Manage Alert Filtering
Alert Filtering helps you stop duplicate, low-relevancy events from being correlated into incidents. Stopping alert noise before it reaches the incident feed allows you to focus on the most important incidents and spend your time and effort on the most critical issues.
Alert Filtering affects alerts after they have been normalized and enriched. The added context of the enrichment process allows you to filter events based on alert metadata and enrichment tags.
Key Features
Hide alerts requiring no operator actions such as during application. decommissioning, self-resolving alerts, testing, and more.
Preview filtering logic to see which alerts will be removed.
Adjust conditions on the fly to match changing situations.
View configured rules to troubleshoot filtered alerts.
Alerts currently cannot be filtered by the description field.
Timestamps
BigPanda timestamps are saved and processed in seconds. If a maintenance schedule is sent with a timestamp in milliseconds, it will treat the milliseconds as seconds and result in a scheduled time in the distant future.
Audit Logs
When multiple users are working in the BigPanda platform, it’s vital to see historic information on system configuration changes. Audit logs are available for alert enrichment in BigPanda, allowing admins to keep track of configuration changes.
Users with the Audit Logs permission can view historical configuration changes and actions made related to alert filtering. See the Use the Audit Log documentation for more information.
Relevant Permissions
Roles with the following permissions grant access to Alert Filtering:
Permission | Description |
|---|---|
Alert Filtering & Planned Maintenance | View, create, edit, and delete Alert Filters. |
Permission access levels can be adjusted by selecting either View or Full Access. To learn more about how BigPanda's permissions work, see the Roles Management guide.
View Alert Filters
Alert filters are managed in BigPanda at Settings > Alert Filtering.
Click any alert filter in the list to view details in the right pane.
 |
Alert Filter Details
Sort and Filter Alert Filters
To sort the list of alert filters, click the Sort icon. From the menu, choose to sort either by last Updated or Created date.
The alert filters list can be filtered by Status. To filter the list, click Status and from the menu, select Active or Inactive.
Create an Alert Filter
Filter limit
Each organization can only have 3,500 alert filters at a time.
To add a new alert filter:
Within BigPanda, navigate to Settings > Alert Filtering.
Click New Filter.
Add a short, descriptive Filter Name.
Select Source Systems. The filter will only apply to alerts sent from that monitoring tool. Multiple sources can be selected. Alerts that match any source within the selection will be filtered.
(Optional) Add a BPQL Condition. Only alerts that match the condition will be filtered. Do not include source_system in the BPQL condition in the UI.
(Optional) Add a Description to add context for the filter.
(Optional) Select Create as Inactive to save the filter without applying the filter to incoming alerts.
(Optional) In the right pane, click Preview filtered alerts to see a sample selection of historical alerts that match the filter source and condition.
Click Create Filter to save.
Create an Alert Filter
Adding source systems
Source System should be selected only in the Source Systems dropdown.
Do not include source_system in the filter condition in the UI. source_system should only be included when leveraging the Alert Filters (Plans V1) API.
Condition limitations
Filter conditions cannot be longer than 25,000 characters long.
All alert tags in filter conditions are case-insensitive.
Not all tags are available for alert filter conditions. See the Tag Naming documentation for a list of tags that have limited functionality in BigPanda.
OK status
By default, alert filters ignore events that have an ok status. These events will still enter the system and resolve any related open alerts.
This setting can be changed for an individual alert filter using the Alert Filter Plans API.
Recent tags only
Dropdowns only include alert tags that have been updated or included in an alert in the last 90 days. To use an older tag, simply type the tag name.
Manage Alert Filters
Once created, you can edit, duplicate, delete, or activate/deactivate alert filters from within the Alert Filtering pane.
To manage alert filters:
Navigate to Settings > Alert Filters. A list of existing alert filters appears.
Select the alert filter you wish to edit, activate/deactivate, or delete.
Use any of the following options to modify the alert filter:
Option | Description |
|---|---|
Edit | a. Click the Pencil icon. b. Make desired changes to the alert filter. c. Click Update Filter. |
Duplicate | a. Click the Duplicate Alert Filter icon. b. Adjust the alert filter as necessary to fit the new properties. c. Click Create Filter to save. |
Delete | a. Click the Trash icon. b. Click Delete to confirm, or Cancel to return to the previous page. |
Activate or Deactivate | Using the toggle button, select Active or Deactivate. |
Alert Filtering Schedules
By default, alert filters are not time-sensitive. Filters will apply to all matching alerts until deactivated.
An optional time window can be added to alert filters using the Alert Filter Schedules and Alert Filter Plans APIs.
To add a schedule to an existing alert filter:
Select the filter. Note the filter ID from the URL (24 digit code).
Create an Alert Filter Schedule using an API call. Note the schedule ID from the success return.
Make an Update an Alert Filter API call. Enter the filter ID in the id field, and the schedule ID in the
schedulefield.
The alert filter will only apply to matching alerts that are time-stamped within the scheduled period.
Next Steps
Learn about the Alert Intelligence process in the BigPanda University Alert Intelligence Learning Path.
Find information about managing Alert Enrichment.
Learn to navigate the BigPanda Settings page.