Create custom Event Compression Policies in Enterprise Manager to reduce event noise

September 21, 2023 | 8 minute read
Desiree Abrokwa
Product Manager, Enterprise and Cloud Manageability
Text Size 100%:

Are you experiencing too many events in your IT environment? Are these events overwhelming you and other administrators and delaying issue resolution? If that’s the case, then Event Compression Policies are the solution to reduce event noise.

In Enterprise Manager (EM) 13.5 Release Update 8 (RU8), we introduced Event Compression Policies to reduce this event noise. It includes out-of-box policies that work with your incident rules to group related events into a smaller set of actionable incidents. For more information, refer to this blog: Reducing alert fatigue with Event Compression Policies in Oracle Enterprise Manager.

For scenarios not covered by the out-of-box policies, User-Defined Event Compression Policies were introduced in EM 13.5 RU13 to allow you to author custom policies specific to your environment.  

To analyze the effectiveness of all of these policies (out-of-box and custom) against your events, in EM 13.5 RU11 we introduced the Event Compression Analysis tool. The analysis uses historical monitoring data from your environment to analyze the number of incidents created if policies were enabled vs. the number of incidents that were created in the past. Using the Event Compression Analysis tool, you can test the policy before publishing it for use by other EM admins.

This blog reviews how you can create a policy and test its effectiveness.

 

Creating your Event Compression Policy

Consider a scenario where you are getting many Target Availability (e.g., down or error) events in your environment for your Coherence targets. This is leading to many separate incidents being created for each of these events, which could be hard to manage. Instead, you prefer to group (compress) all these events into a smaller set of actionable incidents.

Let’s look at how to create a custom compression policy in EM for this scenario:

1. In the EM console, first navigate to the Setup menu icon > Incidents > Event Compression Policies.

2. From the Event Compression Policies page, view all the policies available. To create a policy, select ‘Create New Policy’. A page slides out where you can specify the criteria for your policy.  

Figure 1: Create new compression policy
Figure 1:  Create a new compression policy

 

3. Let’s review how to create a policy for the scenario previously mentioned. First, enter a policy name and description that describes the compression criteria. For example, name the policy ‘Target availability events for a coherence cluster and its members’ and the description could be ‘Compress target availability events for a coherence cluster, coherence node and coherence cache occurring within the 60-minute time window’.

Figure 2: Create Compression Policy – Add name and description
Figure 2:  Create Compression Policy – Add name and description

 

4. Next, specify the type of events that will be used in the policy. In the scenario, you are interested in compressing Target Availability events (i.e., down and error) for the Coherence targets. When creating the policy, this would translate to:

  • Events of type: Target Availability
  • On targets of type: Oracle Coherence Cache, Oracle Coherence Cluster, Oracle Coherence Node
  • With event severity: Fatal, Critical
    Figure 3: Create Compression Policy – Selecting events to compress
    Figure 3:  Create Compression Policy – Select events to compress

 

5. Set a designated time window within which the events should have occurred to be compressed. Adjust the time window to a range that fits your needs. For example, set the time window to 60 minutes.

Figure 4: Create Compression Policy – Adjusting time window
Figure 4:  Create Compression Policy – Adjust time window 

 

6. Define how the events are grouped into the incident. Note that the Coherence Cluster target is the parent target to the Coherence Cache and Coherence Node targets. Knowing this, you may want to group all these related events into one incident based on the parent target, hence the following selection:

Compress into One incident by:

  • Select Event Type: same ancestor target type
  • Select Group Type: Oracle Coherence Cluster
Figure 5: Create Compression Policy - Defining compression criteria
Figure 5:  Create Compression Policy - Define compression criteria

 

7. Last is the Incident Message field. Use the default Oracle-provided message that is displayed or modify the message as you like. The variables displayed will be replaced with their corresponding values in EM once the incident occurs. Refer to EM documentation to view the list of variables that can be used in the incident message. Once this is complete, save the policy created.

