Set a threshold to suppress alert generation

You can configure an event rule to suppress alert generation according to a threshold based on the value of event fields or number of occurrences, over a period of time.

Before you begin

Role required: evt_mgmt_admin, evt_mgmt_operator

About this task

Configure the properties in an event rule to suppress alert generation, create alerts, or close existing alerts according to the specified threshold.
Note: Field Name can be the name of any numeric field in the Additional information field of the event. Therefore, if cpu is an additional information field for a specific event, then cpu can be used as a Field Name.
Assume that you want to generate an alert when CPU utilization reaches or exceeds 80% where there is a period of 20 seconds between events. Create an event rule with these settings (an explanation for each value is given in parentheses):
  • Create Alert Operator: = > (operator to determine whether utilization of Field Name reaches or exceeds the specified value)
  • Field Name: cpu (events regarding high CPU usage)
  • Threshold Value: 80 (percent)
  • Occurs: 3 (three events occur where the cpu usage is equal to or above "=>" 80%)
  • Over(Seconds): 20 (over 20 seconds between each event)
To demonstrate how the above settings are evaluated, assume that the following events are received:
First scenario
Reported elapsed time and the cpu usage for each event:
  • First event: elapsed time 20, cpu=85
  • Second event: elapsed time 40, cpu=80
  • Third event: elapsed time 60, cpu=70

In this scenario, no alert is generated since one event has a CPU utilization that is under 80%.

Second scenario
Reported elapsed time and the cpu usage for each event:
  • First event: elapsed time 20, cpu=85
  • Second event: elapsed time 40, cpu=90
  • Third event: elapsed time 70, cpu=95

In this scenario, an alert is not generated since the elapsed time in one event is over the specified 20 seconds.

Third scenario
Reported elapsed time and the cpu usage for each event:
  • First event: elapsed time 20, cpu=85
  • Second event: elapsed time 40, cpu=95
  • Third event: elapsed time 60, cpu=90

In this scenario, an alert is generated since in all events the elapsed time is within the specified time and the cpu usage is over 80%.

Note: When configuring an event rule to create or close alerts according to a threshold, events that arrive at the same second, as determined by the time_of_event field, are skipped. This is because they are considered to be duplicates.
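The three scenarios and the same-second rule above, modeled as an added Python example (not ServiceNow code). The names ThresholdRule and alert_generated are hypothetical, and restarting the count after a below-threshold event or an over-long gap is an assumption drawn from the scenarios.

```python
from dataclasses import dataclass

@dataclass
class ThresholdRule:          # hypothetical name; mirrors the Threshold settings above
    field_name: str           # Field Name: numeric field in Additional information
    threshold_value: float    # Threshold Value
    occurs: int               # Occurs
    over_seconds: int         # Over(Seconds): allowed gap between consecutive events

def alert_generated(rule, events):
    """Evaluate the "reaches or exceeds" operator over events in arrival order.

    events: list of (time_of_event in seconds, additional-information dict).
    """
    streak = 0         # consecutive qualifying events so far
    prev_time = None   # time_of_event of the last event that was not skipped
    for time_of_event, info in events:
        if time_of_event == prev_time:
            continue   # same second as the previous event: skipped as a duplicate
        gap = None if prev_time is None else time_of_event - prev_time
        prev_time = time_of_event
        value = info.get(rule.field_name)
        if not isinstance(value, (int, float)) or value < rule.threshold_value:
            streak = 0  # assumption: a missing or below-threshold value restarts the count
            continue
        if streak and gap > rule.over_seconds:
            streak = 0  # assumption: too long since the last event, count from this one
        streak += 1
        if streak >= rule.occurs:
            return True
    return False

CPU_RULE = ThresholdRule(field_name="cpu", threshold_value=80, occurs=3, over_seconds=20)

# Constructed inputs: the three scenarios from the text plus two same-second cases.
SCENARIOS = {
    "first": [(20, {"cpu": 85}), (40, {"cpu": 80}), (60, {"cpu": 70})],
    "second": [(20, {"cpu": 85}), (40, {"cpu": 90}), (70, {"cpu": 95})],
    "third": [(20, {"cpu": 85}), (40, {"cpu": 95}), (60, {"cpu": 90})],
    "same_second_burst": [(20, {"cpu": 85}), (20, {"cpu": 90}), (20, {"cpu": 95})],
    "third_with_duplicate": [(20, {"cpu": 85}), (40, {"cpu": 95}),
                             (40, {"cpu": 10}), (60, {"cpu": 90})],
}

if __name__ == "__main__":
    for name, events in SCENARIOS.items():
        print(f"{name}: alert generated = {alert_generated(CPU_RULE, events)}")
```

The same_second_burst case shows the practical consequence of the duplicate rule: three qualifying events stamped with the same time_of_event count as one, so no alert is raised.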

Procedure

  1. Navigate to Event Management > Rules > Event Rules.
  2. Create or open an event rule.
  3. Click Threshold.
  4. Select Active. If Active is not selected, the fields in this screen are read-only.
  5. In the Create Alert Operator field, select an operator.
    • If you select Count, specify the corresponding Occurs and Over(Seconds) fields.
    • If you select any operator other than Count, the Threshold Metric and Value fields appear. Specify the required values in these fields.
      Note: The value of the Threshold Value property can be the name of any field in the Additional information of the event. For example, if cpu is a field in Additional information for a specific event, then cpu can be used as the Threshold Value.
    • In the Occurs field, specify the required value.
    • In the Over(Seconds) field, specify the required period.
  6. To automatically close alerts, in the Close Alert Operator field, select an operator. Extra fields appear according to your selection.
    • If Count is specified as the operator for the Create Alert Operator field, then the selection in the Close Alert Operator field is either None or Idle. Specify the required value.
    • If you select Idle, then configure the Over(Seconds) field.
    • In the Close Alert Operator field, if you select an operator other than Idle, then configure the Value, Occurs, and Over(Seconds) fields.
  7. Click Save or Submit.
    Note: When configuring an event rule to create or close alerts according to a threshold, events that arrive at the same second are skipped. This is because they are considered to be duplicates. Use the time_of_event field to determine which events arrive at the same second.
To create an alert when a specific event occurs 5 times in 10 minutes, in Threshold:
  1. In the Threshold Metric field, specify the name of any field that exists in the Additional information field in the event. The value of the field is irrelevant.
  2. In the Create Alert Operator field, select Count.
  3. In the Occurs field, specify 5.
  4. In the Over field, specify 600 (10 * 60 seconds).
  5. Click Save or Submit.

To create an alert when a specific event occurs 5 times in 10 minutes with a metric value greater than 55, assume that “metric_value” is a field in the Additional information of the event and specify:

  1. Select the Active check box.
  2. In the Create Alert Operator field, select >=.
  3. In the Threshold Metric field, specify metric_value.
  4. In the Value field, specify 55.
  5. In the Occurs field, specify 5.
  6. In the Over field, specify 600 (10 * 60 seconds).
  7. Click Save or Submit.