Manage Alert Filtering
Alert filtering allows you to prevent low-relevancy alerts from being correlated into incidents.
Alert Filtering helps you stop duplicate, low-relevancy events from being correlated into incidents. Stopping alert noise before it reaches the incident feed allows you to focus on the most important incidents and spend your time and effort on the most critical issues.
Alert Filtering affects alerts after they have been normalized and enriched. The added context of the enrichment process allows you to filter events based on alert metadata and enrichment tags.
Key Features
- Hide alerts requiring no operator actions such as during application decommissioning, self-resolving alerts, testing, and more.
- Preview filtering logic to see which alerts will be removed.
- Adjust conditions on the fly to match changing situations.
- View configured rules to troubleshoot filtered alerts
Alerts currently cannot be filtered by the description field.
BigPanda timestamps are saved and processed in seconds. If a maintenance schedule is sent with a timestamp in milliseconds, it will result in a scheduled time in the distant future.
Relevant Permissions
Roles with the following permissions grant access to Alert Filtering:
| Permission | Description |
|---|---|
| Alert Filtering & Planned Maintenance | View, create, edit, and delete Alert Filters. |
Permission access levels can be adjusted by selecting either View or Full Access. To learn more about how BigPanda's permissions work, see the Roles Management guide.
Create an Alert Filter
Plan Limit
Each organization can only have 3,500 alert filters at a time.
To add a new alert filter:
- Within BigPanda, navigate to Settings > Alert Filtering.
- Click New Filter.
- Add a short, descriptive Filter Name.
- Select Source Systems. The filter will only apply to alerts sent from that monitoring tool. Multiple sources can be selected. Alerts that match any source within the selection will be filtered.
- (Optional) Add a BPQL Condition. Only alerts that match the condition will be filtered. Do not include source_system in the BPQL condition in the UI.
- (Optional) Add a Description to add context for the filter.
- (Optional) Select Create as Inactive to save the filter without applying the filter to incoming alerts.
- (Optional) In the right pane, click Preview filtered alerts to see a sample selection of historical alerts that match the filter source and condition.
- Click Create Filter to save.
️ Adding Source Systems
Source System should be selected only in the Source Systems dropdown.
Do not include
source_systemin the filter condition in the UI.source_systemshould only be included when leveraging the Alert Filter Plans API.
Condition Limitations
Filter conditions cannot be longer than 25,000 characters long.
All alert tags in filter conditions must be listed in lowercase, regardless of the tag's system case.
OK Status
By default, alert filters ignore events that have an
okstatus. These events will still enter the system and resolve any related open alerts.This setting can be changed for an individual alert filter using the Alert Filter Plans API
View Alert Filters
Alert filters are managed in BigPanda at Settings > Alert Filtering.
Click any alert filter in the list to view details in the right pane.
Alert Filter Details
Sort and Filter Alert Filters
To sort the list of alert filters, click the Sort icon. From the menu, choose to sort either by last Updated or Created date.
The alert filters list can be filtered by Status. To filter the list, click Status and from the menu, select Active or Inactive.
Manage Alert Filters
Once created, you can edit, duplicate, delete, or activate/deactivate alert filters from within the Alert Filtering pane.
To manage alert filters:
- Navigate to Settings > Alert Filters. A list of existing alert filters appears.
- Select the alert filter you wish to edit, activate/deactivate, or delete.
- Use any of the following options to modify the alert filter:
| Option | Description |
|---|---|
| Edit | a. Click the Pencil icon. b. Make desired changes to the alert filter. c. Click Update Filter. |
| Duplicate | a. Click the Duplicate Alert Filter icon. b. Adjust the alert filter as necessary to fit the new properties. c. Click Create Filter to save. |
| Delete | a. Click the Trash icon. b. Click Delete to confirm, or Cancel to return to the previous page. |
| Activate or Deactivate | Using the toggle button, select Active or Deactivate. |
Alert Filtering Schedules
By default, alert filters are not time-sensitive. Filters will apply to all matching alerts until deactivated.
An optional time window can be added to alert filters using the Alert Filter Schedules and Alert Filter Plans APIs.
To add a schedule to an existing alert filter:
- Select the filter. Note the filter ID from the URL (24 digit code).
- Create an Alert Filter Schedule using an API call. Note the schedule ID from the success return.
- Make an Update an Alert Filter API call. Enter the filter ID in the
idfield, and the schedule ID in theschedulefield.
The alert filter will only apply to matching alerts that are time stamped within the scheduled period.
Next Steps
Learn about the Alert Intelligence process in the BigPanda University Alert Intelligence Learning Path.
Find information about managing Alert Enrichment.
Learn to navigate the BigPanda Settings page.
Updated 3 months ago