered to be duplicates.
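The following Python sketch is an added example, not the product's own code. It models the evaluation described in the three scenarios and the duplicate note above, so that a rule can be checked against sample events before it suppresses alerts in production. The function name, the operator table, and the reset behavior (a non-matching event or an over-long gap restarts the count) are assumptions.

```python
import operator

# Comparison operators; "=>" is the spelling used on this page (table is an assumption).
OPERATORS = {"=>": operator.ge, ">": operator.gt, "<": operator.lt, "=": operator.eq}


def evaluate(events, metric, op, value, occurs, over):
    """Return the time_of_event at which an alert is created, or None.

    events: list of (time_of_event_seconds, additional_info_dict) in arrival order.
    Assumption: a non-matching event, a missing metric, or a gap longer than
    `over` seconds restarts the run of matching events.
    """
    compare = OPERATORS[op]
    run = 0           # consecutive matching events so far
    last_time = None  # time_of_event of the last event that was not skipped
    for time_of_event, info in events:
        if time_of_event == last_time:
            continue  # same second: treated as a duplicate and skipped
        gap_ok = last_time is None or time_of_event - last_time <= over
        last_time = time_of_event
        if metric not in info or not compare(float(info[metric]), value):
            run = 0   # threshold not met: alert stays suppressed
            continue
        run = run + 1 if gap_ok else 1
        if run >= occurs:
            return time_of_event
    return None


# Rule settings from the page; events below are the page's scenarios.
RULE = dict(metric="cpu", op="=>", value=80, occurs=3, over=20)
FIRST = [(20, {"cpu": 85}), (40, {"cpu": 80}), (60, {"cpu": 70})]
SECOND = [(20, {"cpu": 85}), (40, {"cpu": 90}), (70, {"cpu": 95})]
THIRD = [(20, {"cpu": 85}), (40, {"cpu": 95}), (60, {"cpu": 90})]
# Constructed sample: the third event repeats second 40 and is skipped.
DUPLICATE = [(20, {"cpu": 85}), (40, {"cpu": 95}), (40, {"cpu": 90})]

if __name__ == "__main__":
    for name, events in [("first", FIRST), ("second", SECOND),
                         ("third", THIRD), ("duplicate", DUPLICATE)]:
        fired = evaluate(events, **RULE)
        print(name, "alert at", fired if fired is not None else "none (suppressed)")
```

The constructed duplicate case shows why bursts of events stamped with the same second do not count toward Occurs: a rule tuned on per-second sources can stay suppressed even though three events arrived.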

Procedure

  1. Navigate to Event Management > Rules > Event Rules.
  2. Create or open an event rule.
  3. In the simple or advanced view, select the Threshold check box and enter a Threshold metric value.
  4. To automatically open alerts, select a Create Alert Operator and configure the corresponding Occurs and Over fields.
  5. To automatically close alerts, select a Close Alert Operator and configure the corresponding Over fields.
  6. Fill in the remaining rule fields as necessary.
  7. Click Submit or Update.

Example

To create an alert when a specific event occurs 5 times in 10 minutes, in the Threshold tab, specify the following properties:
  1. Select the Active check box.
  2. In the Threshold metric field, specify the name of any additional information field that exists in the event. The value of the field is irrelevant.
  3. In the Create Alert Operator field, select Count.
  4. In the Occurs field, specify 5.
  5. In the Over field, specify 600 (10 * 60 seconds).
  6. Click Submit or Update.