convert alert status to unknown

Question

I have a suggestion to fix an architectural problem within LM related to missing data.&nbsp; Right now, knowing data is missing is very difficult, nearly intractable.&nbsp; In some cases, with enough digging, you can find a DS author chose to set a canary datapoint to warn on no data that has no meaning otherwise, so it can be used in alert rules safely.&nbsp; In most cases this is not true (or if it is, again, indiscernible without code review).

At the same time, LM persists status throughout the lifetime of no data.&nbsp; For example, if a disk hits 99% full then that disk is removed, the datapoint will be in some non-ok status indefinitely, until the instance is purged.&nbsp; My suggestion is that after some time passes (configurable at one or more levels), a datapoint with no data changes its status to unknown (or whatever label you prefer that means that).&nbsp; Then we can write alert rules to care about unknown distinctly, knowing it can be detected on any desired datapoint.&nbsp; If a problem was detected before transition to unknown, it is no longer considered a problem.&nbsp; If the instance starts producing data again and the problem actually persists, then it will re-arm with the correct status.&nbsp; The key problem I see here is that the desired time interval to give up and convert to unknown is probably longer than I might want to allow a no data condition to persist undetected.&nbsp; Given that, it may be better to make unknown a first order condition (parallel to status).&nbsp; I still think status should eventually reset when a long enough time passes without data, just not sure it should be the same timeframe.

mosh · Answer

I agree, this would be a good feature to have.

mnagel · Answer

Any thoughts from LM on when this will happen? We had a case today that was very confusing until you realize what is happening. A switch rebooted due to a power failure and generated a reboot alert. As something was causing the SNMP process on the switch to spike CPU, we ended up disabled SNMP for now. The same reboot alert continues to fire indefinitely until the instance alert is manually disabled. If that alert state had changed from warn to unknown (or stale or whatever you want to call it), we could have avoided sending meaningless alerts on stale information. What is frustrating about this is there is no way short of some API hacks to handle it -- we really need LM to address this problem.

I would really like to see LM respond to all feature requests with at least some ideas on if/when they will be addressed.

Forum Discussion

convert alert status to unknown

Related Content

Convert SMTP uptime to days?

Convert default Alert Report to dashboard?

Monitoring google work space status page

Adjusting Host Status Idle Interval Alert

SQL Server Services Status

Recent Discussions

Dashboard Sharing – An Inline Framing Method

2021-12-15 US Office Hours

Live Training - Tuning Datapoints and Alerts - 15th JUNE 2022 - APAC

Live Training - Introduction to Dashboards - 18th MAY 2022 - APAC

2022-05-11- APAC Product Overview -Collectors, Resources/Groups, Dashboards