Alert Suppression, Event Escalation, Event Deduplication
Understanding how Alert Suppression, Event Escalation, and Event Deduplication work together gives you fine-grained control over your alerting.
When a monitor first detects a problem, it consults its Alert Suppression rules to determine whether it should go into Alert state. This is the first filter in the alert path. If the alert is suppressed, the monitor does not enter Alert state and no further alerting is considered.
Action List - Event Escalation
If a monitor is in Alert state at the end of its check, it consults its list of actions, which might contain a list of Event Escalation alerts. This step is where the set of actions to run is determined. Event Escalation can be enabled and configured on a monitor-by-monitor basis.
There are two kinds of Event Deduplication: Simple and Advanced. Below we'll discuss Advanced, as Simple doesn't have any effect on which actions are run.
After the Event Escalation step produces a list of possible actions to fire, the alert is checked to see if it is a 'new' alert. If it is new, the actions are fired as normal. If the event is not 'new', it is a duplicate. 'New' and 'duplicate' are determined by looking at fields in the event.
If an event is a duplicate:
- By default, actions are not fired on duplicate events.
- You can indicate that actions should continue to be fired until the alert is acknowledged.
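
The three stages above, in the order described, as a small Python model. This is an added example and not the product's own code; the suppression rule (N failed checks in a row), the escalation schedule format, the dedup field names and the sample event are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Monitor:
    min_failures: int                 # assumed suppression rule: alert only after N failed checks in a row
    escalation: dict                  # assumed format: {minutes in Alert state: [action names]}
    dedup_fields: tuple = ("monitor", "target")  # assumed fields that define a 'duplicate'
    fire_until_acked: bool = False    # the optional duplicate behaviour from the list above
    failures: int = 0
    seen: set = field(default_factory=set)
    acked: set = field(default_factory=set)

    def _key(self, event):
        return tuple(event[f] for f in self.dedup_fields)

    def acknowledge(self, event):
        self.acked.add(self._key(event))

    def check(self, event, failed, minutes_in_alert=0):
        """Run one check and return the list of actions that fire."""
        # Stage 1, Alert Suppression: a suppressed problem never reaches Alert state.
        self.failures = self.failures + 1 if failed else 0
        if not failed or self.failures < self.min_failures:
            return []
        # Stage 2, Event Escalation: collect the actions whose delay has elapsed.
        actions = [a for delay in sorted(self.escalation)
                   if delay <= minutes_in_alert for a in self.escalation[delay]]
        # Stage 3, Advanced Event Deduplication: compare the chosen event fields.
        key = self._key(event)
        if key not in self.seen:
            self.seen.add(key)
            return actions            # 'new' event: fire as normal
        if self.fire_until_acked and key not in self.acked:
            return actions            # duplicate, but not yet acknowledged
        return []                     # duplicate: nothing fires by default

def demo(fire_until_acked):
    # Constructed sample event and schedule.
    event = {"monitor": "disk space", "target": "SRV01", "detail": "91% used"}
    m = Monitor(min_failures=2, escalation={0: ["email"], 15: ["sms"]},
                fire_until_acked=fire_until_acked)
    fired = [m.check(event, True, 0), m.check(event, True, 0), m.check(event, True, 15)]
    m.acknowledge(event)
    fired.append(m.check(event, True, 30))
    return fired

if __name__ == "__main__":
    print(demo(False))
    print(demo(True))
```

In this model the default duplicate handling also silences the later "sms" step, because that check carries the same field values as the event that already fired; only the fire-until-acknowledged setting lets it through.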