Using conditional alerting to prevent false alerts

This article will present another approach to alerting and actions by utilizing Conditional Alerts to execute actions in very specific conditions.

Conditional Alerts is a more advanced alerting feature, which can be used to adjust alerting escalation scripts to be more precise.

For more information about Conditional Alerting visit this Article located in the NetCrunch documentation.

Scenario

Almost all devices can send syslogs which inform you about their current status, problems etc. Sometimes a single alert might be about a temporary peak only. For example, utilization of the device's CPU is too high for a small amount of time, but after a short while, it goes back to normal. To avoid a flood of these kinds of "fake" alert notifications, NetCrunch can execute alerting actions only if a specific condition set is met. For the purpose of this article, the condition "if the event happens more than" will be used.

Creating a New Alerting Rule based on trap

The simplest way to create an Alerting Rule based on a trap is to use External Events (Available only in XE version)

To do that:

Open the External Events tab and switch to Syslog Messages.
Find the syslog which indicates High CPU Usage on your device and click on Set alert on the left.
Assign a name for the alert and make sure that configuration of alerting is correct.
Click on the drop-down menu under "Trigger Alerting Action On".
Select condition: Event Happened more than and set the requested value. For the purpose of this article, we will set 2 times in 5 minutes.
Save your selection by clicking "OK".
Create or select an escalation script and save.