Skip to main content

Change auto close settings

Watch a concept explainer: Auto Close ►

When data is flowing into Moogsoft Cloud from your configured sources, alerts and incidents will start to accumulate in your Incidents and Alerts views. By default, Moogsoft Cloud prevents old data from obscuring recent data as follows:

  • Sets an alert to Closed from any state after 72 hours.

  • Sets an alert to Closed 30 minutes after it is resolved.

  • Sets an incident to Closed 60 minutes after all alerts in that incident are closed.

  • Sets incidents from any state to Closed after 7 days.

Changing incident and alert status defaults

You can customize the default automatic handling of accumulated alerts and incidents using Auto Close settings.

Important

Note that incidents and alerts are interrelated. Making changes to one alert can affect multiple incidents, just as changing an incident can affect multiple alerts.

To change Auto Close settings:

  1. In the Moogsoft Cloud UI, click Correlate & Automate > Automation.

  2. Click Edit.

  3. In the Incidents section, you can change the following settings:

    • Close resolved incidents that have not been updated for <time>

      This setting changes the status of a resolved incident and all alerts included in that incident to Closed when the incident has had no updates during the specified length of time.

      You can configure this setting for a time range between one minute and seven days.

    • Close any incidents that are older than <time>

      This setting changes the status of open incidents (and the statuses of all alerts included in those incidents) to Closed for incidents present in Moogsoft Cloud longer than the specified time.

      You can configure this setting for a time range between one minute and seven days.

    • Take the following action when closing incidents

      This setting affects the impact to alerts when incidents automatically close. You can choose between two options:

      • Close the incident and all alerts which are not part of any other incident

        This option causes the included alerts to close when an incident automatically closes, but only when they are not included in any other incident. This option prevents accidentally closing alerts in other incidents, which can affect the statuses of those incidents.

      • Close the incident and all alerts it contains, including those that are part of other incidents

        When an incident closes automatically, the included alerts also close, regardless of whether they are part of other incidents or not.

        NOTE: Selecting this option closes alerts even if they are included in other incidents. Use this setting with caution.

  4. In the Alerts section, you can change the following settings:

    • Close resolved alerts that have not been updated for <time>

      Closes alerts with a status of Resolved that have had no updates for the specified length of time.

    • Close any Alerts that are older than <time>

      Closes all alerts older than the specified age.

How last_state_change affects auto close

Whenever the status or severity of an incident or alert is changed, Moogsoft Cloud stores the time of the change inside a variable (last_state_change for incidents, last_status_change_time for alerts).

To determine if an incident should be automatically closed, Moogsoft Cloud constantly checks to see if the time elapsed since the last_state_change is less than the configured time for auto close. If this is true, then the incident is closed. If not, the incident remains open.

This behavior is the same for alerts, except last_status_change_time is used to perform the check instead of last_state_change.