This article describes how to work with Suppress events, and includes the following:
What are Suppress Events?
Suppress events enable you to suppress certain metrics according to the event start and end time (the events need to include some kind of “end time”, either in the same event, or by using a closing event). Note that if an event suppresses a subset of the alert metrics, it will be shown in the trigger; if it suppresses all metrics, it cannot be shown as there is no trigger to show it in.
In addition, when you are defining multiple suppress conditions for an alert (see Defining Advanced Alert Conditions), you can map up to four properties in each user event group to dimensions in the alert metrics.
Use case example of Suppress Events
You may have another platform in place that generates alerts, for example, whenever a customer complaint is received. These alerts would typically be sent to Anodot as events.
Using Suppress events, if the events received match certain dimension values in the Anodot metrics, alerts on these metrics can be suppressed until a “close” indication is received for the suppression notification.
The events allow you to link current or future happenings in your environment to Anodot, and reduce the number of expected alerts issued by Anodot.
Use Case 1:
You might have a maintenance schedule for monitored devices, and you know that during maintenance times, the device metrics often act in a chaotic manner. As you know that alerting on a specific device during maintenance is not needed, but keeping alerts on adjacent devices is very much needed, you may want to suppress the relevant metrics within the alert.
Use Case 2:
If you are maintaining budgets for your marketing campaigns, when those budgets are exhausted you may wish to suppress alerts on the relevant impressions, as they are most likely to drop. In the meanwhile, you can keep monitoring active campaigns.
How to use Suppress Events
There are several steps needed to get up and running with Suppress events:
- Plan your metrics and events in a way they will be easy to match. This basically means you should be able to match between an event property and a metric dimension.
- Inject the events as soon as you know them with the most accurate "startTime" indication. Remember to set the type as "suppress" and the action as "START" or "END".
- Select the Suppress event condition for the relevant alert.
- Add the same condition to the display condition, so you will be able to get the events included with the triggers you get from Anodot.
Other things to consider
- An event that took place after an anomaly started is ignored for that anomaly. This means the anomaly may cause sending a trigger even if the event exists.
- Make sure you send the events to Anodot as soon as you know them.
- Make sure you send an "END" event to stop the suppression period.
- Suppressing the alert metrics also pauses the Anodot baseline learning for that period. If the period is too long, Anodot will need to relearn metric behavior as if it was a new metric.
- Suppress events can also be used in a display and influencing events conditions. For more information, see here
This section includes some common questions (and their answers) you might have regarding Suppress events.
- If an event suppressed an alert trigger is it possible to review the reason for not getting the alert?
- Is it possible to suppress all the metrics except for one?
If an event suppressed an alert trigger, is it possible to review the reason for not getting the alert?
The suppress condition is yet another condition included in the alert and is not recorded as an unsent trigger. However, if some of the alert metrics were triggered and sent, and the event was included in the display condition, it will be shown in such triggers.
Is it possible to suppress all the metrics except for one?
There are two main ways to exclude metrics from being suppressed:
- Include the metric in a different alert altogether.
- Create matching rules that do not match that metric. For example, use a dimension that the specific metric does not have.