This article applies to:
• Alerts
• Product edition: All
• Feature Category: Alerting
Feature Category: Alerting
Problem Description:
Alerts are firing when a new source(s) report in breaching the threshold briefly but not for the full duration of the configured target window.
Cause:
When an alert sees a true value proceeded by "No Data" value this is a special situation that will cause the alert will fire immediately and not wait for the target threshold.
Resolution:
For new sources that breach the Alert condition briefly we need to include additional check for this special situation. This is similar to configuring for "NO Data" scenarios.
The query condition should contain two parts
Part 1) The original alert condition.
Part 2) The original alert condition wrapped with mcount(5m ts()) >3,
By using the mcount function in this way we are saying the alert must also see a minimum of 4 values/points prior to the first true values/point of the condition.
Example
Original Alert Condition: ts(<some query value>)
Updated Alert Condition: mcount(5m, ts(<some query value>))>3 AND ts(<some query value>)
This will count the last 5 minuets of points to see if the ts() reports 4 points, which will allow the alert to ignore "NO DATA" special situation.
See also:
Comments