Figure 6: Create Compression Policy - Incident message
Figure 6:  Create Compression Policy - Incident Message

 

8. The saved policy will appear in a draft and disabled state in the Event Compression Policies page. It cannot be used by other admins until it is published and enabled.  

Figure 7: EM Walkthrough of creating compression policy
Figure 7:  EM Walkthrough to create the compression policy

 

 

Testing your policy using Event Compression Analysis

1. Now that a policy has been created, enable it for testing.

Figure 8: Enabling custom policy to test
Figure 8:  Enable custom policy to test

 

2. Select the ‘Event Compression Analysis’ link. This navigates to the Event Compression Analysis page. Select the ‘Start New Analysis’ button on the page.

Figure 9: Navigate to Event Compression Analysis page
Figure 9:  Navigate to Event Compression Analysis page

 

3. Enter a meaningful name and description for your analysis. Next, specify the group containing your Coherence targets and the time range for when the Coherence related events occurred. Select ‘Include Draft Policy’ to include your draft policy in the analysis. Select the ‘Start Analysis’ button.

Figure 10: Define criteria for analysis
Figure 10:  Define criteria for analysis

 

4. The Event Compression Analysis page re-appears to track the progress of the analysis job.

5. After the job completes, select the analysis name to see the results.

Figure 11: View analysis results
Figure 11:  Event Compression Analysis results

 

6. The analysis above shows the following:

  • 30 events were analyzed during the selected time range
  • Without compression enabled, 30 incidents are created
  • With compression enabled, 10 incidents would be created, a 66% reduction in the number of incidents
  • An average of 3 events were grouped into a single incident

Note: In the graph, the bars are color coded to distinguish the number of incidents created when Event Compression Policies are used (orange) vs. number of incidents created when Event Compression Policies are not used (blue).

7. To analyze the exact events that are compressed, click on the bar in the graph for your desired date.

8. This visualization illustrates the exact events that are mapped from incidents without compression policies to incidents with compression policies. Notice how these events were grouped into a smaller number of incidents. In EM, you can hover over the respective sections to view more details on these Coherence Target events.

Figure 12: Mapping of incidents to a smaller set of incidents
Figure 12:  Mapping of incidents to a smaller set of incidents

 

9. After testing, go back to the Event Compression Policies page to publish the policy so that other EM admins can use the policy.

Figure 13: Walkthrough to test out your custom policy
Figure 13:  EM Walkthrough to test out your custom policy

 

 

Event Compression and Incident Rule Sets

Event Compression Policies and Incident Rules work hand in hand. In order for the policies to take effect, verify your event rules that create incidents have the ‘Use Event Compression Policies’ enabled.  Refer to this documentation for more on how to use Event Compression Policies with Incident Rules.

Figure 14: Enable using Event Compression Policies in Incident Rules
Figure 14:  Enable using Event Compression Policies in Incident Rules

 

 

Take advantage of Event Compression Policies to reduce event noise now!

Event Compression is a powerful tool that drastically reduces the number of incidents to a manageable set. While Oracle provides out-of-box policies for common use cases, you can also author and test custom policies for event compression for your IT environment.

Get started now with Event Compression Policies:

  1. Refer to the Enterprise Manager product documentation
  2. Watch the webinar Manage Incidents More Effectively with Event Compression and Dynamic Runbooks
  3. Check out the blog Reducing alert fatigue with Event Compression Policies in Oracle Enterprise Manager
  4. Want to test out the feature? Refer to our Enterprise Manager Monitoring Quick Tour Hands on Lab

Desiree Abrokwa

Product Manager, Enterprise and Cloud Manageability

Desiree is a Product Manager in the Enterprise and Cloud Manageability organization at Oracle Corporation. She currently focuses on the monitoring space of Enterprise Manager. She has a Bachelor of Science degree in Computer Science from the University of Maryland, College Park.


Previous Post

Oracle Cloud Infrastructure Security Fundamentals Dashboards using OCI Logging Analytics

Royce Fu | 10 min read

Next Post


How to Monitor and Diagnose Oracle E-Business Suite Performance Issues with OCI Application Performance Monitoring

Vivek Verma | 7 min read