Create an alert correlation rule

Create an alert correlation rule to specify a primary alert and a related alert that is of secondary importance.

Before you begin

Role required: evt_mgmt_admin or evt_mgmt_operator

Procedure

  1. Navigate to Event Management > Rules > Correlation Rules.
  2. Click New.
  3. Fill in the form fields (see table).
  4. Click Submit.
    Field: Description
    Name: A descriptive name that identifies the correlation rule.
    Order: The priority for rule evaluation. Rules with lower order values are evaluated first. An alert is checked against every correlation rule, in this order, until a match is found.
    Description: A description of the rule.
    Active: Select to activate the rule.
    Advanced: Select to display the Script field, which lets you script the correlation instead of using the filter conditions.
    Primary Alert: The filter condition that identifies the primary alert, that is, the most important alert in a set of related alerts. Configure the filter (see Figure 1 for an example).
    Secondary Alert: The filter condition that identifies an alert that is related to the primary alert but is of lesser importance. Configure the filter (see Figure 1 for an example).
    Relationship Type: The type of relationship required between the primary and secondary alert:
    • None: The relationship between the primary and secondary alerts is ignored.
    • Same CI: Both alerts must be related to the same CI. If the CI field is blank, the alerts must have the same Node value instead.
    • Parent to Child: The CIs of the primary and secondary alerts have a parent-child relationship in the CMDB (recorded in the CI Relationships table [cmdb_rel_ci]).
    • Child to Parent: The CIs of the primary and secondary alerts have a child-parent relationship in the CMDB (recorded in the CI Relationships table [cmdb_rel_ci]).
    Time Difference in Minutes: The maximum number of minutes between the primary and secondary event for the pair to match this rule.
    Note: The value for this entry cannot exceed 1440 minutes (one day).
    Script: A custom script that you can modify to return a JSON string naming the primary and secondary alerts. Select Advanced to display this field. currentAlert is a GlideRecord of the alert that was opened or reopened and matched the filter. The returned JSON can contain both a PRIMARY and a SECONDARY array. In the following example script, the current alert is made a secondary alert of every other alert in the Alerts table:
    (function findCorrelatedAlerts(currentAlert) {
       // Result object: the PRIMARY array lists alerts that the current alert is
       // secondary to. A SECONDARY array can be returned alongside it.
       var res = {
          'PRIMARY': []
       };
       // Query the Alerts table for every alert other than the current one.
       var gr = new GlideRecord('em_alert');
       gr.addQuery('message_key', '!=', currentAlert.getValue('message_key'));
       gr.query();
       while (gr.next()) {
          // Every other alert becomes a primary of the current alert.
          res['PRIMARY'].push(gr.getUniqueValue());
       }
       // The rule expects the result as a JSON string.
       return JSON.stringify(res);
    })(currentAlert);
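A fuller Script-field example, added here and not part of the original page, returns both PRIMARY and SECONDARY arrays: it applies the Same CI match described above (falling back to Node when the CI is blank), drops alerts outside the time-difference window, and makes earlier alerts primaries of the current alert and later ones its secondaries. On the platform, `currentAlert` and `GlideRecord` are provided; the small `GlideRecord` stand-in, the `alertById` and `toMillis` helpers, the 30-minute window and the `sys_created_on` timestamp field are assumptions made so the script runs offline against constructed sample rows.

```javascript
var WINDOW_MINUTES = 30;                 // assumed rule value; the form caps it at 1440
var MAX_WINDOW_MINUTES = 1440;

// Constructed sample rows standing in for the Alerts table [em_alert].
var SAMPLE_EM_ALERT = [
  { sys_id: 'a1', message_key: 'k1', cmdb_ci: 'ci-db01', node: 'db01', sys_created_on: '2024-05-01 10:00:00' },
  { sys_id: 'a2', message_key: 'k2', cmdb_ci: 'ci-db01', node: 'db01', sys_created_on: '2024-05-01 10:10:00' },
  { sys_id: 'a3', message_key: 'k3', cmdb_ci: '',        node: 'db01', sys_created_on: '2024-05-01 10:15:00' },
  { sys_id: 'a5', message_key: 'k5', cmdb_ci: 'ci-db01', node: 'db01', sys_created_on: '2024-05-01 12:00:00' }
];

// Minimal offline stand-in for the platform's GlideRecord (test double, not the real class).
function GlideRecord(table) {
  this.rows = table === 'em_alert' ? SAMPLE_EM_ALERT : [];
  this.filters = []; this.hits = []; this.i = -1;
}
GlideRecord.prototype.addQuery = function (field, op, value) { this.filters.push([field, op, value]); };
GlideRecord.prototype.query = function () {
  this.hits = this.rows.filter(r => this.filters.every(f => f[1] === '!=' ? r[f[0]] !== f[2] : r[f[0]] === f[2]));
  this.i = -1;
};
GlideRecord.prototype.next = function () { return ++this.i < this.hits.length; };
GlideRecord.prototype.getValue = function (field) { return this.hits[this.i][field]; };
GlideRecord.prototype.getUniqueValue = function () { return this.hits[this.i].sys_id; };

function alertById(sysId) {   // helper: load one alert as a GlideRecord (assumed for this example)
  var gr = new GlideRecord('em_alert');
  gr.addQuery('sys_id', '=', sysId); gr.query(); gr.next();
  return gr;
}

function toMillis(dt) { return Date.parse(dt.replace(' ', 'T') + 'Z'); }   // 'YYYY-MM-DD HH:MM:SS' read as UTC

// What the rule's Script field would contain.
function findCorrelatedAlerts(currentAlert) {
  var res = { 'PRIMARY': [], 'SECONDARY': [] };
  var windowMs = Math.min(WINDOW_MINUTES, MAX_WINDOW_MINUTES) * 60 * 1000;
  var ci = currentAlert.getValue('cmdb_ci');
  var currentTime = toMillis(currentAlert.getValue('sys_created_on'));
  var gr = new GlideRecord('em_alert');
  gr.addQuery('message_key', '!=', currentAlert.getValue('message_key'));   // never correlate an alert with itself
  if (ci) gr.addQuery('cmdb_ci', '=', ci);                                   // Same CI ...
  else gr.addQuery('node', '=', currentAlert.getValue('node'));              // ... or same Node when the CI is blank
  gr.query();
  while (gr.next()) {
    var delta = toMillis(gr.getValue('sys_created_on')) - currentTime;
    if (Math.abs(delta) > windowMs) continue;                                // outside the time difference
    // Earlier alerts become primaries of the current alert; later alerts become its secondaries.
    (delta <= 0 ? res['PRIMARY'] : res['SECONDARY']).push(gr.getUniqueValue());
  }
  return JSON.stringify(res);
}
```

With the sample rows, alert a1 gets a2 as a secondary (a5 is 120 minutes away and is skipped), while a3, whose CI is blank, matches on Node and gets a1 and a2 as primaries.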
    
    Figure 1. An example alert correlation rule filter
    If you delete a correlation rule, the existing correlation groupings on the alert console are not removed.