Troubleshoot the Content Pack for ITE Work Alert Routing
Once you install the Content Pack for ITE Work Alert Routing, you can begin using it to monitor your environment.
Common issues and how to resolve them
Refer to the following sections to learn how to resolve common issues using the content pack.
Can I take more than one action when an alert triggers?
Yes, if you specify multiple alert actions in the alert_routing field, each of the alert actions will be executed when the alert is triggered. See Configure alert routing rules on an entity.
Can I configure an alert to execute a custom script or take another action not supported by default in the content pack?
Yes. The content pack comes with the IT Essentials Work - Custom Alert Action Generator search, which is intended to allow you to execute any desired custom action not supported by default.
Can I put an entity into maintenance mode and suppress alert actions?
You can suppress alerts using any of the following options:
- Disable one or more of the IT Essentials Work - Alert Action Generator searches in this content pack to suppress alert actions for all triggered alerts.
- Disable the alerting configuration on the vital metric in the entity type configuration screen to suppress alerts for that vital metric.
- Remove or modify the alert_routing configuration on the entity to suppress or disable alerting for that entity.
- More sophisticated maintenance management is available as a premium feature of ITSI. For more info, see Overview of Event Analytics in ITSI.
Can I throttle the number of alert actions taken per entity or per alert?
You can achieve alert throttling using one of the following options:
- Modify the throttling configuration on the vital metric alert in the entity type configuration screen to throttle down the number of times an alert is triggered for a vital metric.
- Modify the throttling configuration on any of the IT Essentials Work - Alert Action Generator searches in this content pack to throttle down the number of times the alert action is taken.
Can I route alerts to different people/teams based on the type of alert?
Yes. See the Configure alternate alert routing for a specific vital metric alert section for steps to configure more complex conditions.
Can I alert someone differently based on the time of day, or day of the week?
Yes. See the Configure alternate alert routing based on other conditions section for steps on how to configure additional conditions.
Can I alert someone differently based on the severity of the alert?
Yes. See the Configure alternate alert routing based on other conditions section for steps on how to configure additional conditions.
How does this work with alerts from Splunk App for Infrastructure (SAI)?
The content pack is designed to act only on alerts coming from the alerting configuration of an IT Essentials Work vital metric. Any alerts and alert action configurations from SAI will continue to operate as they are configured there.
If the same alert is configured in both SAI and IT Essentials Work, you might receive duplicate alert actions since no attempt is made to consolidate or suppress this duplicate configuration.
How does this work with alerts from Splunk Enterprise?
The content pack is designed to act only on alerts coming from the alerting configuration of an IT Essentials Work vital metric. Any alerts and alert action configurations from Splunk Enterprise will continue to operate as they are configured there.
If the same alert is configured in both Core Splunk and IT Essentials Work, you might receive duplicate alert actions since no attempt is made to consolidate or suppress this duplicate configuration.
This documentation applies to the following versions of Content Pack for ITE Work Alert Routing: 1.0.1, 1.0.2