
Event log monitoring - suppress multiple occurrences

In my environment we have Windows event log monitoring in place for disk timeout events (warning ID 153).

We also have automation in place that creates an incident ticket when an alert is generated (script event action).

Challenge: usually when one disk timeout event occurs we get a lot of them (repeated occurrences of the same event).

In this scenario we want only one alert/ticket created, not a whole bunch of them.

Looking for any thoughts on the best way to suppress multiple occurrences of alerting / alert actions for the same event ID.

Thanks.

  • I think I may have answered my own question. After discussing with team members and doing some research, the answer looks like the following:

    • the Windows event log monitor (component) parses the event log looking for entries that match the configured criteria
    • when the component finds matching data, the component goes into critical status (if configured for statistic > 0)
    • the state change event triggers an alert. By default the alert will reset when the underlying condition is no longer true.
    • in the scenario with multiple, regular disk timeout alerts the component monitor will never go back to 'green', meaning that the alert will never reset
    • as long as the original alert never resets, no new alert will be generated for the same condition.

    Anyone from the community feel free to question or comment - let me know if I'm on the right track.
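
The alert behaviour described in the answer above, as an added simulation that is not part of the original thread or of any monitoring product: a polling loop over constructed event log entries in which a component goes critical while matching ID 153 entries fall inside a look-back window, and a ticket is raised only on the green-to-critical transition. The event data, the poll interval and the window lengths are assumptions chosen to show both outcomes: a window shorter than the gap between bursts lets the alert reset and re-alert, while a window longer than that gap means one ticket only.

```python
from datetime import datetime, timedelta

# Constructed sample event log entries (timestamp, event ID, source); not real data.
# Event ID 153 is the disk timeout warning discussed in the thread.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 10, 0, 0), 153, "disk"),
    (datetime(2024, 1, 1, 10, 0, 5), 153, "disk"),
    (datetime(2024, 1, 1, 10, 0, 9), 153, "disk"),
    (datetime(2024, 1, 1, 10, 1, 0), 7036, "Service Control Manager"),  # unrelated entry
    (datetime(2024, 1, 1, 10, 1, 30), 153, "disk"),
    (datetime(2024, 1, 1, 11, 0, 0), 153, "disk"),  # recurrence after a quiet hour
]
POLL = timedelta(minutes=1)          # assumed polling interval of the component monitor
END = datetime(2024, 1, 1, 12, 0, 0)  # end of the simulated polling period


def per_event_tickets(events, event_id=153):
    """Naive approach: one ticket per matching entry (what the thread wants to avoid)."""
    return [ts.strftime("%H:%M:%S") for ts, eid, _ in events if eid == event_id]


def matching_count(events, now, window, event_id=153):
    """Entries for event_id written inside the look-back window ending at 'now'."""
    return sum(1 for ts, eid, _ in events if eid == event_id and now - window < ts <= now)


def simulate(events, window, poll=POLL, end=END, event_id=153):
    """Poll the log; the component is critical while matching_count > 0.

    A ticket is raised only on the green -> critical transition. While the
    component stays critical the alert never resets, so no further tickets
    are created. Returns the ticket times as HH:MM strings.
    """
    tickets, critical = [], False
    now = min(ts for ts, _, _ in events)
    while now <= end:
        is_critical = matching_count(events, now, window, event_id) > 0
        if is_critical and not critical:
            tickets.append(now.strftime("%H:%M"))
        critical = is_critical  # alert resets on its own once the condition clears
        now += poll
    return tickets


def run_with_reset():
    """5-minute window: the alert resets during the quiet hour, so 11:00 re-alerts."""
    return simulate(SAMPLE_EVENTS, window=timedelta(minutes=5))


def run_never_reset():
    """Window longer than the gap between bursts: never goes green, one ticket only."""
    return simulate(SAMPLE_EVENTS, window=timedelta(hours=24))
```

The trade-off visible here is that the suppression depends on the component staying critical: whatever window or statistic keeps it red between bursts also hides a genuinely new occurrence until the condition first clears.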

