Create an alert correlation rule

Create an alert correlation rule to specify a primary alert and a related alert that is of secondary importance.

Before you begin

Role required: evt_mgmt_admin
Note: If you delete an alert correlation rule, the existing correlation groupings on the alert console are not removed.

Procedure

  1. Navigate to Event Management > Rules > Alert Correlation Rules.
  2. Click New.
  3. Fill in the form fields (see table).
  4. Click Submit.
    Field: Description

    Name: A descriptive name to identify the correlation rule.

    Order: The priority for rule evaluation. Rules with lower-order values are given priority. An alert is checked against every alert action rule until a match is found.

    Description: A description of the rule.

    Active: Select to activate the rule.

    Advanced: Select to display the script field. This option enables you to script the event correlations.

    Primary Alert: The filter condition to identify the alert that is the primary alert, or most important alert, in a set of related alerts. Configure the filter. See the filter.
    This field does not appear when Advanced is selected.

    Secondary Alert: The filter condition to identify the alert that is related to the primary alert but is of lesser importance. Configure the filter. See the filter.
    This field does not appear when Advanced is selected.

    Filter: The filter condition to identify the alert on which the script is run.
    Filter is available only when Advanced is selected.

    Relationship Type: Specify the type of relationship between the primary and secondary alert:
    • No Relationship: Ignore the relationship when looking for a match.
    • Same CI or Node: Relate both alerts with the same CI. If the CI field is blank, then the alerts must have the same Node value.
    • Primary is Parent: The relationship is in the direction of parent (primary) to child, as described in the CI Relationship Types table [cmdb_rel_ci].
    • Primary is Child: The relationship is in the opposite direction, child (primary) to parent, as described in the CI Relationships table [cmdb_rel_ci].
    This field does not appear when Advanced is selected.

    Time Difference in Minutes: The time window, in minutes, within which the primary and secondary events must occur to match this rule.
    Note: The value for this entry cannot exceed 1440 minutes (one day).
    This field does not appear when Advanced is selected.

    Script: Custom script that you can modify to return a JSON string that specifies the primary and secondary alerts.
    Select Advanced to display this field.

     /* The function needs to return a JSON string: {correlationType:[correlatedAlerts]}
      For example: if your filter matches the alert, set the alert as the primary alert
      and set alerts 1, 2 and 3 each as secondary alerts.

      You can use both multiple primary alerts and multiple secondary alerts.
      The correlationType can be PRIMARY or SECONDARY, and the alert IDs must be in an array.
      currentAlert is the GlideRecord of the alert on which the rule runs.
      The system supports only one primary per alert, so:
        Do not correlate more than one alert under the PRIMARY array.
        Do not correlate an alert that already has a primary under the SECONDARY array.
      The system supports open alerts only, so do not correlate alerts that have been
      closed under either one of the arrays.
      */

     (function findCorrelatedAlerts(currentAlert){

           var result = {};   // Insert your code here
           // Placeholder result: the current alert is primary for these three alert IDs
           result = {'SECONDARY':['alertID1','alertID2','alertID3']};
           return JSON.stringify(result);

     })(currentAlert);

    Relationship: Description of the relationship between primary and secondary, for example, Allocated from::Allocated to or Allocated to::Allocated from.
    This field displays only if either Primary is Parent or Primary is Child is selected for the Relationship Type.
    This field does not appear when Advanced is selected.
    Figure 1. An example alert correlation rule filter
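The constraints in the Script comment (open alerts only, no secondary that already has a primary) combined with the Same CI or Node relationship and the 1440-minute cap, as an added example that is not part of the original page or the product's own code. It runs in plain JavaScript over constructed alert objects instead of GlideRecord; the field names, the sameCiOrNode helper and the empty result for a closed alert are assumptions.

```javascript
// Added example. Alert fields (id, ci, node, state, parent, createdMin) are an
// assumed shape for this sketch, not the platform's alert table schema.
const MAX_WINDOW_MIN = 1440; // the form caps Time Difference in Minutes at one day

// Constructed sample alerts; createdMin is minutes since an arbitrary start.
const sampleAlerts = [
  { id: 'A1', ci: 'db01', node: 'db01', state: 'Open', parent: null, createdMin: 100 },
  { id: 'A2', ci: 'db01', node: 'db01', state: 'Open', parent: null, createdMin: 110 },
  { id: 'A3', ci: 'db01', node: 'db01', state: 'Closed', parent: null, createdMin: 112 },
  { id: 'A4', ci: 'db01', node: 'db01', state: 'Open', parent: 'A9', createdMin: 115 },
  { id: 'A5', ci: '', node: 'web02', state: 'Open', parent: null, createdMin: 118 },
  { id: 'A6', ci: 'db01', node: 'db01', state: 'Open', parent: null, createdMin: 400 },
];

// Same CI or Node: match on CI; if either CI is blank, match on Node instead
// (one reading of the rule text, labelled here as an assumption).
function sameCiOrNode(a, b) {
  if (a.ci && b.ci) return a.ci === b.ci;
  return Boolean(a.node) && a.node === b.node;
}

// Returns the JSON string the Script field expects, with currentAlert as primary.
function findCorrelatedAlerts(currentAlert, candidates, windowMin) {
  if (!(windowMin > 0 && windowMin <= MAX_WINDOW_MIN)) {
    throw new RangeError('time difference must be 1..' + MAX_WINDOW_MIN + ' minutes');
  }
  // Open alerts only: a closed current alert correlates nothing (assumed no-op).
  if (currentAlert.state === 'Closed') return JSON.stringify({});
  const secondary = candidates
    .filter((a) => a.id !== currentAlert.id)
    .filter((a) => a.state !== 'Closed') // never correlate closed alerts
    .filter((a) => !a.parent)            // already has a primary: leave it alone
    .filter((a) => sameCiOrNode(currentAlert, a))
    .filter((a) => Math.abs(a.createdMin - currentAlert.createdMin) <= windowMin)
    .map((a) => a.id);
  return JSON.stringify({ SECONDARY: secondary });
}

console.log(findCorrelatedAlerts(sampleAlerts[0], sampleAlerts, 30));
```

In a real rule the same filters would be expressed as query conditions on the alert table rather than array filters.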