Intelligent Alert Grouping
- Updated on 30 Sep 2025
AlertOps OpsIQ – Intelligent Alert Grouping (AIOps)
Overview
The Intelligent Alert Grouping (AIOps) feature in AlertOps leverages Natural Language Processing (NLP) and content-based similarity matching to automatically merge related alerts.
Key Benefits:
• Merged Alerts: Alerts in the "merged" state will not trigger notifications, reducing alert noise
• Workflows: Even when alerts are merged, workflows can be configured (e.g., update a ticket, trigger automation)
• Testing Capability: This feature can be tested with historical data or applied in production with AutoMerge
• Smart Correlation: Uses advanced algorithms to identify related incidents across multiple integrations
Navigation to AIOps Features
From the Main Menu top navigation, select AIOps.
Two drop-down options will appear:
• AIOps Test - For configuration and simulation with historical alerts
• AIOps - For live production configuration with AutoMerge capability
We will cover AIOps Test first, followed by AIOps production mode.
AIOps Test (Simulation Mode)
The AIOps Test option allows configuration and simulation with historical alerts. You can simulate merge behavior against up to 100 past alerts within a specified date/time range.
This is the recommended approach before enabling live AutoMerge functionality.
AIOps Test Configuration Options
Alert Type
Select an alert type for the merge configuration. Only the relevant custom fields associated with that alert type will appear below.
Integration
Choose one or more integrations whose alerts should be correlated, both within and across integrations. This allows you to merge alerts from multiple monitoring sources.
Custom Fields (max 5)
Select up to 5 custom fields from the chosen alert type. These fields serve as evaluation criteria for NLP to decide merge eligibility.
Similarity Configuration
• Subject Minimum Similarity Score (0–1): Minimum subject similarity threshold
• Custom Fields Minimum Similarity Score (0–1): Minimum field similarity threshold
• Example: A threshold of 0.8 means alerts below 0.8 similarity will not merge
Weighting
• Subject Weight and Field Weight must add up to 100
• Example: If Subject Weight = 0, then Field Weight must be 100
• These determine the relative importance of subject vs. field matching
Combined Weight Minimum
Defines the overall similarity threshold (combined subject + fields + weights) required for merge.
Max Time Between Alerts
Defines the allowable time gap for merging alerts. Minimum value: 5 minutes.
Exact Match Fields
Specify fields that must match exactly (e.g., Company Name, IP Address, Site Name). This ensures alerts do not merge across unrelated entities.
Simulation Date Range
Select a start and end date for the simulation window.
Simulate Button
After configuring, click Simulate to test merge behavior on historical alerts.
AIOps (Production Mode)
The AIOps option (as opposed to Test) is where configurations are applied live.
All configuration options are identical to AIOps Test, with one key difference:
AutoMerge
When enabled, the system will automatically merge alerts in production based on the configured thresholds and rules.
Figure 2: AIOps Production Mode with AutoMerge Configuration
Click Submit to save and activate your AIOps configuration.
Key Notes & Best Practices
Testing First
• Always use AIOps Test before enabling AutoMerge to validate thresholds
• Run simulations with different date ranges to understand merge behavior
• Test with various similarity scores to find optimal settings
Conservative Approach
• Start with conservative thresholds (e.g., higher similarity scores) to avoid over-merging unrelated alerts
• Gradually adjust thresholds based on test results and operational feedback
• Monitor merged alerts regularly to ensure appropriate grouping
Exact Match Fields
• Always define Exact Match Fields when correlating alerts across multiple integrations
• Common exact match fields include: Company Name, IP Address, Site Name, Customer ID
• This prevents alerts from different customers or systems from being inappropriately merged
Workflow Integration
• Monitor workflows for merged alerts to ensure operational processes (like ticket updates) function as expected
• Test workflow behavior with merged alerts before production deployment
• Ensure that merged alerts still trigger necessary automation and notifications
Similarity Score Guidelines
• Subject similarity: Start with 0.7-0.8 for conservative merging
• Field similarity: Start with 0.8-0.9 for more precise matching
• Combined weight: Typically 0.6-0.8 depending on your alert patterns
Time Window Considerations
• Set appropriate time windows based on your incident patterns
• Too short: Miss related alerts that arrive with delays
• Too long: Risk merging unrelated incidents
• Typical range: 15-60 minutes depending on your environment
Configuration Examples
Example 1: Conservative Configuration
• Subject Minimum Similarity: 0.8
• Fields Minimum Similarity: 0.9
• Subject Weight: 30, Field Weight: 70
• Combined Weight Minimum: 0.7
• Max Time Between Alerts: 30 minutes
• Exact Match Fields: Company Name, Site Name
Example 2: Moderate Configuration
• Subject Minimum Similarity: 0.7
• Fields Minimum Similarity: 0.8
• Subject Weight: 50, Field Weight: 50
• Combined Weight Minimum: 0.6
• Max Time Between Alerts: 45 minutes
• Exact Match Fields: Customer ID, Environment
Example 3: Aggressive Configuration (Use with caution)
• Subject Minimum Similarity: 0.6
• Fields Minimum Similarity: 0.7
• Subject Weight: 60, Field Weight: 40
• Combined Weight Minimum: 0.5
• Max Time Between Alerts: 60 minutes
• Exact Match Fields: Company Name
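The following is an added example, not AlertOps code: a small model of the merge rules described above, run with the Example 1 values, showing that identical alert text from a different company merges (and so stops notifying) unless Exact Match Fields are set. Assumptions: difflib's ratio stands in for the product's NLP similarity, the combined score is taken as the weight-averaged subject and field scores, and the alert data, the `Host` and `Check` field names, and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from difflib import SequenceMatcher

@dataclass
class MergeConfig:
    subject_min: float
    fields_min: float
    subject_weight: int
    field_weight: int
    combined_min: float
    max_gap: timedelta
    custom_fields: tuple
    exact_match: tuple = ()
    def __post_init__(self):
        if self.subject_weight + self.field_weight != 100:
            raise ValueError("Subject Weight and Field Weight must add up to 100")

def sim(a, b):
    # Assumption: difflib ratio stands in for the product's NLP similarity score.
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()

def merge_decision(cfg, a, b):  # returns (would_merge, reason)
    for name in cfg.exact_match:  # hard gate, checked before any scoring
        if a["fields"].get(name) != b["fields"].get(name):
            return False, "exact match field differs: " + name
    if abs(a["time"] - b["time"]) > cfg.max_gap:
        return False, "outside time window"
    s = sim(a["subject"], b["subject"])
    scores = [sim(a["fields"].get(n, ""), b["fields"].get(n, "")) for n in cfg.custom_fields]
    f = sum(scores) / len(scores) if scores else 0.0
    if s < cfg.subject_min or f < cfg.fields_min:
        return False, "below minimum similarity"
    # Assumption: combined score is the weight-averaged subject and field scores.
    combined = (cfg.subject_weight * s + cfg.field_weight * f) / 100
    return (True, "merge") if combined >= cfg.combined_min else (False, "below combined minimum")

# Constructed sample alerts (not real data).
T0 = datetime(2025, 9, 30, 12, 0)
def alert(subject, company, minutes):
    return {"subject": subject, "time": T0 + timedelta(minutes=minutes),
            "fields": {"Company Name": company, "Site Name": "NYC", "Host": "db-01", "Check": "disk_usage"}}

A = alert("Disk usage above 90% on db-01", "Acme", 0)
B = alert("Disk usage above 95% on db-01", "Acme", 10)    # same company, 10 min later
C = alert("Disk usage above 90% on db-01", "Globex", 10)  # different company, same text
D = alert("Disk usage above 90% on db-01", "Acme", 45)    # same company, 45 min later
CONSERVATIVE = MergeConfig(0.8, 0.9, 30, 70, 0.7, timedelta(minutes=30),
                           ("Host", "Check"), ("Company Name", "Site Name"))
NO_EXACT = MergeConfig(0.8, 0.9, 30, 70, 0.7, timedelta(minutes=30), ("Host", "Check"))
```

Comparing `merge_decision(CONSERVATIVE, A, C)` with `merge_decision(NO_EXACT, A, C)` shows the cross-company pair blocked in the first case and merged in the second.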
Troubleshooting
Common Issues and Solutions
Alerts Not Merging
• Check similarity thresholds - they may be too high
• Verify exact match fields are not preventing appropriate merges
• Ensure time window is sufficient for your alert patterns
• Review custom field selections for relevance
Too Many Alerts Merging
• Increase similarity thresholds
• Add more restrictive exact match fields
• Reduce time window for merging
• Review and refine custom field selections
Simulation Not Working
• Verify date range contains sufficient historical alerts
• Check that selected integrations have alerts in the specified timeframe
• Ensure alert type matches your historical data
• Confirm custom fields exist in historical alerts
AutoMerge Not Activating
• Verify the Enable Auto Merge checkbox is checked
• Ensure configuration has been submitted successfully
• Check that alerts meet all configured criteria
• Review system logs for any error messages