Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
cancel
Showing results for 
Search instead for 
Did you mean: 
resmi_ks
Product and Topic Expert
Product and Topic Expert
907

This blog aims to provide a detailed explanation of correlation rules.

To know more about alert correlation, click here.

Features of Correlation Rules:

A rule has an ID, name, attribute, time window, status and optionally filters.

resmi_ks_0-1707121359794.png

  1. Rule ID: Rule ID is used to uniquely identify and manage the rule within the system.
  2. Rule Name: A rule name helps in identifying and distinguishing one rule from another. This is also used while the clusters are displayed in the alert list.
  3. Correlation Attributes: Correlation attributes refer to the basis for correlation. 
  4. Time Window: The time window in the Alert Correlation tool determines the duration between alerts that match the correlation attributes. It allows users to specify a specific time frame, such as 10 minutes, 1 hour etc. during which alerts are considered for correlation. This ensures that only alerts generated within the defined time frame are correlated.
  5. Rank: The rank feature is used to determine the rule that should be applied in cases where multiple rules can be used for correlation. Rules can be dragged and dropped to change their rank.
  6. Filter: Filters can be applied to decide whether to include or exclude certain alerts from correlation.
  7. Active/Inactive Status: Each correlation rule in the Alert Correlation tool can be set to active or inactive status. An active rule is applied to incoming alerts and is correlated with other relevant alerts if the alert matches the defined criteria. On the other hand, an inactive rule is not considered during the correlation process, meaning alerts that meet the criteria of an inactive rule will not be correlated.
  8. Available Attributes: The Alert Correlation tool offers a wide range of attributes that can be used to define correlation rules. These attributes include Alert Category, Managed Object Type, Monitoring Use Case, Alert Name, Alert Technical Name, MO Name, Customer Name, Data Center, Context Family, Host, and Technical System. Users can leverage these attributes to create customized correlation rules based on their specific requirements.

 Here is a guide on what filter values to use :

  • Alert Category

Alert Category

ID

Availability 

AVAIL 

Configuration 

CONFIGURE 

Exception 

EXCEPTION 

Health 

HEALTH 

Performance 

PERFORM 

Self Monitoring 

SELFMON 

  • Managed Object Type

Managed Object Type description

ID

Application Server ABAP

ABAP

Application Server Java

JAVA

User Request Group

RUM Group

Sum Scenario

SUM_SCRIPT

Sum Location

SUM_ROBOT

Storage Device

Storage

Open KPI Sender

RCA_OPEN_K

Job Monitoring

ABAP_H

Host (Server)

HOST

Generic Managed Object type

SCENARIO

External Service

EXT_SRV

Database Replication Group

DBCLUSTER

Database Instance

DBINSTANCE

Database

DBMS

Customer Network

NETWORK

Client

CLIENT

Technical Component

TECHN_COMP

Technical Instance

INSTANCE

Technical System

T_SYSTEM

Tenant Database Instance

DBTENANT

Test Manged object type

TEST_MOT

Unspecified Managed Object

UNSPECIFIC

  • Monitoring use case

You can find the values in the value help available in the rule creation UI.

resmi_ks_1-1707121359798.png

  • Additional alert keys

Additional alert keys are part of alert. You can find it in alert list or in alert detail.

resmi_ks_2-1707121359814.png

resmi_ks_3-1707121359821.png

To use as filter, each name-value pair to be delimited by a pipe symbol

Name=PLM_PSM_SH|Type=SAP ABAP Job|Client=002 

  • Alert Name

You should use complete Alert Name without any wild cards(*).

Example : Critical Execution Status for job detected

  • Alert Technical Name

You can locate this in the template maintenance for system monitoring alerts. For other alerts this is not applicable.

  1. Managed Object Name – as shown in the alert
  2. Customer Name

You can use the customer name as it appears in the scope selection.

resmi_ks_4-1707121359823.png

  • Data Center

You can use the data center as it appears in the scope selection.

resmi_ks_5-1707121359824.png

  • Context family

Context family name is a concatenation of extended system id and type. Example: AXEWLL (ABAP). You can also wait till the first cluster is formed and use the name from there. Use the managed object type and name in this case.

  1. Host : Host ID as seen in the alert
  2. Technical System – Technical System ID as seen in the alert

Examples:

  1. Rule to correlate alerts from same Host occurring within 60 mins from the first alert will be defined as follows:

Correlation Attributes: Host

Time Window: 60 Mins

Rank: 1

Filter: NA

  1. To correlate alerts of different Managed Objects based on Alert Type from the same Data Center occurring within 60 mins from the first alert, the rule will be defined as follows

Correlation Attributes: Alert Type, Data Center

Time Window: 60 Mins

Rank: 1

Filter: NA

  1. To correlate alerts coming from the same family for a duration of 30 minutes.

Correlation Attributes: Context Family

Time Window: 30 Mins

Rank: 1

Filter: NA

  1. To correlate availability alerts coming from the same family for a duration of 30 minutes.

Correlation Attributes: Context Family

Time Window: 30 Mins

Rank: 1

Filter: Alert Category

Condition : Is

Value : AVAIL

  1. To correlate availability alerts coming from the same family for a duration of 30 minutes but do not correlate alerts from data center Prio.

Correlation Attributes: Context Family

Time Window: 30 Mins

Rank: 1

Filter: Alert Category

Condition : Is

Value : AVAIL

Filter: Data Center

Condition : Is not

Value : PRIO

In conclusion, understanding correlation rules in SAP Focused Run Alert Management is crucial for efficient and effective alert management. By leveraging correlation rules, users can reduce noise and false positives, prioritize critical alerts, and streamline incident resolution. This can ultimately lead to improved operational efficiency and better overall system performance.

 #SAPFocusedRun

 

2 Comments