Probable Root Cause identifies the alerts that are the most likely underlying causes for an incident. When users provide feedback by labeling alerts, APEX AIOps Incident Management learns the patterns that can mean an alert is the root cause. After sufficient training, Incident Management can indicate potential root causes of new incidents.
Users must have Read permission for Alerts and Full Access permission for Incidents to label alerts.
Notes
Even after Probable Root Cause is reliably assigning root cause scores, users should continue to manually label alerts when possible to continue training the model.
The Probable Root Cause feature does not require that every alert receive feedback in order to predict alert root causes. Providing feedback for as many alerts as possible improves the accuracy of future predictions, however, and the Incident Resolution pane for an incident continues to prompt for feedback until all alerts are labeled.
Note
Alert updates are paused while probable root cause labeling is active.
To provide root cause feedback for resolved or closed incidents, do the following:
Select an incident on the Incidents page, then click Situation Room in the lower pane.
In the Situation Room, click the Alerts tab.
The alerts in the incident display. Alert information includes a root cause score column, which displays the incident root cause probability for each alert.
Select an alert in the list.
One of the following sets of options displays:
When no alerts in the instance are labeled, it is not possible to estimate the root cause probability. Alert root cause scores display as Unknown.
When some alerts in the instance are already labeled, an estimated root cause probability is provided for each alert.
If no labeling options display, you are most likely attempting to label an incident that is not resolved or closed. Change the incident status to Resolved or Closed, and you can then label the alerts. The option to label alerts is unavailable for incidents with a status of In Progress or Open.
Categorize the alert using one of these options:
Root Cause
You are confident that the alert is the reason the incident occurred.
Symptom
You are confident that an alert is not the cause and is an issue which occurred as a consequence of the cause.
If you mislabel an alert, be sure to relabel it or remove the label. Mislabeled alerts can result in inaccurate alert root cause estimates.
Repeat steps 3 and 4 for the other alerts in the incident.
NOTE: System-estimated root cause probabilities are not used for model training. If an estimated probability appears to be correct, be sure to also manually label the alert to confirm that the model estimate was right.
When you have finished labeling the alerts, click Save Labels & Finish In the top right corner of the Alerts tab,
Important
Clicking Save Labels & Finish finalizes the alert labels and makes them available to the model for training. If you navigate to another area of the application without clicking Save Labels & Finish, the unsaved alert labels are discarded.
To change an alert label you have already saved:
On the Alerts tab in the Situation Room, select the alert.
Click the Change Label link.
Select the new label.
Click Save Labels & Finish.
If you need to remove labels from an alert completely, perhaps because you are uncertain whether the alert is a root cause or a symptom, you must use the Remove Label option.
To remove an alert label:
On the Alerts tab in the Situation Room, select the alert.
Click the Change Label link.
Click Remove Label.
Click Save Labels & Finish.
The root cause information for the selected alert is removed from the incident when you save your changes.
Use the grid menu options to label one alert, or multiple alerts at once:
On the Alerts tab in the Situation Room, select one or more alerts to label.
Do one of the following to open the Actions menu:
Click Actions.
OR
Right-click in the grid.
On the menu, hover over Set Root Cause Label, then select either Root Cause or Symptom.
When you have completed labeling alerts for the incident, click Save Labels & Finish.
Note
You can similarly remove labels from alerts using the grid Actions menu.