When an alert comes into Alert Central it will have the triggered state with a red exclamation mark. Once it is assigned to a group, the workflow starts executing for the alert. When a user is notified via their user notification preference, the alert moves to the yellow notified state. When a user acknowledges or assigns the alert to someone else, the alert moves into the blue acknowledged state. When the workflow ends and the alert has not been acknowledged, the last step can be to either auto-assign or auto-close the alert.
Most of the time the alert will move to the notified state almost immediately after it comes into Alert Central, but if it does not match an alert source, it will remain in the red triggered state.
In order for an alert to transition into the notified state, an email notification must be successfully sent to a user. Notification preferences that have not yet been validated by replying to the validation email will be skipped, and will not receive an alert notification attempt.
This is a really good question.
Byron, I see lots of people running into the scenario you describe where after everything is configured the dashboard always shows everything as Acknowledged (or Closed and not appearing on the dashboard).
This is because the Group Escalation Policy by default only waits 5 minutes before escalating to the next step. I think most people trying out Alert Central use the defaults (that's what I would do too) so as email and Orion alerts come into the system they are getting automatically acknowledged or closed after 5 minutes.
Most groups should probably have at least an hour to respond to an email notification. They can always reply with "REF" to refuse the alert to make it escalate before the hour is up and it automatically goes to the next step.
High Priority alerts can always be sent to a special group where the policy is to escalate sooner and to repeat the notifications until someone responds...
I think we owe the Alert Central early adopters a good technical article going over the details of how Group Escalation works along with the history and life cycle of an Email and Orion alert.
It looks like when an alert is assigned to a group it automatically acknowledges it or closes it as those are your only options.... or am I missing something here?
Based on my previous comment, I don't see how it is possible for an alert to end up in the Notified status. If you route it to a group then the group will acknowledge it. I don't see how one would configure it in such a way to leave an alert in Notified status.
In thinking about this some more it seems to me it would make more sense to have the group set it in Notified status and only users should be allowed to Acknowledge an alert. Having an alert in Acknowledged status suggests somebody (a person) has actually taken responsibility for that alert.
This is exactly how it works. Routing to a group is how AC knows which set of escalation steps to follow in notifying a user of the problem so that they can acknowledge that they are working on it or refuse to acknowledge it so that it can go to the next escalation step.
There is an escalation step that notifies everyone in the group (first to acknowledge wins), and there is a type of escalation step which notifies a specific member in the group. There is one that looks at a specified calendar and notifies the member or members on-call at the time the alert comes in. Admins can set up as many of these steps as they want along with a number of minutes to wait between each step.
As long as notification steps are being processed then the alert remains in the Notified state until one of the notified users acknowledges it.
The problem is we only notify people for 5 minutes by default before doing the fall through action at the bottom of the group edit page.
So the short answer is: edit each one of your groups and change the value from waiting 5 minutes to 240 minutes (4 hours) and you should see alerts in the notified state (until the notified user acks it or 4 hours pass).
I know that was a lot of info but I hope it helped clear things up for someone out there...
I see what you are saying. Before I didn't have an Escalation Policy configured in the group so it was automatically hitting the fall through action at the bottom of the group.
I guess I would like to contest that having the fall through set the alert to Acknowledged is a bad policy as it implies somebody has taken responsibility for the alert when this is not the case. I think that the Acknowledged status should only be initiated by a user indicating that they are taking responsibility for the alert. I might suggest a new/different status that is reserved for the fall through action; I am thinking an exploding symbol with a status of Dropped to indicate that the issue has been dropped due to nobody Acknowledging it.
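The lifecycle discussed in this thread, as an added example that is not Alert Central code or part of any post: a simplified Python model showing why a 5-minute policy leaves the dashboard full of Acknowledged alerts that nobody actually took. The `Step` class, `alert_state` function, state strings and user names are hypothetical, and the model assumes the fall-through action still runs when every notification preference in the policy is unvalidated.

```python
from dataclasses import dataclass

@dataclass
class Step:
    recipients: dict   # user name -> True if the notification preference is validated
    wait_minutes: int  # minutes to wait before the next escalation step

def alert_state(steps, fall_through, minute, ack_minute=None):
    """Return (state, acknowledged_by_human) `minute` minutes after group routing.

    fall_through is "ACKNOWLEDGED" (auto-assign) or "CLOSED" (auto-close).
    ack_minute is when a notified user acknowledges, or None if nobody does.
    """
    elapsed = 0
    first_notified = None
    for step in steps:
        # Unvalidated preferences are skipped, so only a validated recipient
        # moves the alert out of the triggered state.
        if first_notified is None and any(step.recipients.values()):
            first_notified = elapsed
        elapsed += step.wait_minutes
    policy_end = elapsed  # the fall-through action fires here

    # A human acknowledgement counts only if someone was actually notified
    # and the reply arrives before the policy runs out.
    if (ack_minute is not None and first_notified is not None
            and first_notified <= ack_minute < policy_end
            and ack_minute <= minute):
        return ("ACKNOWLEDGED", True)
    if minute >= policy_end:
        return (fall_through, False)   # nobody took responsibility
    if first_notified is not None and minute >= first_notified:
        return ("NOTIFIED", False)
    return ("TRIGGERED", False)

# Constructed policies for illustration
DEFAULT_POLICY = [Step({"alice": True}, 5)]     # default 5-minute wait
LONG_POLICY = [Step({"alice": True}, 240)]      # the 4-hour wait suggested above
UNVALIDATED_POLICY = [Step({"bob": False}, 240)]  # validation email never answered

if __name__ == "__main__":
    for name, policy in [("default", DEFAULT_POLICY), ("long", LONG_POLICY),
                         ("unvalidated", UNVALIDATED_POLICY), ("no steps", [])]:
        print(name, alert_state(policy, "ACKNOWLEDGED", minute=10))
```

The second element of the returned tuple is the distinction the last post asks for: the state alone cannot tell a human acknowledgement from a fall-through one.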