CMDB alert groups

Event Management alert aggregation and root cause analysis (RCA) groups alerts by using different methods of correlation. For CIs without historical data, alerts are correlated based on those CIs' relationships in the CMDB. CMDB alert groups are displayed in the Alert Console and in the Event Management dashboard.

To correlate alerts into groups, alert aggregation and RCA learns from historical alert data, and then forms alert patterns. Alert aggregation and RCA then attempts to match new alerts with these patterns to correlate alerts and create alert groups. However, in some situations, such as a new implementation or a new set of CIs, there is no historical data to learn from. In these situations, alert aggregation and RCA can automatically correlate alerts based on CI relationships. This correlation is based on hosting rules, containment rules, and suggested relationships. For example, the alerts for the CIs in the following relationships can be correlated into a CMDB alert group:
  • A server hosting a computer
  • Processes that are running on a specific server
Note: The hosting and containment relationships that are used for CMDB-based grouping are used only if the number of connections between the CIs is small. If two CIs are related through many connections, the connection is considered to be too weak for CMDB-based grouping.

RCA for CMDB alert groups

If the Enable CMDB Correlation for Alert Aggregation property is set to true and CMDB alert groups are forming, then alert aggregation and RCA applies RCA to identify a root cause alert within the CMDB alert group. Identified root cause alerts are then displayed with a star in the Group Timeline view in the Alert Console. If a root cause alert is identified for a CMDB alert group, then that alert is designated as the primary alert of the group.

Properties associated with CMDB alert groups

  • The Enable CMDB Correlation for Alert Aggregation (sa_analytics.agg.query_cmdb_correlation_enabled) property must be enabled to allow alert aggregation and RCA to automatically use CI relationships to correlate alerts and form CMDB alert groups.
  • If the Enable Suggested Relations for CMDB Correlation (sa_analytics.agg.query_cmdb_suggested_relationship_enabled) property is enabled, then any suggested relationships defined in the system are used when forming CMDB alert groups.
  • The CMDB Groups: Relationship level (sa_analytics.agg.query_cmdb_graph_walk_nodes) property sets the number of levels to use for dot-walking. This setting impacts the application of CMDB hosting rules, containment rules, and endpoints to CMDB group formation during alert aggregation.
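
The following added example (not ServiceNow code, and not part of the original documentation) models how a relationship-level limit affects which alerts fall into the same group. It assumes a simplified rule: two alerts are grouped when their CIs are within maxLevels relationship hops of each other. The CI names, alert IDs, and function names are constructed for illustration.

```javascript
// Simplified model of relationship-based alert grouping (not ServiceNow code).
// Constructed sample data: CI pairs linked by hosting/containment relationships.
const relationships = [
  ['esx-host-01', 'vm-app-01'], ['vm-app-01', 'proc-tomcat'],
  ['esx-host-01', 'vm-db-01'], ['vm-db-01', 'proc-postgres'],
  ['rack-07', 'esx-host-02'],
];
const alerts = [
  { id: 'A1', ci: 'proc-tomcat' }, { id: 'A2', ci: 'vm-app-01' },
  { id: 'A3', ci: 'proc-postgres' }, { id: 'A4', ci: 'esx-host-02' },
];

// Undirected adjacency map of the relationship graph.
function buildGraph(rels) {
  const g = new Map();
  const link = (a, b) => g.set(a, (g.get(a) || new Set()).add(b));
  for (const [a, b] of rels) { link(a, b); link(b, a); }
  return g;
}

// CIs reachable from `start` in at most `maxLevels` relationship hops (BFS).
function withinLevels(g, start, maxLevels) {
  const seen = new Set([start]);
  let frontier = [start];
  for (let level = 0; level < maxLevels; level++) {
    const next = [];
    for (const ci of frontier)
      for (const n of g.get(ci) || [])
        if (!seen.has(n)) { seen.add(n); next.push(n); }
    frontier = next;
  }
  return seen;
}
// Merge alerts whose CIs are within maxLevels hops (assumed rule), via union-find.
function groupAlerts(alerts, rels, maxLevels) {
  const g = buildGraph(rels);
  const parent = alerts.map((_, i) => i);
  const find = i => (parent[i] === i ? i : (parent[i] = find(parent[i])));
  alerts.forEach((a, i) => {
    const near = withinLevels(g, a.ci, maxLevels);
    alerts.forEach((b, j) => { if (j > i && near.has(b.ci)) parent[find(j)] = find(i); });
  });
  const groups = new Map();
  alerts.forEach((a, i) => {
    const r = find(i);
    groups.set(r, (groups.get(r) || []).concat(a.id));
  });
  return [...groups.values()];
}
```

With this sample data, a limit of 1 or 2 levels keeps the database process alert (A3) separate from the application alerts, while a limit of 3 merges it into their group because the two virtual machines share a host.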