In Chapter 5, Working with Management Packs, we discussed the difference between monitors and rules and in the context of alert tuning, it's important to have the ability to easily identify when an alert is generated by one or the other.
A quick way to identify if an alert was generated by a monitor is to click on the alert from within the console and check either the Alert Details or Alert Actions pane to see if they refer to a monitor as shown in Figure 8.4.
Alerts generated by monitors tend to behave differently and have a lot more options that can be configured with overrides than alerts generated by rules.
If you need to change how an alert generated by a monitor behaves, then you'll need to configure an override for that alert. Overrides can be configured within the console using the Monitoring, My Workspace or Authoring workspaces.
The following steps will walk you through creating an override from the Monitoring workspace for an alert generated by a monitor:
When creating an override, you will be presented with five options for which you have to target the override. The first option at the top of the list (For the object:) will always target the override of the actual object which raised the alert, and the second option (For all objects of class:) will target the override of all objects of that same class.
If you wish to target an override at a group, then choose the third option (For a group:) and the fourth option (For a specific object of class:) targets a different object of the same class that generated the original alert. The fifth option in the list (For all objects of another class:) is the least used option when overriding alerts and it enables you to target objects from another class to the one that raised the alert in the first place.
This is probably a good time to point out a golden rule in OpsMgr when creating overrides. You should always choose an unsealed management pack that references the sealed management pack from which you can make the override to and never save any overrides into the Default Management Pack.
The reason for this is that it can cause dependency issues at a later stage when you want to upgrade or remove other management packs and you'll need to break out your XML editing skills to fix those issues, which are never fun!
Should you come across a console full of alerts, the temptation to just select everything, right-click and hit the Close Alert option is something that might be appealing to you, but in the case of alerts generated by monitors, this isn't the wisest thing to do!
An alert generated by a monitor impacts the health state of a monitored object and when the issue that initially caused the alert is resolved then the monitor will self-heal and automatically close the alert. If you decide to manually close an alert generated by a monitor without the condition that originally caused the alert to fire being resolved, then you will end up with a closed alert but a still unhealthy object that can appear hidden unless you're looking at a state view or using the Health Explorer to view that object.
When you find that a particular monitor is generating unnecessary and noisy alerts on a regular basis, then instead of constantly just closing the alert, you should either create an override to modify the thresholds of how the alert fires or simply disable it.
Here's one way to properly disable an alert generated by a monitor:
Disabling an alert in the Monitoring workspace like this is an easy way to disable the monitor for a specific object, class or group without having to go through additional steps from within the Authoring workspace.
3.149.243.32