Configuring alert filling

To configure alert filling:

  1. In the KUMA web interface, go to the Settings → Other → Alerts section.
  2. In the Alerts window, go to the Alerts filling tab and manage the following settings:
    1. In the Status drop-down list, select the status that an alert must have to be filled with events. The default setting is New. You can select multiple values. The New value cannot be removed from the selection. Available values:
      • New means the created correlation events continue to be linked to the alert only if the alert status is New.
      • In incident means the created correlation events continue to be linked to the alert only if the alert status is In incident. If the status of the alert changes to In incident, it can revert to the New status if the alert is unlinked from the incident. In that case, the filling of the alert with events stops.

        Example: the alert has the In incident status. While in the In incident status, no new events were received. If you unlink the alert from the incident, the alert will be filled with events. If, while the alert was linked to the incident, more events were received and a new alert was created, the last created alert is filled with events.

      • Assigned means the created correlation events continue to be linked to the alert only if the alert status is Assigned.
    2. In the Alert created no later than (hours) field, specify the time during which the alert is filled with events. The value must be an integer. The time is counted from the moment the alert is created. Default value: 336 hours (2 weeks). The minimum value is 1 hour.

      If both Status and Alert created no later than (hours) settings are specified, the filling of the alert with events is stopped by the condition that changes first. That is, either the specified alert filling time has expired, or the status of the alert has changed and no longer satisfies the conditions under which the alert can be filled. However, if the alert later reverts to a status that enables filling, filling does not resume for that alert. For example, filling is configured for the New status. When the alert changes to the In incident status, filling stops. Then the alert is unlinked from the incident and the alert reverts to the New status. In this case, no new events are added to the alert.

    3. In the Event storage drop-down list, select the storage where the alert events are stored. Only one storage can be specified. The list shows storage resources, instead of running services. For alerts to be filled with events, the storage service must be running.

      Alerts created before specifying the storage in the filling settings do not contain any events. After the Event storage setting is specified or changed, existing alerts are not filled with events from the specified storage. In that case, new alerts are created with events from the specified storage. After selecting an event storage, this setting can take up to two minutes to be applied to alerts. Alerts created before this parameter is applied may not contain events from the specified storage.

Alert filling is configured.
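
The stop rule described above for the Status and Alert created no later than (hours) settings can be modeled as a small timeline check. This is an added example, not KUMA code: the function names, the sample timestamps, and the choice to treat the age limit as exclusive are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def filling_stops_at(created, status_changes, allowed=("New",), max_age_hours=336):
    """Return (time, reason) at which an alert stops being filled.

    status_changes: list of (time, new_status) tuples after creation.
    Filling stops at whichever comes first: the age limit, or the first
    change to a status outside `allowed`. Once stopped it never resumes.
    """
    deadline = created + timedelta(hours=max_age_hours)
    for when, status in sorted(status_changes):
        if when >= deadline:
            break  # the age limit was reached before this status change
        if status not in allowed:
            return when, "status changed to " + status
    return deadline, "alert age limit reached"

def is_filled(event_time, created, status_changes, **settings):
    """True if a correlation event at event_time is still added to the alert."""
    stop, _reason = filling_stops_at(created, status_changes, **settings)
    # Assumption: an event arriving exactly at the stop time is not added.
    return created <= event_time < stop

if __name__ == "__main__":
    # Constructed sample timeline: linked to an incident at +10 h,
    # unlinked (back to New) at +20 h.
    created = datetime(2024, 1, 1)
    at = lambda hours: created + timedelta(hours=hours)
    changes = [(at(10), "In incident"), (at(20), "New")]

    for hours in (5, 15, 25, 337):
        new_only = is_filled(at(hours), created, changes)
        with_incident = is_filled(at(hours), created, changes,
                                  allowed=("New", "In incident"))
        print(f"+{hours:>3} h  New only: {new_only!s:5}  "
              f"New + In incident: {with_incident}")
```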
