In the Xanadu release, a new tag-based alert correlation mechanism was introduced using the Query job (via the Service Analytics RCA/Alert Aggregation job). We have identified an issue where alerts matching different tag-based definitions may not be grouped correctly if they arrive close together in time. This behavior is specific to the new correlation method and does not occur with the legacy mechanism.

Steps to Reproduce

1. Create 2 TBAC rules: the first has the filter "source=test^metric_name=789^ORmetric_name=012^severity=2^ORseverity=3 ", the second has the filter "source=test^metric_name=123^ORmetric_name=456^severity=1".
2. Create a TBAC rule that does not have metric_name in the filter: "source=test".
3. Send an event that does not match the first 2 rules.
4. Send an event that matches the first rule.
5. The alerts that are not supposed to be grouped will be grouped.
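To check test events against the three filters before sending them, the following added example (not ServiceNow code and not part of the original article) evaluates the subset of encoded-query syntax these filters use. The rule labels and sample events are constructed, and it assumes ^OR attaches to the condition immediately before it; it checks filter matching only and does not model the correlation job.

```javascript
// Added example: matches constructed events against the TBAC filters above.
// Supports only field=value conditions joined by ^ (AND) and ^OR (OR).
// Assumption: ^OR extends the condition just before it, so
// a^b^ORc is read as a AND (b OR c).
function parseFilter(encoded) {
  const groups = []; // AND-list of OR-groups
  // trim() drops the trailing space present in the first filter as published
  for (const term of encoded.trim().split('^').filter(Boolean)) {
    const isOr = term.startsWith('OR');
    const cond = isOr ? term.slice(2) : term;
    const eq = cond.indexOf('=');
    if (eq < 1) throw new Error('unsupported condition: ' + term);
    const test = { field: cond.slice(0, eq), value: cond.slice(eq + 1) };
    if (isOr && groups.length > 0) groups[groups.length - 1].push(test);
    else groups.push([test]);
  }
  return groups;
}

// True when every AND-group has at least one satisfied condition.
function matches(encoded, event) {
  return parseFilter(encoded).every(group =>
    group.some(t => String(event[t.field]) === t.value));
}

// Filters copied from the reproduction steps; the labels are hypothetical.
const RULES = {
  rule1: 'source=test^metric_name=789^ORmetric_name=012^severity=2^ORseverity=3 ',
  rule2: 'source=test^metric_name=123^ORmetric_name=456^severity=1',
  rule3: 'source=test',
};

function matchingRules(event) {
  return Object.keys(RULES).filter(name => matches(RULES[name], event));
}

// Constructed sample events for the two "send event" steps.
const EVENTS = {
  noSpecificRule: { source: 'test', metric_name: '999', severity: '4' },
  firstRule: { source: 'test', metric_name: '789', severity: '2' },
};

for (const [name, event] of Object.entries(EVENTS)) {
  console.log(name, '->', matchingRules(event).join(', ') || '(none)');
}
```

An event that lists only rule3 is the one for the "does not match the first 2 rules" step; an event that lists rule1 is the one for the "matches the first rule" step.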
As a workaround, disable the new tag-based clustering logic by setting the following property:

sa_analytics.agg.tag_based_clustering_from_agg_job = false

This will revert the alert correlation behaviour to the legacy mechanism, which does not exhibit the problem and will correctly group the alerts.

Important Notes: This property is hidden by default. You must manually create the sa_analytics.agg.tag_based_clustering_from_agg_job property in your instance to apply the workaround.

This problem is currently under review and targeted to be fixed in a future release. Subscribe to this Known Error article to receive notifications when more information becomes available.
PRB1872971