Create anomaly alert promotion rule

Anomaly alerts are generated by Operational Intelligence to indicate deviation from projected metric values for monitored CIs. You can create an anomaly alert promotion rule to generate a regular Event Management alert that is based on an anomaly alert.

Before you begin

Role required: evt_mgmt_admin

About this task

Anomaly alerts are separate from regular Event Management alerts and they do not appear in the Alert Console. However, anomaly alerts that were promoted to regular alerts do appear in the Alert Console.

You can create an anomaly alert promotion rule blacklist to exclude the promotion of alerts for specific CIs that would otherwise be promoted by an anomaly alert promotion rule.

Procedure

  1. Navigate to Operational Intelligence > Anomaly Alerts.
  2. Right-click an alert in the Alert Anomalies list and select Promote Anomaly Alert.
  3. Fill in the fields on the Alert promotion rule form.
    Field: Description
    Name: Descriptive name for the anomaly alert promotion rule.
    Promotion type: A filter that defines the scope of anomaly alerts to which the rule applies. Filtering anomaly alerts can be based on:
      • Metric name: The value of Source_metric_type in the Additional_info field in the anomaly alert.
      • CI type: Type of the configuration item in the alert.
      • Configuration item: Configuration item in the alert.
      • Promotion parameter: The field in Additional Info of the anomaly alert that is specified in Field name for anomaly promotion in the Metric Registration table.
    Source: Data source that is monitoring the metric type.
    Metric name: The raw metric to filter anomaly alerts by. This field appears only when Promotion type is set to Metric name.
    CI type: The CI type to filter anomaly alerts by. This field appears only when Promotion type is set to CI type.
    Configuration item: The configuration item to filter anomaly alerts by. This field appears only when Promotion type is set to Configuration item.
    Regular expression for the promotion parameter field: The regex, applicable to the specified source, to filter anomaly alerts by. This field appears only when Promotion type is set to Promotion parameter.
    Alert: The anomaly alert that was used to initiate the creation of this rule.
    Active: Select to enable the rule.
    Minimal score: A threshold value between 0 and 10. An anomaly alert is promoted only if its anomaly score is equal to or greater than this value.

    The Additional information field in an anomaly alert form contains the alert's anomaly_score value.

  4. Click Submit.

Result

After the anomaly alert promotion rule runs for an event that matches the rule criteria, a new Event Management alert is created that appears in the Event Management dashboard. Also, the anomaly alert that the new Event Management alert is based on is updated with details about the promotion. To examine these details:
  1. Navigate to Operational Intelligence > Anomaly Alerts.
  2. Double-click an alert that has been promoted.
    • Click Processing Notes to display processing details.
    • Click History to display details about the alert promotion.

What to do next

Add a blacklist item to prevent the creation of a new Event Management alert that would otherwise be created by an anomaly alert promotion rule. Right-click an anomaly alert and select Blacklist CI.
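
The following added example is not ServiceNow code. It is a small JavaScript model of how the rule fields described above (Active, Promotion type, Minimal score) and the CI blacklist combine to decide whether an anomaly alert is promoted. The object shapes, property names such as ci, ciType, additionalInfo and paramField, the JSON encoding of the additional information, and substring regex matching are all assumptions made for illustration.

```javascript
// Illustrative model, not ServiceNow code. Property names on alert and rule
// (ci, ciType, additionalInfo, promotionType, paramField, ...) are assumptions.
function shouldPromote(alert, rule, blacklistedCis) {
  if (!rule.active) return { promote: false, reason: "rule inactive" };
  if (blacklistedCis.has(alert.ci)) return { promote: false, reason: "CI blacklisted" };

  let info;
  try {
    info = JSON.parse(alert.additionalInfo); // assumed to hold a JSON object
  } catch (e) {
    info = null;
  }
  if (info === null || typeof info !== "object") {
    return { promote: false, reason: "additional info unreadable" };
  }

  // A missing or non-numeric anomaly_score never meets the threshold.
  const score = parseFloat(info.anomaly_score);
  if (!Number.isFinite(score) || score < rule.minimalScore) {
    return { promote: false, reason: "below minimal score" };
  }

  let inScope = false;
  switch (rule.promotionType) {
    case "metric_name": inScope = info.Source_metric_type === rule.metricName; break;
    case "ci_type": inScope = alert.ciType === rule.ciType; break;
    case "configuration_item": inScope = alert.ci === rule.ci; break;
    case "promotion_parameter": {
      // Substring (search) matching is assumed; anchor the pattern for exact matches.
      const value = info[rule.paramField];
      inScope = typeof value === "string" && new RegExp(rule.paramRegex).test(value);
      break;
    }
  }
  return inScope ? { promote: true, reason: "matched" } : { promote: false, reason: "out of rule scope" };
}

// Constructed sample data.
const rule = { active: true, promotionType: "metric_name", metricName: "cpu_util", minimalScore: 7 };
const blacklist = new Set(["db01"]);
const mk = (ci, info) => ({ ci, ciType: "server", additionalInfo: JSON.stringify(info) });
const samples = [
  mk("web01", { Source_metric_type: "cpu_util", anomaly_score: 8.2 }),
  mk("web02", { Source_metric_type: "cpu_util", anomaly_score: 6.9 }),
  mk("db01", { Source_metric_type: "cpu_util", anomaly_score: 9.5 }),
  mk("web03", { Source_metric_type: "cpu_util" }),
];
for (const a of samples) console.log(a.ci, shouldPromote(a, rule, blacklist));
```

In this model a high-scoring alert on a blacklisted CI is still suppressed, and an alert whose additional information lacks anomaly_score is never promoted, which are the two cases worth checking when a rule appears not to fire.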