Setting the Severity Attribute
An alert is raised by setting the severity (SEV) attribute in an alert event report to any valid value other than clear or acknowledge, that is, to critical, major, minor, warning, informational, or indeterminate.
Alert Presentation in the Alerts Window
When an alert applies to an object in the zone being monitored, it appears in the Alerts window with the zone alerts and has the text specified in the TEXT attribute of the alert event report. Since a zone represents only systems and consoles, the object class is limited to the values listed in “AL Event Reports Syntax.”
If you specify any other value for the object class, the alert can appear only with the other alerts in the Alerts window of Operations Sentinel Console.
If you run multiple instances of Operations Sentinel Console with different zones selected, the same alert can appear with the zone alerts in one instance and with the other alerts in another instance. This occurs if the system to which the alert applies is in the zone monitored by the first instance, but not in the zone monitored by the other instance.
With an Active Alert Policy
When an alert event report refers to an action list defined in the currently active alert policy, Operations Sentinel server executes the actions in the action list that apply to raising the alert. If the event report refers to an alert that is already raised, then any unexecuted actions that remain from a previous severity for this alert are canceled. An alert event report refers to an action list with its EXT_ACTION_LIST or ALERTID attribute.
Alert Identification
Alerts are uniquely identified using the following attributes:
INSTANCE (required)
The name of the system to which the alert applies along with any qualifiers if the object is not a system or server.
ALERTID (required)
ALERTID is the primary alert identifier. It distinguishes this particular type of alert from other alerts raised against the same system. You may want to use a fixed alert identifier to describe the type of alert. For example, the ALERTID you specify for an alert raised when a file system is low on space might be File_System_Space_Low or File_System_Alert 1.
ALERTQUAL (optional)
ALERTQUAL further qualifies a particular type of alert. It distinguishes one alert from other alerts with the same ALERTID raised against the same system.
APPL (required)
The INSTANCE attribute value is case insensitive. So, for example, sys1 and Sys1 designate the same instance. All the other attribute values (except TYPE, SEV, HELP, and EXT_ACTION_LIST) are case sensitive. For example, an ALERTID of File_System_Space_Low does not match an ALERTID of File_system_space_low.
See “AL Event Reports Syntax” for a description of the syntax of AL event reports.
Duplicate Alerts
When an AL event report raises an alert, Operations Sentinel retains this alert and discards any subsequent event reports that raise the same alert. Two alerts are considered to be identical if all of the following attributes are the same:
CLASS (object class)
INSTANCE (object name)
ALERTID (alert identifier)
ALERTQUAL (alert qualifier)
APPL (application name)
SEV (severity)
CLASS, INSTANCE, ALERTID, ALERTQUAL, and APPL are the attributes that identify the alert. When SEV is also identical in two raise-alert event reports, the second event report is discarded if the alert raised by the first event report has not been cleared.
Escalated and De-Escalated Alerts
Alerts that duplicate the class, instance, alert identifier, alert qualifier, and application name, but have a different raise severity than an alert previously raised but not cleared, are treated as unique alerts. Such alerts are neither raised nor cleared; they are escalated or de-escalated, depending on the change in severity. These changes in severity are reflected in Operations Sentinel Console.
Escalated and de-escalated alerts are also checked against the active alert policy. If the alert matches an action list in the active alert policy, Operations Sentinel server executes the raise actions in the action list.
See “Alert Event Reports—Escalating and De-Escalating Alerts” for information about escalated and de-escalated alerts.
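The identification, duplicate, and severity-change rules described above can be modelled as follows. This is an added example, not Operations Sentinel code: event reports are represented as Python dicts rather than in AL event report syntax, and the names alert_key, AlertTable, and demo are hypothetical. Assumptions: the CLASS and APPL values are constructed, a missing ALERTQUAL is treated as an empty qualifier, and a severity change is reported without deciding its direction, since that depends on the product's severity ordering.

```python
# Added illustration of the rules above; not Operations Sentinel code.
# Reports are plain dicts keyed by attribute name, not AL event report syntax.
RAISE_SEVERITIES = {"critical", "major", "minor", "warning",
                    "informational", "indeterminate"}

def alert_key(report):
    """Identity of an alert: CLASS, INSTANCE, ALERTID, ALERTQUAL, APPL."""
    return (
        report["CLASS"],                 # case sensitive
        report["INSTANCE"].lower(),      # INSTANCE is case insensitive
        report["ALERTID"],               # case sensitive
        report.get("ALERTQUAL", ""),     # optional; empty if absent (assumption)
        report["APPL"],                  # case sensitive
    )

class AlertTable:
    """Tracks alerts that have been raised and not yet cleared."""

    def __init__(self):
        self.active = {}                 # alert_key -> current severity

    def process(self, report):
        key = alert_key(report)
        sev = report["SEV"].lower()      # SEV is not case sensitive
        if sev == "clear":
            return "cleared" if self.active.pop(key, None) else "no_such_alert"
        if sev not in RAISE_SEVERITIES:
            return "not_a_raise"         # e.g. acknowledge; not modelled here
        current = self.active.get(key)
        if current is None:
            self.active[key] = sev
            return "raised"
        if current == sev:
            return "duplicate_discarded" # same identity and same SEV
        self.active[key] = sev
        return "severity_changed"        # escalated or de-escalated

# Constructed sample report; CLASS and APPL values are made up.
BASE = {"CLASS": "example_class", "INSTANCE": "sys1", "APPL": "example_app",
        "ALERTID": "File_System_Space_Low", "SEV": "minor"}

def demo():
    table = AlertTable()
    reports = [BASE, {**BASE, "INSTANCE": "Sys1"},
               {**BASE, "ALERTID": "File_system_space_low"},
               {**BASE, "SEV": "major"}, {**BASE, "SEV": "clear"}, BASE]
    return [table.process(r) for r in reports]
```

In demo(), the second report differs from the first only in the case of INSTANCE and is discarded as a duplicate, while the third differs in the case of ALERTID and is raised as a separate alert.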