MARS Red (High) Incidents email alert

FYI for anyone else trying to do this - This is what TAC said:

Currently it's not possible to have MARS send an alert for RED incidents for all rules. At the moment you can set an alert on a specific rule, not on any rule with one severity.

This limitation is currently being addressed through enhancement request CSCse89349 (Receive email notification for All Red Severity Incidents).

mhellman Mon, 07/02/2007 - 06:22

Until it is enhanced, here is one possible option that will get you close to what you want:

Create a scheduled report to run every hour.

Qry format = "matched incident ranking". Make sure "use only firing events" is checked. Click on the events column in the query and change "Restrict to Severity" to "RED". Change the time to last 1 hour.

This report should only contain severity red incidents. Of course it's only hourly, but it gets you closer.

srue Mon, 07/02/2007 - 09:09

I created a rule that will send out an email alert anytime it sees the severity as RED - all other fields left at 'any'. It sends out a link via email every time a high alert event is triggered. I defined the action to email me.

mhellman Mon, 07/02/2007 - 09:26

I believe the problem is that this doesn't tie directly to an incident. I think the OP wants 1 notification per red incident.
