Drop action
Available for event and alert workflows |
The Drop action is useful when you want to drop all events or alerts that pass a certain filter. For example, you might want to drop all events associated with an audit service or that get generated during a scheduled maintenance window.
The Drop action prevents any additional processing of the event or alert by other features in the system. Dropped events are not deduplicated and do not become alerts, and dropped alerts are not correlated into incidents. You can continue to view dropped alerts on the Alerts page, however.
The standard practice is to place this action after a filter in the Workflow trigger or an action such as Time Filter Action.
This action has no inputs.
Event example
You can use a Drop action to prevent certain events from becoming alerts. In this example, the Drop action is used to drop all events containing streaming
as the service from the video1.uitex.com
system. Events with other service information move are deduplicated into alerts.
Configure the workflow trigger with a filter that includes the name of the system and looks for the "streaming" service in the list of services:
service in (streaming) AND source = video1.uitex.com
Add the Drop action to the workflow.
All events received which match the trigger filter criteria are dropped. Events from video1.uitex.com which do not contain "streaming" in the services list are retained.
Alert example
You can use a Drop action to exclude certain types of alerts from further processing. In this example, the Drop action is used to drop all alerts originating in the metric host_cgroup_memory_current_bytes. Here, we want to see the alerts, but we don't want to correlate them into incidents. The following workflow drops the alert after the deduplication step but before alerts are correlated into an incident.
Configure the workflow trigger:
Select New alerts only, since we are only interested in evaluating newly created alerts.
Add the following filter:
check = host_cgroup_memory_current_bytes
Add the Drop action to the workflow.
The alert is dropped after deduplication, but prior to correlation. We can continue to view the alerts generated by the metric host_cgroup_memory_current_bytes, but no incidents are created by it.