Use maintenance window fields
The Maintenance Windows feature uses the following fields (viewable as alert fields in the Alerts page and Situation Room) to track maintenance windows and populate alerts with maintenance window information:
in maintenanceIndicates if an alert matching a currently active maintenance window was created (or updated) during that window.
value =
truemeans that a maintenance window is currently active and is potentially impacting this alertvalue =
falsemeans that no maintenance window is currently impacting this alert
maintenanceThe name of the last matching maintenance window during which the alert was created, or updated by new alerts.
If this field does not contain a value, then no maintenance window was active during updates to the alert.
NOTE: When viewing information this information via API, the ID for the window displays instead of the name.
maintenance windowsA list of all matching maintenance windows which were active when alert updates occurred.
If this field does not contain a value, then no matching maintenance windows were active during updates to this alerts.
Determining whether an alert is impacted by a maintenance window
The in maintenance field is important when creating correlation definitions which identify alerts that are currently impacted by maintenance windows. You can use this information in conjunction with correlation definitions to reduce noise, or to prevent in maintenance alerts from triggering notifications to external systems.
Alerts created and updated outside of active maintenance windows have a value of false for this field. The value remains false, unless new events are added to the alert via deduplication during a matching active maintenance window.
Alerts created or updated during an active maintenance window have an in maintenance value of true. For this reason, it is recommended that you use the in maintenance field to determine whether an alert is currently affected by a maintenance window. However, it is important to note that the value for in maintenance switches from true to false for the alert when the maintenance window ends.
Because the value changes, you cannot use in maintenance to determine if an alert was ever impacted by a maintenance window. It only tells you if the alert received new events during the window that is active right now. Alerts that were impacted at some point by one or more now-expired maintenance windows have values for maintenance and maintenance windows. Once these fields contain values, they will always contain values, and you can use these fields to determine if an alert was updated during a maintenance window sometime in the past.
Overlapping windows
The following principles assume that the alerts match the maintenance windows. If an alert does not match the filter in an active maintenance window, then it is not identified as in maintenance. Maintenance window filters determine which alerts will be identified as in maintenance = true while the window is active.
Note that overlapping maintenance window schedules do not affect alerts at all. Only active, matching maintenance windows have any impact.
When alerts are not updated during a matching window, they are not added to any window.
Alerts are placed in the maintenance window that's active when they are created or a new event is added to the alert. When maintenance windows expire, then alerts are no longer considered in maintenance. If another maintenance window becomes active later on, and the alert matches that window, then the same alert can become part of that window if new events are added. For this reason, it is possible for alerts to switch between in maintenance = true and in maintenance = false multiple times.
For a new alert:
Window 1 becomes active.
Alert 1 is created.
Alert 1 matches Window 1, so
in maintenance=trueand Alert 1 is in Window 1.Window 1 expires.
For Alert 1,
in maintenance=false.
For an existing alert:
Alert 1 is created.
in maintenance=falseWindow 1 becomes active.
Alert 1 matches Window 1, but because it has added no new events during the window,
in maintenance=falsefor Alert 1.Alert 1 updates with a new event while Window 1 is active.
Now
in maintenance=truefor Alert 1.Window 1 expires.
For Alert 1,
in maintenance=false.
If two windows are active when a new alert is created (or an existing one updated), and the alert matches both windows, then the alert is included in the maintenance window that became active first.
Window 1 becomes active.
Window 2 becomes active 10 minutes after Window 1.
Alert 1 is created.
Alert 1 matches both windows but is included in Window 1 because it was active first.
If two maintenance windows simultaneously became active, and an alert matches both, then the alert could be in either window. It is not possible to determine in advance which maintenance window an alert would be in. However, an alert can only be in one active window at a time.
Whenever a maintenance window expires, Moogsoft Cloud checks for older alerts that could potentially be in active windows.
This affects overlapping windows as follows. In this example, Alert 1 matches both Window 1 and Window 2:
Window 1 becomes active.
Alert 1 updates with a new event and is included in Window 1.
Window 2 becomes active while Window 1 is active.
Alert 1 is still in Window 1.
While both Window 1 and Window 2 are active, Alert 1 updates with a new event.
Alert 1 is still in Window 1.
Window 1 expires.
The expiration of Window 1 triggers the addition of Alert 1 to Window 2.
The alert switches windows, even though the alert has not added any new events after Window 1 expired. The alert is still in maintenance (
in maintenance=true) though it is now part of Window 2.
Note that the process of moving alerts between windows is not instantaneous, so Alert 1 in this example may briefly show in maintenance = false after Window 1 expires.
This scenario only occurs when an alert is updated or created during the overlap of the two windows. If the alert did not update during the overlap, it would not move to Window 2 and in maintenance would be false when Window 1 expired.