Probable Root Cause calculates the probability that any individual alert in an incident is the incident's root cause.
Probable Root Cause uses an algorithm and user feedback to build a data model. The data model identifies the likelihood that any individual alert is the root cause of an incident. It assigns each alert a root cause score: High, Medium, or Low, based on the calculated probability that the alert is the root cause. The more user feedback the data model receives, the better its accuracy.
Identifying the most likely root cause of an incident helps to reduce MTTR (Mean Time to Resolve) by allowing teams to focus on resolving—rather than finding—the incident cause. Incidents can contain hundreds of alerts, so narrowing down the potential root cause to a handful of alerts can greatly reduce the time spent investigating alerts. The alerts which are the most likely root causes display prominently with the highest probability, making it possible to narrow down the likely root causes without first evaluating numerous alerts which are symptoms.
Probable Root Cause helps you:
- Focus on the most likely cause immediately, reducing the amount of investigation and analysis required to resolve an incident.
- Reduce the overall MTTR for your organization by locating and resolving the root cause issue more quickly.
To view the most likely incident root cause, open an incident in the Situation Room. The initial tab, Recommendations, displays a list of the first five alerts with "High" root cause scores (for instances with trained models). Click an individual alert to view further information on it in the Situation Room.
For more information, see Identify the root cause for incidents.
When users begin providing alert feedback, Probable Root Cause begins to "learn" which alerts are likely root causes of an incident, and which alerts are likely to be symptoms. Probable Root Cause information for all alerts in an incident displays on the Alerts tab of the Situation Room when you view an incident. The alerts with a root cause score of "High" also display on the Recommendations tab.
Note
If users have not labeled any alerts, then Probable Root Cause cannot provide root cause scores. Alerts display Unknown root cause scores.
User feedback, in the form of alert labels, is key to obtaining meaningful recommendations for incident root causes. Labeling alerts as root causes or symptoms trains the feature to provide more accurate feedback. You do not have to label every alert; however, you should label as many as is reasonably possible, including both symptoms and causes. Labeling only the root cause alerts can result in misleading root cause scores.
You can label an alert as:
- Root Cause
- Symptom
Be as accurate as possible when providing probable root cause feedback. Conflicting labels can cause the feature to misidentify the root cause of an incident.
Note
Alerts in incidents that have a status other than Closed or Resolved cannot be labeled.
If all alerts have the same system-estimated root cause score, or if the wrong alerts are consistently identified as the potential root cause, the likely issue is that the feature needs further training. Label as many alerts as possible to train the feature, including both symptoms and root causes.
For more information, see Provide root cause feedback.