Creating Incidents On Non-symptom Events

You can leverage Incident Manager's Root Cause Analysis (RCA) capability by creating rule sets that generate incidents for non-symptom target down events. For monitoring situations where a high number of symptom target down events are generated, but only a few non-symptom target down events, you can create or modify a rule set that generates incidents and sends notifications only for non-symptom events.

To create a rule set that generates incidents for this monitoring condition, you need to create two event rules (one for each of the RCA filters):
  • Event Rule 1: Generate incidents for all relevant events, but take no further action (no notification or ticket creation). The event is marked as a cause.

  • Event Rule 2: Generate incidents for non-symptom events only and also send notifications and create tickets. The event is not a cause and not a symptom.

To create the event rules to handle non-symptom target down events, navigate to the Incident Rules - All Enterprise Rules page (Setup > Incidents > Incident Rules). From here, you can create a new rule set (click Create Rule Set…) or edit an existing rule set (click Edit…).

To create a rule that generates incidents for all relevant events:

  1. From the Rules region of the Create Rule Set/Edit Rule Set page, click Create ... The Select Type of Rule to Create dialog appears.
  2. Select Incoming events and updates to events.

  3. Click Continue. The Create New Rule: Select Events dialog displays. Select Target Availability.
  4. In the Advanced Selection Options region, choose Causal analysis update. Three causal event options display:
    • Event is marked as cause: A target down is considered a cause if other targets depending on it are down.

    • Event is marked as a symptom: A target down is considered a symptom if a target it depends on is also down.

    • Event is not a cause and not a symptom: A target down is neither a cause nor a symptom.

      Note: By selecting an option, you filter out extraneous target down events and focus on those target availability events that pertain to targets with interdependencies.
  5. Select Event is marked as cause and click Next.

  6. On the Create New Rule: Add Actions page, click Add. The Add Conditional Actions page displays.

  7. In the Create Incident or Update Incident region, choose Create Incident (if not associated with one) and click Continue.

  8. Complete the remaining Create Rule Set wizard pages to return to the Create Rule Set/Edit Rule Set page.

    Next, you need to create a rule that generates incidents for non-symptom events only and also sends notifications.

  9. Repeat steps 1-4.

  10. Select Event is not a cause and not a symptom and click Next.

  11. On the Create New Rule: Add Actions page, click Add. The Add Conditional Actions page displays.

  12. In the Create Incident or Update Incident region, choose Create Incident (if not associated with one).

  13. In the Send Notifications region, complete the requisite notification details and click Continue. The Edit Rule Set page displays with the newly defined action listed in the table.

  14. Complete the remaining Create Rule Set wizard pages to return to the Create Rule Set/Edit Rule Set page. At this point, the two RCA event rules will have been added to the rule set.

  15. Click Save to save the changes to the rule set.
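
The filter logic of the two event rules, modelled as an added example (this is not Enterprise Manager code or output). The dependency map, target names and action labels are constructed, and evaluating the cause and symptom flags independently for a mid-chain target is an assumption of this sketch.

```python
# Added illustration: a toy model of the RCA filters, not Enterprise Manager code.
# Constructed sample data: target -> targets it directly depends on.
DEPENDS_ON = {
    "webapp1": ["db1"],
    "webapp2": ["db1"],
    "db1": ["host1"],
    "batch1": [],
    "host1": [],
}


def classify(target, down):
    """Return (is_cause, is_symptom) for a down target, using the page's definitions."""
    # Symptom: a target it depends on is also down.
    is_symptom = any(dep in down for dep in DEPENDS_ON.get(target, []))
    # Cause: other targets depending on it are down.
    is_cause = any(
        target in deps and other in down for other, deps in DEPENDS_ON.items()
    )
    return is_cause, is_symptom


def apply_rule_set(down):
    """Apply the two event rules to every target down event.

    Returns {target: set of actions}; an empty set means no rule matched.
    Assumption: a mid-chain target that is both cause and symptom still
    matches Event Rule 1 through its cause flag.
    """
    actions = {}
    for target in sorted(down):
        is_cause, is_symptom = classify(target, down)
        if is_cause:
            # Event Rule 1: create an incident, take no further action.
            actions[target] = {"create_incident"}
        elif not is_symptom:
            # Event Rule 2: create an incident and send a notification.
            actions[target] = {"create_incident", "send_notification"}
        else:
            # Pure symptom: neither rule matches, so no incident is created.
            actions[target] = set()
    return actions


if __name__ == "__main__":
    outage = {"host1", "db1", "webapp1", "webapp2", "batch1"}
    for name, acts in apply_rule_set(outage).items():
        print(f"{name:8} {sorted(acts)}")
```

In the sample outage only `batch1`, which has no down dependency and no down dependents, triggers a notification; the two web applications are symptoms and match neither rule.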