Please Let me questions.
We have set up incidents for the following rules.
Evalution Timeframe: 1 minits
Incident Severity: Severe
When the threshold is exceeded under this condition, is the output to the incident log once a minute?
I understand that the data for evaluation is acquired every 10 seconds.
Even with the above setting, I am afraid that one incident exceeding the threshold will be output to the incident log 6 times every 10 seconds.
Please let me know my understanding is correct.
Once an incident is created it will remain open until the measures are no longer violating the thresholds given your incident configuration.
So in your case every 10 seconds the incident engine will look at the last rolling 1 minute window and pull the maximum value that it saw. It will compare this to the severe threshold and if it is in violation an incident will be created.
Every 10 seconds it will continue looking at that last rolling one minute window and if it is still in violation then no new incident will be created but rather that first incident will remain open. A new incident will not be created until the previous one has ended.
This page has some good information: