Forum Discussion
3 minutes ago, Stuart Weenig said:
Yeah, it can be done, but the logic has to be built in somewhere.
Just to make sure I understand the ask: you have an event source that catches, for example, 20 different events. You want alerts on 19 of those events any time they happen. On the 20th event, you want alerts all the time, except from 2-2:30am daily.
So, you want to turn off the EventSource, but only for one event within all the events caught by that ES, and you only want to SDT it during a certain time of the day.
So, you can't build this on the EventSource level, otherwise, you'd ignore all 20 event types during that time. You can't just ignore that one event because if it occurs outside that time, you want it to generate an alert.
Your only option is to ignore it in the fetching of alerts. If the ES is not Groovy based, it will need to be converted to Groovy in order to build the logic into the script to ignore that one event during that one time window.
What if you split out that one event from the 19 other events and had 2 ESs? That would be better than 20 ESs, but would allow you to leave most of the stuff handled normally. Then you'd have just the one ES to handle that one event and you could build logic into it to ignore the event during that daily timeframe.
Your logic is exactly what we want. To sum up, exclude just one event (for a certain period only) & don't affect the others on the same ES.
We could do that (creating 1 ES just for that event), however, this is something that we do really often (for our diverse clients). That's not an optimal solution for us in terms of monitoring management, otherwise, we'll need to be creating separate ES all the time (whenever a client requests it for a certain event - which happens often).
We actually can do this in our Alert Console (since our LM is sending all the alarms to our SNOW instance), however, it would be easier & standard if we could do this in LM.
Should this be a feature request perhaps?
Regards,
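
The per-event time-window filter discussed in this thread, sketched in Groovy as an added example; it is not code from either poster or from LogicMonitor. It generalizes the single case to a table of quiet windows keyed by event ID. The event IDs, field names, sample events and the `events` JSON output shape are assumptions made for illustration.

```groovy
import groovy.json.JsonOutput
import java.time.Instant
import java.time.LocalTime
import java.time.ZoneId

// Assumption: IDs, times and zone are illustrative. One entry per event that
// needs a daily quiet period; every event not listed here always alerts.
def quietWindows = [
    '20': [start: LocalTime.of(2, 0), end: LocalTime.of(2, 30), zone: ZoneId.of('UTC')],
]

// True when the event's own timestamp (not the collection time) falls inside
// its quiet window. The end of the window is exclusive. Windows that cross
// midnight (start later than end, e.g. 23:45 to 00:15) are handled.
def isSuppressed = { Map event, Map windows ->
    def w = windows[event.id as String]
    if (w == null) return false
    LocalTime t = Instant.parse(event.happenedOn).atZone(w.zone).toLocalTime()
    w.start <= w.end ? (!t.isBefore(w.start) && t.isBefore(w.end))
                     : (!t.isBefore(w.start) || t.isBefore(w.end))
}

// Constructed sample input standing in for whatever the script fetched.
def fetched = [
    [id: '20', happenedOn: '2024-05-01T02:10:00Z', severity: 'error', message: 'event 20 inside window'],
    [id: '20', happenedOn: '2024-05-01T02:30:00Z', severity: 'error', message: 'event 20 at window end'],
    [id: '7',  happenedOn: '2024-05-01T02:10:00Z', severity: 'warn',  message: 'other event inside window'],
]

def kept = fetched.findAll { !isSuppressed(it, quietWindows) }
def dropped = fetched - kept

// Record what was filtered so the quiet window stays auditable.
System.err.println("suppressed ${dropped.size()} event(s), ids: ${dropped*.id}")

// Assumed output shape: a JSON object with an "events" array.
println JsonOutput.prettyPrint(JsonOutput.toJson(
    [events: kept.collect { it.subMap(['happenedOn', 'severity', 'message']) }]))
```

Keeping the windows in one table means a new client request becomes a one-line change rather than a new EventSource, and the stderr line leaves a record of every event dropped during a window.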