Proactive alerting of issues is important, but having too many alerts can be overwhelming. The latter can cause alert fatigue, and this is usually the result of not being able to correlate related alerts (or events) into a single issue that can be managed holistically.
Event Compression Policies in Enterprise Manager address this need. It automatically correlates and compresses related events into a single, actionable incident. The overall result of compression is a smaller set of meaningful incidents that ITOps teams can manage. This feature is available in Enterprise Manager 13.5 Release Update 8 (RU8) and later versions.
Incident Rule Sets contain Event Rules that specify the set of significant events for which incidents should be created. Event Compression Policies work with Event Rules to apply event compression logic before the incident is created. To illustrate this, see the example in Figure 1 below. We have an Incident Rule Set for the group ProdGroup. In this Rule Set, we have an Event Rule that instructs the Enterprise Manager to create an incident for all ‘Target Down’ availability events for all targets in ProdGroup.
Consider a scenario where Enterprise Manager is monitoring a WebLogic Cluster that has 2 WebLogic Servers. Let’s assume both WebLogic Servers went down. This would cause 3 Target Down events: one for each WebLogic Server and another for the WebLogic Cluster whose availability status is based on the status of its member WebLogic Servers. Without Event Compression, this scenario would result in the creation of 3 separate incidents as shown in Figure 2 below.
Now, consider the same scenario where Event Compression Policies are used. When the event occurs and there is an action to create an incident, before the incident is created, Enterprise Manager will first try to find an Event Compression Policy that matches or applies to the event. If a policy is found, then Enterprise Manager will correlate and compress the events based on that policy, resulting in one incident with multiple compressed events, instead of 3 separate incidents. This is shown in Figure 3 below.
Once you upgrade to or install Enterprise Manager 13.5 RU8, a key set of out-of-box Event Compression Policies are enabled and ready for use, with more policies planned for the future. In Incident Rule Sets, when you create a new event rule to create an incident, by default it will be automatically enabled to use Event Compression Policies. Thus, no further action is required to use Event Compression Policies for new event rules.
If you upgraded from an older version of Enterprise Manager to Enterprise Manager 13.5 RU8, your existing Incident Rule Sets and Event Rules in these Rule Sets will remain as is. To leverage Event Compression Policies for your existing Event Rules, you can modify the Event Rule and choose the option to “Use Event Compression Policies”, as shown in Figure 4 above.
When an incident has compressed events, you will be able to view the incident and its events in the Incident Manager. The total count of events as well as full details of each event are available for review. Click on the link to “View compression criteria” to learn about the Event Compression Policy that was used for the incident.
When dealing with a large volume of events, it is critical to manage these by automatically correlating and grouping related events so they can be managed holistically instead of individually. Event Compression Policies provide a consistent, standard way to implement event correlation and compression across all Incident Rule Sets. This results in a reduced and more manageable set of incidents for your ITOps teams, enabling them to better respond to these incidents promptly.
For more information on Event Compression Policies, refer to the Enterprise Manager product documentation.
Watch the webinar Manage Incidents More Effectively with Event Compression and Dynamic Runbooks
Previous Post
Next Post