
How Auto-Close policies work

Auto-Close policies allow you to change the default behavior of APEX AIOps Incident Management Auto-Close.

Auto-Close policies let you:

  • Automatically close incidents and alerts based on field values and duration.

  • Configure multiple policies based on alert or incident field values and use different rules per source system, location, or other identifying value.

  • Identify the alerts and incidents which Auto-Close Policies should never close.

See Auto-Close Policies overview or Manage Auto-Close filters and policies for more details.

Default policies

All instances start out with two policies called Default Policy: one for alerts, one for incidents. You can edit or delete the default policies, although the Incident and Alert tabs must each include a minimum of one policy.

The default policies close alerts and incidents according to the following rules:

  • Changes the alert status to Closed from any state after 72 hours.

  • Changes the alert status to Closed 30 minutes after it is set to Resolved.

  • Changes the incident status to Closed 60 minutes after it is set to Resolved, or when all alerts in that incident are closed (effectively resolving it).

  • Changes the incident status from any state to Closed after 7 days.

Frequency of checks

Auto-Close inspection services run every five minutes for alerts and every minute for incidents. They first check for any alerts and incidents that match the Never Auto-Close filters. Those that match (and so should never automatically close) are not processed further by Auto-Close policies.

The remaining alerts and incidents are then compared with Auto-Close policies. Those which match one or more policy scopes are then checked for a duration which matches or exceeds the allowed duration in the policy. Any matching items are then handled in accordance with the associated policy. The policies with the shortest configured duration are compared first.

A second pass checks for items matching the total time defined in policies. Like duration, the policies with the shortest total time are compared first, and matching items are handled accordingly.

Resolving incidents and alerts

Because Auto-Close examines how long items have been resolved before automatically closing them, it is helpful to understand how the total time spent resolved is calculated when creating policies.

Whenever the status or severity of an incident or alert is changed, Incident Management stores the time the change occurred (in last_state_change for incidents and in last_status_change_time for alerts).

To determine whether an incident qualifies to be resolved automatically, Incident Management checks whether the incident matches a policy, and then whether the time elapsed since last_state_change is less than the configured time. If the elapsed time is less than the configured time in the policy, the incident is not resolved. If it is equal to or greater than the specified resolve time, the incident is resolved.

Alerts are evaluated in the same way as incidents, using last_status_change_time to perform the check instead of last_state_change.

Auto-closing incidents and alerts

The creation time is stored in created_at for incidents and in first_event_time for alerts. Incident Management calculates the amount of time that has elapsed since the alert or incident was created, and Auto-Close periodically checks whether any items matching a policy have exceeded the time in that policy. Alerts and incidents matching the specified duration in an Auto-Close policy are closed.

Never Auto-Close

Alerts and incidents matching a Never Auto-Close filter are never automatically closed by the Auto-Close feature, even when they match an Auto-Close policy.

Order and policies

Auto-Close policies examine the length of time since an incident or alert was created or last updated, so the order of the policies is irrelevant. All alerts and incidents are periodically compared to the settings in all of the policies. When there is a match, that item is handled according to the policy settings.

If an alert or incident matches two policies simultaneously, then the policy with the shortest duration will close the item. Processing the same group of alerts or incidents with the same values will always result in the same policy addressing the matching item.
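The evaluation order described on this page (Never Auto-Close filters first, then the resolved-duration pass, then the total-time pass, each shortest-first) can be modeled as follows. This is an added example, not product code: the `source` field values, the `Lab fast close` policy and the `ids` filter are constructed for illustration, and only the `Default Policy` durations are the alert defaults listed above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional

@dataclass
class Policy:
    name: str
    scope: Callable[[dict], bool]       # field-value match for this policy
    resolved_for: Optional[timedelta]   # close this long after status became Resolved
    total_time: Optional[timedelta]     # close this long after creation, from any state

def first_due(policies, attr, elapsed):
    """Compare policies shortest limit first; return the first whose limit is reached."""
    timed = sorted((p for p in policies if getattr(p, attr) is not None),
                   key=lambda p: getattr(p, attr))
    return next((p.name for p in timed if elapsed >= getattr(p, attr)), None)

def closing_policy(alert, policies, never_filters, now):
    # Never Auto-Close filters are checked first and override every policy.
    if alert["status"] == "Closed" or any(f(alert) for f in never_filters):
        return None
    matching = [p for p in policies if p.scope(alert)]
    hit = None
    if alert["status"] == "Resolved":   # pass 1: time since last_status_change_time
        hit = first_due(matching, "resolved_for", now - alert["last_status_change_time"])
    # Pass 2: total time since first_event_time.
    return hit or first_due(matching, "total_time", now - alert["first_event_time"])

# Constructed sample data: field values and the second policy are hypothetical.
NOW, M, H = datetime(2024, 1, 10, 12, 0), timedelta(minutes=1), timedelta(hours=1)
POLICIES = [
    Policy("Default Policy", lambda a: True, 30 * M, 72 * H),
    Policy("Lab fast close", lambda a: a["source"] == "lab", 10 * M, 24 * H),
]
NEVER = [lambda a: a["source"] == "ids"]

def make_alert(source, status, changed_ago, created_ago):
    return {"source": source, "status": status, "first_event_time": NOW - created_ago,
            "last_status_change_time": NOW - changed_ago}

def run_samples():
    samples = {
        "lab_resolved_15m": make_alert("lab", "Resolved", 15 * M, 1 * H),
        "web_resolved_15m": make_alert("web", "Resolved", 15 * M, 1 * H),
        "web_resolved_30m": make_alert("web", "Resolved", 30 * M, 1 * H),
        "web_open_80h": make_alert("web", "Open", 80 * H, 80 * H),
        "ids_open_80h": make_alert("ids", "Open", 80 * H, 80 * H),
    }
    return {k: closing_policy(a, POLICIES, NEVER, NOW) for k, a in samples.items()}
```

The `ids_open_80h` sample shows why the filter check matters: it exceeds the 72-hour total time yet stays open because a Never Auto-Close filter matched first.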