Incident management allows administrators to create rulesets that look at incoming alarms and select a course of action (send an alert, bundle with other alarms, etc.) on how the resulting incident is to be created.
Incident management rules are managed on the Incident Criteria Administration pages (Administration → Alerts → Incident Management). Only users with SuperAdmin privileges may add incident management rules.
These rules can use compound conditional statements to cover a variety of circumstances. When an incoming alarm is examined, the rule compares it against parameters from the following three categories to decide on its actions:
- Strategic group
- Create Time
- Threshold check
- Service check
- Host check
- Configuration change
- Time frame
- Any configured time frame
Many of the above parameters can be checked to see whether they match, or do not match, a supplied value (which can often be a regular expression). Each rule functions as a basic sequence of IF/ELSE statements. IF any set of conditional statements evaluates to true, the rule can take one of the following four actions (AND conditional statements can be added to a set to narrow it down to the specific circumstances you want):
- Create a new incident and send a configured alert
- Create a new incident and send a custom alert
- Continue on to the correlation section of this rule
- Go to the next rule
ELSE, if the conditions evaluate to false, the rule can take an alternate action (also from the list above). Additional ELSE IF conditional statements can be added to provide more complex flow control. If you select the “Continue on to the correlation section of this rule” option, the incoming alarm will be correlated with another alarm (meaning that no alert notifications will be sent for it).
If you select the “Create a new incident and send a custom alert” option, you will then be able to select a custom alert template (or any of the stock alert templates) to use for sending the alert notification. This option should be reserved for specific circumstances, however, because using it forces you to select a single action group that overrides every action group selected in the alarm configuration of the alarm source. This means that only contacts in the action group selected in the rule will receive alerts from the opened incident.
Incident management rules are evaluated in the order in which they are listed on the Incident Criteria Admin page.
One very good use of incident management rules is to allow an ostensibly unrelated alarm to be correlated with another alarm (and bundled into that alarm’s incident). This provides a way to condense multiple alarms (and thus alerts) that are related only according to your particular organizational system.
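The following is an added example, not part of this documentation or of the product's own code, that models the rule flow described above: ordered rules, each with IF / ELSE IF branches whose AND-ed conditions are regular-expression matches (optionally negated as "is not") against alarm parameters, an ELSE action, the four actions listed earlier, the custom-alert override of the source's action groups, and correlation that bundles an alarm into an open incident without sending an alert. The alarm field names, the rule names, the `correlate_on` key, the silent incident opened when nothing can be bundled, and the fallback when no rule claims an alarm are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# The four actions named in the documentation; the string values are this example's own.
NEW_INCIDENT_CONFIGURED = "new-incident-configured-alert"
NEW_INCIDENT_CUSTOM = "new-incident-custom-alert"
CORRELATE = "correlate"
NEXT_RULE = "next-rule"


@dataclass
class Condition:
    param: str            # alarm field to inspect, e.g. "host" or "strategic_group" (assumed names)
    pattern: str          # regular expression matched against that field
    negate: bool = False  # True means "is not" the supplied value


@dataclass
class Branch:
    conditions: list          # AND-ed together; all must hold for the branch to fire
    action: str
    action_group: str = None  # only meaningful for NEW_INCIDENT_CUSTOM


@dataclass
class Rule:
    name: str
    branches: list              # IF, then ELSE IF ..., evaluated in order
    else_action: str = NEXT_RULE
    correlate_on: str = "host"  # field shared by alarms that get bundled (assumption)


def condition_holds(alarm, cond):
    value = str(alarm.get(cond.param, ""))
    matched = re.search(cond.pattern, value) is not None
    return matched != cond.negate


def evaluate_rule(rule, alarm):
    """Return (action, action_group) of the first branch whose conditions all hold, else the ELSE action."""
    for branch in rule.branches:
        if all(condition_holds(alarm, c) for c in branch.conditions):
            return branch.action, branch.action_group
    return rule.else_action, None


def open_incident(alarm, incidents, alerted):
    inc = {"id": len(incidents) + 1, "open": True, "alarms": [alarm], "alerted": alerted}
    incidents.append(inc)
    return inc


def process_alarm(alarm, rules, incidents):
    """Walk the rules in listed order; return the incident the alarm ended up in."""
    for rule in rules:
        action, group = evaluate_rule(rule, alarm)
        if action == NEXT_RULE:
            continue
        if action == CORRELATE:
            key = alarm.get(rule.correlate_on)
            for inc in incidents:
                if inc["open"] and any(a.get(rule.correlate_on) == key for a in inc["alarms"]):
                    inc["alarms"].append(alarm)  # bundled into the existing incident, no alert sent
                    return inc
            return open_incident(alarm, incidents, alerted=[])  # nothing to bundle with: silent incident (assumption)
        if action == NEW_INCIDENT_CUSTOM:
            # The rule's single action group overrides whatever the alarm source configured.
            return open_incident(alarm, incidents, alerted=[group])
        return open_incident(alarm, incidents, alerted=list(alarm.get("action_groups", [])))
    # No rule claimed the alarm; fall back to a configured alert (assumption, the page does not say).
    return open_incident(alarm, incidents, alerted=list(alarm.get("action_groups", [])))


# Constructed rules: a Payments-specific rule first, then a catch-all that skips lab hosts.
RULES = [
    Rule("payments-db", branches=[
        Branch([Condition("strategic_group", r"^Payments$"), Condition("type", r"^service_check$")],
               NEW_INCIDENT_CUSTOM, action_group="dba-oncall"),
        Branch([Condition("strategic_group", r"^Payments$")], CORRELATE),  # ELSE IF: other Payments alarms bundle
    ]),
    Rule("everything-else", branches=[
        Branch([Condition("host", r"^lab-", negate=True)], NEW_INCIDENT_CONFIGURED),
    ]),  # lab hosts fall through via the default ELSE action (NEXT_RULE)
]

# Constructed sample alarms.
ALARMS = [
    {"id": 1, "host": "db01", "service": "mysql", "strategic_group": "Payments", "type": "service_check", "action_groups": ["ops"]},
    {"id": 2, "host": "db01", "service": "disk", "strategic_group": "Payments", "type": "threshold_check", "action_groups": ["ops"]},
    {"id": 3, "host": "web02", "service": "http", "strategic_group": "Web", "type": "threshold_check", "action_groups": ["ops", "web"]},
    {"id": 4, "host": "lab-01", "service": "cron", "strategic_group": "Lab", "type": "host_check", "action_groups": ["ops"]},
]


def run(alarms=ALARMS, rules=RULES):
    incidents = []
    for alarm in alarms:
        process_alarm(alarm, rules, incidents)
    return incidents


if __name__ == "__main__":
    for inc in run():
        print(inc["id"], [a["id"] for a in inc["alarms"]], "alerted:", inc["alerted"])
```

With these rules the second Payments alarm (a threshold check on the same host) is bundled into the incident opened by the first, so only the "dba-oncall" group is alerted once; the web alarm gets a configured alert to the source's own groups; and the lab alarm is skipped by both rules and lands in the fallback path. Swapping the order of the two rules changes the outcome, which is the point made about rules being evaluated in listed order.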