Specify and manage pattern identifier attributes for alert aggregation

Service Analytics alert aggregation learns from alerts and then forms patterns based on a set of alert and CI attributes. You can specify which CI and alert attributes are used as the pattern identifier attributes for learning patterns, so that the resulting alert groups are meaningful in your environment.

About this task

The default attribute used for forming patterns is metric_name. Navigate to Service Analytics > Manage Pattern Identifier to view which pattern identifier attributes are currently in effect, to choose a different set of attributes to deploy, or to define a new set of pattern identifier attributes.

For the specified pattern identifier attributes to be effective in forming patterns, a sufficient number of alerts must have the respective attributes populated. Therefore, if you specify a new set of pattern identifier attributes, do the following to ensure meaningful analysis:
  • Create an event rule that populates the respective attributes.
  • If a large number of existing alerts do not have values for the new set of pattern identifier attributes, run the Service Analytics Attribute Populator for Historical Alerts job, which uses the appropriate event rule to populate attributes in historical alerts. Properties that originate from the CMDB CI through dot-walking are not populated.
  • Choose effective identifiers:
    • The set of pattern identifier attributes should not be too unique (for example, the date field is unique for every alert), because it will be impossible to identify any pattern.
    • The set of pattern identifier attributes should not be too common, because it will not be possible to create distinct groups.
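
One way to check a candidate attribute set against these criteria before deploying it, as an added example that is not ServiceNow code: it runs offline in Node.js over constructed alert records. Only metric_name comes from this page; the other field names and all thresholds are assumptions.

```javascript
// Constructed sample alerts. Only metric_name is named on this page;
// node, source and sys_created_on are assumed field names for illustration.
const sampleAlerts = [
  { metric_name: "cpu_load",  node: "web01", source: "monitorA", sys_created_on: "2024-01-01 10:00:01" },
  { metric_name: "cpu_load",  node: "web01", source: "monitorA", sys_created_on: "2024-01-01 10:00:07" },
  { metric_name: "cpu_load",  node: "web02", source: "monitorA", sys_created_on: "2024-01-01 10:01:13" },
  { metric_name: "disk_used", node: "db01",  source: "monitorA", sys_created_on: "2024-01-01 10:02:40" },
  { metric_name: "disk_used", node: "db01",  source: "monitorA", sys_created_on: "2024-01-01 10:03:02" },
  { metric_name: "cpu_load",  node: "web01", source: "monitorA", sys_created_on: "2024-01-01 10:04:55" },
  { metric_name: "",          node: "app01", source: "monitorA", sys_created_on: "2024-01-01 10:05:30" },
  { metric_name: "cpu_load",  node: "web02", source: "monitorA", sys_created_on: "2024-01-01 10:06:18" },
];

// Scores one candidate set of pattern identifier attributes.
// Thresholds are illustrative assumptions, not product defaults.
function evaluateAttributeSet(alerts, attrs, opts = {}) {
  const { minFill = 0.8, maxDistinctRatio = 0.5, maxTopShare = 0.7 } = opts;
  // An alert is usable only if every attribute in the set has a value.
  const populated = alerts.filter(a =>
    attrs.every(k => a[k] !== undefined && a[k] !== null && a[k] !== ""));
  const fillRate = alerts.length ? populated.length / alerts.length : 0;

  // Count alerts per distinct combination of attribute values.
  const counts = new Map();
  for (const a of populated) {
    const key = JSON.stringify(attrs.map(k => a[k]));
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const n = populated.length;
  const distinctRatio = n ? counts.size / n : 0;         // near 1: every alert is its own group
  const topShare = n ? Math.max(...counts.values()) / n : 0; // near 1: one group swallows everything

  let verdict = "usable";
  if (fillRate < minFill) verdict = "sparse";            // populate via event rule / historical job first
  else if (distinctRatio > maxDistinctRatio) verdict = "too unique";
  else if (topShare > maxTopShare) verdict = "too common";
  return { fillRate, distinctKeys: counts.size, distinctRatio, topShare, verdict };
}

for (const attrs of [["sys_created_on"], ["source"], ["metric_name", "node"]]) {
  console.log(attrs.join("+"), evaluateAttributeSet(sampleAlerts, attrs));
}
```

A "sparse" verdict corresponds to the case above where the event rule and the historical populator job need to run before the attribute set can produce meaningful patterns.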

Only one set of pattern identifier attributes can be active at a time. A new set of pattern identifier attributes is not implemented until you deploy it. When you deploy a new set of attributes, the set that is currently in effect becomes inactive. Subsequent queries use the active pattern identifier attributes to perform alert aggregation.

Procedure

  1. Navigate to Event Management and click Manage Pattern Identifier.
  2. On the SA Alert Aggregation Pattern Attributes page, click New.
  3. Click the Feature Identifier Attributes icon and, in the slush bucket, move attributes from the Available list to the Selected list. You can select the Configuration Item class and click the '+' sign to display and select its attributes.
  4. Click Submit.
  5. Optionally, activate the newly specified pattern identifier attributes by selecting the pattern identifier attributes that you want to activate and clicking Deploy.

What to do next

After specifying a new set of pattern identifier attributes, ensure that a matching event rule exists that populates the respective alert attributes. Also, run the Service Analytics Attribute Populator for Historical Alerts job to populate the respective attributes of historical alerts, if values are missing in existing alerts.