Please help me with alert keys

questions
deduplication

(Graeme Wilkinson) #1

I have the following alert to create an “Incident”:
Subject "SERVICE MANAGEMENT DEVICE DOWN"
Body “Critical 10/10/2017 15:17:03 GW-TEST-MPLS-01 Device Down”

and I want a similar alert to auto resolve the “Incident”:
Subject "SERVICE MANAGEMENT DEVICE RESPONDING"
Body “Normal 10/10/2017 15:18:18 GW-TEST-MPLS-01 Device Responding to Poll”

I’ve tried the following trigger and resolve…

But it doesn’t work. Both alerts create a separate “incident”.

I’ve had success with other services, but they have the key in the subject line, which I’m unable to change for this service.
This is also the first service where I am trying to use a key between two text strings.

I’m a novice with Regular Expressions, so would appreciate any help.
Thanks


(Ashley Brooks) #2

Thanks for reaching out! There could be a few things causing this issue:

  1. Without looking at your event data, the regular expressions look okay, but you’ll need to specify that you’re using a regular expression. You can do this by changing “contains” to “matches the regular expression” in the dropdown menu of each email management rule as well as the Alert Key rules.

  2. At the very end of these email management rules in the screenshot, there should be an option that says “If an email does not match any of the rules above”. Is it currently set to create a generic incident? If so, you might want to change that to “Discard it” so any events that do not match the rules will not create new incidents.

I hope that helps! Let me know if you have any other questions or trouble setting up your email integration.


(Graeme Wilkinson) #3

Thanks Ashley - when I try “matches the regular expression” option as suggested, I now have just the one field, so not sure what I need.
I’m struggling with the Body of the alert:
The trigger will be
Critical 10/10/2017 15:17:03 GW-TEST-MPLS-01 Device Down
and the resolution will be
Normal 10/10/2017 15:18:18 GW-TEST-MPLS-01 Device Responding to Poll #

the Bold text being the alert key that I need - my confusion is around how to match the alert key, but to ignore that the date and time will be different.
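
An added example, not part of any post in this thread and not the alerting product's own code: one regular expression that skips the severity, date and time and captures the device name from both sample bodies, so the trigger and resolve e-mails yield the same alert key. It assumes the key is the single whitespace-free token after the time; `BODY_RE`, `parse_body` and `open_incidents` are names chosen here, and the pattern is written for Python's `re`, so it may need adjusting for the regex dialect of the e-mail integration.

```python
import re

# Sample bodies copied from the two alerts quoted in the thread.
TRIGGER_BODY = "Critical 10/10/2017 15:17:03 GW-TEST-MPLS-01 Device Down"
RESOLVE_BODY = "Normal 10/10/2017 15:18:18 GW-TEST-MPLS-01 Device Responding to Poll"

# Match the *shape* of the date and time instead of their values, then
# capture the next token as the key. No ^/$ anchors, so surrounding quote
# marks or extra mail text do not break the match.
BODY_RE = re.compile(
    r"\b(?:Critical|Normal)\s+"           # severity, differs per alert
    r"\d{1,2}/\d{1,2}/\d{4}\s+"           # date, any value
    r"\d{1,2}:\d{2}:\d{2}\s+"             # time, any value
    r"(?P<key>\S+)\s+"                    # device name = alert key
    r"(?P<status>Device Down|Device Responding to Poll)\b"
)


def parse_body(body):
    """Return (action, alert_key), or None if the body is not recognised."""
    m = BODY_RE.search(body)
    if m is None:
        return None
    action = "trigger" if m.group("status") == "Device Down" else "resolve"
    return action, m.group("key")


def open_incidents(bodies):
    """Replay e-mail bodies in order and return the keys still open."""
    open_keys = set()
    for body in bodies:
        parsed = parse_body(body)
        if parsed is None:
            continue  # unmatched mail is discarded, not turned into an incident
        action, key = parsed
        if action == "trigger":
            open_keys.add(key)      # same key again deduplicates
        else:
            open_keys.discard(key)  # resolve closes the matching incident
    return open_keys


if __name__ == "__main__":
    print(parse_body(TRIGGER_BODY), parse_body(RESOLVE_BODY))
    print(open_incidents([TRIGGER_BODY, RESOLVE_BODY]))
```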

