Technology Blogs by SAP
resmi_ks
Advisor

This blog aims to provide a detailed explanation of correlation rules.

To know more about alert correlation, click here.

Features of Correlation Rules:

A rule has an ID, name, attribute, time window, status and optionally filters.

  1. Rule ID: Rule ID is used to uniquely identify and manage the rule within the system.
  2. Rule Name: A rule name helps in identifying and distinguishing one rule from another. This is also used while the clusters are displayed in the alert list.
  3. Correlation Attributes: Correlation attributes refer to the basis for correlation. Each rule can maintain a maximum of three attributes.
  4. Time Window: The time window in the Alert Correlation tool determines the duration between alerts that match the correlation attributes. It allows users to specify a time frame, such as 10 minutes or 1 hour, during which alerts are considered for correlation. This ensures that only alerts generated within the defined time frame are correlated.
  5. Rank: The rank feature is used to determine the rule that should be applied in cases where multiple rules can be used for correlation. Rules can be dragged and dropped to change their rank.
  6. Filter: Filters can be applied to decide whether to include or exclude certain alerts from correlation.
  7. Active/Inactive Status: Each correlation rule in the Alert Correlation tool can be set to active or inactive status. An active rule is applied to incoming alerts and is correlated with other relevant alerts if the alert matches the defined criteria. On the other hand, an inactive rule is not considered during the correlation process, meaning alerts that meet the criteria of an inactive rule will not be correlated.
  8. Available Attributes: The Alert Correlation tool offers a wide range of attributes that can be used to define correlation rules. These attributes include Alert Category, Managed Object Type, Monitoring Use Case, Alert Name, Alert Technical Name, MO Name, Customer Name, Data Center, Context Family, Host, and Technical System. Users can leverage these attributes to create customized correlation rules based on their specific requirements.

Here is a guide on what filter values to use:

  • Alert Category

| Alert Category | ID |
|---|---|
| Availability | AVAIL |
| Configuration | CONFIGURE |
| Exception | EXCEPTION |
| Health | HEALTH |
| Performance | PERFORM |
| Self Monitoring | SELFMON |

  • Managed Object Type

| Managed Object Type description | ID |
|---|---|
| Application Server ABAP | ABAP |
| Application Server Java | JAVA |
| User Request Group | RUM Group |
| Sum Scenario | SUM_SCRIPT |
| Sum Location | SUM_ROBOT |
| Storage Device | Storage |
| Open KPI Sender | RCA_OPEN_K |
| Job Monitoring | ABAP_H |
| Host (Server) | HOST |
| Generic Managed Object type | SCENARIO |
| External Service | EXT_SRV |
| Database Replication Group | DBCLUSTER |
| Database Instance | DBINSTANCE |
| Database | DBMS |
| Customer Network | NETWORK |
| Client | CLIENT |
| Technical Component | TECHN_COMP |
| Technical Instance | INSTANCE |
| Technical System | T_SYSTEM |
| Tenant Database Instance | DBTENANT |
| Test Managed Object type | TEST_MOT |
| Unspecified Managed Object | UNSPECIFIC |

  • Monitoring use case

You can find the values in the value help available in the rule creation UI.

  • Additional alert keys

Additional alert keys are part of the alert. You can find them in the alert list or in the alert detail.

To use them as a filter, delimit each name-value pair with a pipe symbol:

Name=PLM_PSM_SH|Type=SAP ABAP Job|Client=002 

  • Alert Name

Use the complete Alert Name, without any wildcards (*).

Example: Critical Execution Status for job detected

  • Alert Technical Name

You can locate this in the template maintenance for system monitoring alerts. For other alerts this is not applicable.

  • Managed Object Name

Use the name as shown in the alert.

  • Customer Name

You can use the customer name as it appears in the scope selection.

  • Data Center

You can use the data center as it appears in the scope selection.

  • Context family

The context family name is a concatenation of the extended system ID and the type. Example: AXEWLL (ABAP). You can also wait until the first cluster is formed and use the name from there. Use the managed object type and name in this case.

  • Host

Host ID as seen in the alert.

  • Technical System

Technical System ID as seen in the alert.

Examples:

  1. Rule to correlate alerts from same Host occurring within 60 mins from the first alert will be defined as follows:

Correlation Attributes: Host

Time Window: 60 Mins

Rank: 1

Filter: NA

  2. To correlate alerts of different Managed Objects based on Alert Type from the same Data Center occurring within 60 mins from the first alert, the rule will be defined as follows:

Correlation Attributes: Alert Type, Data Center

Time Window: 60 Mins

Rank: 1

Filter: NA

  3. To correlate alerts coming from the same family for a duration of 30 minutes:

Correlation Attributes: Context Family

Time Window: 30 Mins

Rank: 1

Filter: NA

  4. To correlate availability alerts coming from the same family for a duration of 30 minutes:

Correlation Attributes: Context Family

Time Window: 30 Mins

Rank: 1

Filter: Alert Category

Condition: Is

Value: AVAIL

  5. To correlate availability alerts coming from the same family for a duration of 30 minutes but do not correlate alerts from data center Prio:

Correlation Attributes: Context Family

Time Window: 30 Mins

Rank: 1

Filter: Alert Category

Condition: Is

Value: AVAIL

Filter: Data Center

Condition: Is not

Value: PRIO
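
The rule features and examples above can be read as a small matching procedure. The Python model below is an added example, not SAP Focused Run code: it evaluates the last example rule together with the Host rule and shows how filters, rank and the time window decide which alerts end up in the same cluster. It assumes that the lowest rank number is applied first, that all filters of a rule must hold, and that the window is counted from the first alert of a cluster; the rule names, dictionary keys, host names and sample alerts are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Rule:
    name: str
    attributes: tuple      # correlation attributes (the page allows at most three)
    window: timedelta      # counted from the first alert of a cluster
    rank: int              # assumption: the lowest rank number is applied first
    filters: tuple = ()    # (attribute, "is" | "is not", value); assumption: all must hold
    active: bool = True    # inactive rules are never applied

    def matches(self, alert):
        passes = all((alert.get(a) == v) == (c == "is") for a, c, v in self.filters)
        return self.active and passes and all(alert.get(a) for a in self.attributes)

def correlate(alerts, rules):
    """Return {(rule name, attribute values, first alert time): [alert ids]}."""
    clusters, first_seen = {}, {}
    for alert in sorted(alerts, key=lambda a: a["time"]):
        rule = next((r for r in sorted(rules, key=lambda r: r.rank)
                     if r.matches(alert)), None)
        if rule is None:
            continue       # no active rule applies: the alert stays uncorrelated
        key = (rule.name, tuple(alert[a] for a in rule.attributes))
        first = first_seen.get(key)
        if first is None or alert["time"] - first > rule.window:
            first = first_seen[key] = alert["time"]   # window expired: new cluster
        clusters.setdefault(key + (first,), []).append(alert["id"])
    return clusters

# Rules modelled on the page's examples; names, keys and sample alerts are constructed.
RULES = [
    Rule("avail-by-family", ("context_family",), timedelta(minutes=30), rank=1,
         filters=(("alert_category", "is", "AVAIL"), ("data_center", "is not", "PRIO"))),
    Rule("by-host", ("host",), timedelta(minutes=60), rank=2),
]

def make_alert(id_, minute, category="AVAIL", dc="DC1", host="host-a"):
    return {"id": id_, "time": datetime(2024, 2, 5, 9, 0) + timedelta(minutes=minute),
            "context_family": "AXEWLL (ABAP)", "alert_category": category,
            "data_center": dc, "host": host}

ALERTS = [make_alert(1, 0), make_alert(2, 10), make_alert(3, 20, category="PERFORM"),
          make_alert(4, 45), make_alert(5, 5, dc="PRIO", host="host-b")]

if __name__ == "__main__":
    for (rule, values, first), ids in correlate(ALERTS, RULES).items():
        print(rule, values, first.time(), ids)
```

Alerts 1 and 2 share a cluster, alert 4 opens a new one because it arrives 45 minutes after the first alert, and alerts 3 and 5 fail the rank 1 filters and fall through to the Host rule.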

In conclusion, understanding correlation rules in SAP Focused Run Alert Management is crucial for efficient and effective alert management. By leveraging correlation rules, users can reduce noise and false positives, prioritize critical alerts, and streamline incident resolution. This can ultimately lead to improved operational efficiency and better overall system performance.

 #SAPFocusedRun

 
