I have recently created an auto operator rule that modifies a high number of alerts on arrival and it seems to be causing an excessive amount of alarm list refreshes. It makes it difficult to concentrate on an alert without pausing the alarm window. I am wondering if there is something I could have done differently to be more efficient in how the alerts are being handled.
My desire is to set values on several of the custom_# fields of every alert upon arrival; however, due to the impact, I have currently limited the action to only minor and greater alerts. Even with that additional filter, I am seeing the alarm window refresh continuously.
I don't believe I can use a pre-processing script as the script needs to be able to pull details of the alarm (severity and origin time at the moment) in order to set proper values in the custom fields.
The profile has an action type of script, with an action mode of "On message arrival" with a filter for Minor, Major and Critical and a count of less than 2. In theory it should match every alert that is Minor or greater, but only on the first occurrence of the alert. However, when I look through the NAS logs, I'm seeing the same alert get matched every 5 seconds until another instance of the alert comes through.
- Why are alerts being matched multiple times?
- What is the best way to modify these fields with the least impact on the overall system? I need to modify them as early in the process as possible as I will eventually be adding automation to create tickets on message arrival.
I've attached a screenshot of my profile settings below: