Alerting rules evaluation

The scope of an alerting profile is defined by

  • The management zone.
  • Severity rules.
  • Event filters.

These conditions are combined by the AND logic. An event must fulfill all conditions to trigger a notification based on the profile.

Management zone

The management zone filter reduces the amount of data the alerting profile evaluates. Instead of checking all the data your environment generates, you can focus on just the parts coming from the specified management zone.

By default a new alerting profile uses All management zones, which means that no filter is applied. In most cases you should apply the management zone filter to reduce the profile scope to the scope of your teams' responsibility. Keep in mind that management zones can overlap. If a problem is detected on a service that is defined within multiple management zones, multiple filters will be applied.

Severity rules

Severity rules filter events based on their severity level. For each alerting profile, you can specify up to 20 severity rules. These rules are combined by the OR logic. An event fulfilling any of the rules to triggers a notification based on the profile.

You can use the following criteria:

  • Severity level.
  • How long the problem is open before an alert is sent out—this enables you to avoid alerts for low-severity problems that don't affect customer experience and therefore don't require immediate attention.
  • Optional Monitoring entities that have any or all of the specified tags

Rule criteria are combined by the AND logic. All of them must be fulfilled for the rule to be invoked.

Event filters

Event rules filter events based on their properties. For each alerting profile, you can specify up to 20 event rules. Particularly for auto-remediation use cases, it’s helpful to trigger specific actions based on detailed information that’s captured during abnormal situations, for example, triggering alerts in cases where problems are related to process crashes.

You can use the following criteria:

  • Predefined events Event type
  • Custom events Title and description of the event

Each of criteria can be inverted by using the negate option. For example, it turns the begins with criterion into does not begin with.

The rules are combined by the following logic:

  1. All rules that contain negated criteria are grouped by the AND logic.
  2. All other rules are grouped by the OR logic.
  3. These two groups (negated and non-negated) are grouped by the AND logic.

Event filter grouping