eventsource uniqueness
As it stands, eventsources are impossible to use with alert policies because a single real-life event generates an unending stream of new alerts. You can ACK one, but it doesn't matter since the next one is a different ID. We need to have a way to map ongoing conditions into existing alerts, preferably with a counter of some sort to show how many of them have been registered.

An example of why this is a problem is the (unpublished but documented) Cisco_Interface_ErrDisabled eventsource. It is necessary to make it an event source as there is really no other way to get this information from Cisco switches. But if a port is disabled, and you want to hear about it, you will get a new alert (and clear) repeatedly with no way to stop the alerts, except to fix the problem. Fixing is of course the best result, but it is not always possible to do quickly.

We have found similar problems trying to push eventsource alerts into a ticketing system. Since each has a new ID, each is a new ticket.
Thanks,
Mark