Note
In most cases, an alert correlation training file does not need to be used, and it is recommended that you rely on machine learning to discover alert sequences to be correlated. Notable exceptions are alert sequences with similar alert names, which make it more convenient to use the training file wildcard feature to specify the alert sequence. Full alert transparency and the observability option are always available to verify which alerts are correlated.
The alert correlation training file is a CSV file that provides a way to heuristically specify an alert sequence for correlation instead of using machine learning to discover alert sequence patterns. Alerts that occur in the exact sequence specified in the training file are correlated, with each row representing a separate correlation. Enter alert names separated by a comma.
Create a training file from an example file
To get started, you can download an Alert_Correlation_Training_Example.csv example training file:
Go to Setup > Alerts > Alert Correlation.
Select a client from the Select Client list.
Click Create New or + Add to display the Create Alert Correlation Policy page.
In the Policy Definition section, click Download an example file:
The example file specifies the following alert sequence, which uses regex to match alert patterns:
vmware.vcenter.*, vmware.vcenter.*
vmware.esx.*, vmware.esx.*
citrix.network1*, citrix.network2*
Modify the file for the alert sequence you want to match on.
The alert sequence specified in the training file is significant. Alerts must be entered in the same order in which they are expected to occur, and each line represents a separate sequence.
Click Browse to navigate to your modified training file and open the file to use it as the training file for this correlation policy.
Wildcard sequence specification
Alerts can be specified in the training file using an asterisk (*) as a wildcard character. Wildcards are convenient for alerts with similar or partially known alert names, or for which the sequence might vary, but which satisfy correlation criteria. As an example, instead of explicitly specifying the following alert sequence,
vmware.vcenter.alarm.HostEsxCosSwapAlarm, vmware.vcenter.alarm.HostLicenseEditionNotAllowed, vmware.vcenter.alarm.HostMemoryUsageAlarm, vmware.vcenter.alarm.HostVendorProviderRegistrationAlarm
you can simplify the specification with
vmware.vcenter.alarm.*, vmware.vcenter.alarm.*, vmware.vcenter.alarm.*, vmware.vcenter.alarm.*
provided the wildcard sequence still satisfies correlation criteria. The example correlates all VMware vCenter alerts.
Inhibit correlation
You can specify that an alert sequence not be correlated by putting a minus sign (-) in the first column of the training file:
-,Robot,QOS_NET_CONNECT
This alert sequence is not correlated.