Alert in Incident action
Available for alert workflows |
This action checks if an alert is included in an incident.
The Alert in Incident action takes no inputs. The alert triggering the workflow is checked for inclusion in an incident. If it is included in an incident, you can choose one of two exit options:
Skip to the next workflow
This option stops processing the alert by the current workflow and sends it to the next workflow (if any).
Stop processing
This option stops further processing of the alert by the current and all subsequent workflows.
The Alert in Incident action allows you to continue processing an alert with the current workflow if it is not already in an incident, while alerts that are already correlated into incidents can either move to the next workflow or exit out of workflow processing. Note that workflows process alerts prior to correlation, so all newly created alerts are uncorrelated and will evaluate to false
for this action. Restrict the alerts evaluated by this action to the specific type you intend to process by using workflow trigger settings.
Alert example
One way to use the Alert in Incident action is to delay correlation of new alerts. Because correlation does not start until after workflows finish, including a Delay action in the workflow can prevent alerts not yet in incidents from correlating immediately.
Create a new alert workflow and select the New alerts only option for the trigger.
You can also add a trigger filter if there are other alert attributes you want to consider. For example, if you prefer to delay only the alerts sent from one particular system, you can add a
source
filter to limit workflow processing to alerts from that system.Click Add Action and select the Alert in Incident action.
Select the Skip to the next workflow Exit Option.
This option allows any remaining workflows to process the alerts that are already in incidents.
Click Add Action and select the Delay action.
Configure the necessary amount of time to delay the alert.
Save and enable the workflow.
In this example, alerts which are not yet correlated into incidents are delayed for a configured period of time. You can delay correlation if a particular system creates occasional false alarms and you want to avoid creating incidents for them until the configured length of time passes. You can configure the delay for the amount of time necessary to receive a Clear event if the initial alert was erroneous.