Use maintenance windows to reduce noise

The Maintenance Windows feature adds identifying information to selected alerts during active maintenance windows. You can use these fields to reduce noise in your Moogsoft Cloud environment.

Configure correlation definitions to ignore alerts with in maintenance = true during active maintenance windows

To avoid correlating alerts that match an active maintenance window, you must prevent the correlation engine from adding to incidents any alert whose in maintenance field has a value of true. After you make the following correlation definition changes, alerts created during a maintenance window still appear on the Alerts page, but they are not clustered into new incidents or added to existing incidents.

Note

If you have multiple correlation definitions, then consider which ones will be affected by maintenance periods and edit those. If all correlation definitions may be affected, you can add the following information to all of your definitions.

To ignore alerts matching the criteria in a maintenance window:

  1. Navigate to Correlate & Automate > Correlation Engine.

  2. Select the correlation definition in the list and open it for editing.

  3. Examine the Scope section under Definition.

    • If your current definition Scope is set to ALL alerts, select Filter alerts instead and create the following filter:

      "in maintenance" != true

      OR,

    • If your current definition Scope is already set to Filter alerts, add the following additional filtering information to the end of your filter:

      AND "in maintenance" != true

    Note

    If you have multiple correlation definitions, you may need to edit the scope for all of them.

  4. Save your updated correlation definition.

  5. Create maintenance windows as needed using this procedure.

Important notes
  • If events continue to be received after the maintenance window expires, some alerts created during the maintenance window may be included in incidents even though correlation is set up to prevent this from happening.

    This occurs when new, incoming events match older alerts. When the events are deduplicated, the alert they form is clustered into an incident. Because the window has expired, all alerts now have in maintenance = false, so nothing prevents them from joining incidents. See Use maintenance window fields.

  • If you have multiple correlation groups, you may need to edit the correlation definitions for every group to include the filter.

  • If you have one or more correlation groups set to "Alerts can match one definition" and you have selected the option Create an incident for each alert, this procedure does not reduce noise effectively, because it depends on a correlation definition filter to remove alerts affected by maintenance windows. When all alerts are correlated into incidents regardless of the filter setting, you cannot, by design, prevent the alerts from correlating into incidents.

  • You cannot use the in maintenance field to filter all alerts to find those that were created or updated during maintenance windows. When the maintenance window expires, the value changes from true to false. Instead, use maintenance or maintenance windows to locate these alerts.

  • Older alerts which were updated by new events received during a maintenance window will also have in maintenance set to true. The value remains true until the active window expires.
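
The expiry case from the first note above, as an added example rather than Moogsoft code: a simplified Python model in which `ToyEngine`, `Alert`, the service names and the time values are all hypothetical. It replays a late event that deduplicates into an alert created during the window and shows the scope filter no longer excluding it.

```python
from dataclasses import dataclass, field

@dataclass
class Alert:
    key: str
    in_maintenance: bool = False
    events: int = 0

@dataclass
class ToyEngine:
    """Hypothetical model: one window [start, end) covering a set of services."""
    start: int
    end: int
    services: set
    alerts: dict = field(default_factory=dict)
    incidents: list = field(default_factory=list)

    def active(self, now):
        return self.start <= now < self.end

    def ingest(self, now, service, check):
        if not self.active(now):
            # Per the page: once the window expires, the flag reads false.
            for a in self.alerts.values():
                a.in_maintenance = False
        key = f"{service}:{check}"
        alert = self.alerts.setdefault(key, Alert(key))  # deduplication
        alert.events += 1
        if self.active(now) and service in self.services:
            alert.in_maintenance = True
        # Scope filter from the page: "in maintenance" != true
        if not alert.in_maintenance and key not in self.incidents:
            self.incidents.append(key)
        return alert

def replay():
    """Constructed timeline: window is t=10..20 for service db01."""
    eng = ToyEngine(start=10, end=20, services={"db01"})
    eng.ingest(12, "db01", "disk")        # created inside the window
    eng.ingest(15, "web01", "cpu")        # not covered by the window
    during = list(eng.incidents)
    eng.ingest(25, "db01", "disk")        # late event, same alert
    alert = eng.alerts["db01:disk"]
    return during, list(eng.incidents), alert.events

if __name__ == "__main__":
    during, after, events = replay()
    print("incidents while window active:", during)
    print("incidents after expiry:      ", after, "| events on db01 alert:", events)
```

While the window is active only the uncovered `web01` alert reaches an incident; after expiry the `db01` alert joins as well, although its first event arrived during maintenance.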

Filter alerts during maintenance windows to reduce noise in outbound notifications

You can also use maintenance window fields to avoid sending notifications to external systems.

  1. Set up outbound notifications for your selected external system.

  2. Add the following information to your scope filter:

    AND "in maintenance" != true

    This prevents the integration from triggering when an alert is affected by an active maintenance window.

  3. Configure maintenance windows as needed.