0 Replies Latest reply on Mar 11, 2013 11:26 AM by Dave Alger

    Best Practices for Email Alert Sources

    Dave Alger

      Alert Central attempts to solve a fairly difficult problem of being able to ignore email alerts that are not alarming to your company while routing email alerts to the appropriate person(s) that are alarming to your company.

      The approach taken by Alert Central to solve this problem was to provide a very powerful rule builder / email parsing engine so that we as a community have the tools to solve it together.


      As one of the core developers on Alert Central, I plan to offer some more technical information (such as Best Practice documents) that should help us all get off on the right foot.


      Here are a few pointers to help get you started with Creating New Email Alert Sources:


      • Order Matters - Email Alert Sources are processed in the order they are listed on the "Configure Email Alert Sources" settings page.  This processing order can be used to your advantage.  Here's one simple example:  if you know that 80% of your alerts are going to be sent from commvaultsystem@yourhost.com then configure an email source at the top of the list called "CommVault" to match on that From address and then route those first.  Otherwise you could run into a situation where most of your alert emails are trying to be matched to all the other sources in the list and failing until they finally get to the bottom of the list and match the "CommVault" source.  Ideally you would want most of your alert emails to match the first source in the list, the second most common alert to match the second source in the list, etc.
      • Match First / Route Later - As a general rule of thumb, use the fewest number of matching rules possible that are needed to accurately identify an email.  A single matching rule should get the job done in most cases. (i.e. if the From address is mycommvault@myserver.com then you can safely identify it / match it to your CommVault Alert Source).  Complex group routing rules can also be configured which are also processed in order from top to bottom so your first group routing rule should try and match the majority of the alerts from this source, the second routing rule should match the second most likely alert, etc.
      • Email Alert Sources can be exported - If you come up with a really efficient regex that can be used to identify an email as being from a certain alerting system then it can be exported as an XML file and shared with other Alert Central users who are also trying to figure out the best / most efficient "matching rule" to use in determining that an email is from SCOM or AV or CommVault etc.
      • Email Alert Sources can be imported - If you have a similar set of group routing rules that you would like to share across all your alert sources then after you get one alert source working and tested in your environment you can export it and then re-import it multiple times and then only make the minor modifications you need.  If someone in the community figures out a really efficient way to identify an email as being from a certain system they could share it and you could import it (and then tweak the routing rules to match your environment).
      • Share Your Knowledge - I find that sometimes teaching others is the best way to learn.  Alert Central is attempting to "tame the beast" by being able to look at any alert email from any system and determine how important it is to you.  I think a large part of its success lies with the community.  I'm glad that SolarWinds is giving away Alert Central for free because it almost guarantees our success in taming that crazy world of email alerts out there and by pooling our Thwack knowledge we will prevail!!


      Keep those questions coming and may the force be with you
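
      The "Order Matters" and "Match First / Route Later" pointers above, as an added example that is not part of the original post and is not Alert Central's own engine or export format: a small Python model of ordered, first-match sources that counts how many rules are evaluated before and after sorting sources by hit frequency. The source tuples, the function names, and the SCOM and AV addresses are assumptions made for illustration; the From rules are escaped and matched in full so that look-alike addresses do not match.

```python
import re
from collections import Counter

def make_source(name, from_address):
    # One From-address rule per source. re.escape makes "." literal and
    # fullmatch (used below) rejects addresses that merely contain the sender.
    return (name, re.compile(re.escape(from_address), re.IGNORECASE))

def match_first(sources, from_address):
    """Walk sources top to bottom; return (matched name or None, rules evaluated)."""
    for tried, (name, rule) in enumerate(sources, start=1):
        if rule.fullmatch(from_address):
            return name, tried
    return None, len(sources)

def total_evaluations(sources, mails):
    """Total number of rule evaluations needed to classify every mail."""
    return sum(match_first(sources, m)[1] for m in mails)

def order_by_hits(sources, mails):
    """Reorder sources so the most frequently matched one is tried first."""
    hits = Counter(match_first(sources, m)[0] for m in mails)
    return sorted(sources, key=lambda s: -hits[s[0]])  # stable for ties

# Constructed configuration: the busiest source is listed last.
SOURCES = [
    make_source("SCOM", "scom@yourhost.com"),            # assumed address
    make_source("AV", "av@yourhost.com"),                # assumed address
    make_source("CommVault", "commvaultsystem@yourhost.com"),
]

# Constructed traffic sample: 80% of alerts come from CommVault.
MAILS = ["commvaultsystem@yourhost.com"] * 8 + ["scom@yourhost.com", "av@yourhost.com"]

if __name__ == "__main__":
    print("evaluations, CommVault last:", total_evaluations(SOURCES, MAILS))
    tuned = order_by_hits(SOURCES, MAILS)
    print("tuned order:", [name for name, _ in tuned])
    print("evaluations, tuned order:", total_evaluations(tuned, MAILS))
    # A look-alike sender falls through every rule instead of matching CommVault.
    print(match_first(tuned, "commvaultsystem@yourhost.com.example.net"))
```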