## Incident rule with many measures (OR/AND) doesn't trigger if one AND is not met

Newcomer

Hello,

I have an incident rule with many OR conditions. I want to add 2 measures that are tied together (AND).

My rule looks like this:

• Web Request Count == 0 OR
• ResponseTime > 5000 OR
• FailedTransactionPercentage > 10% AND
• FailedTransactionCount > 20

The logic would be ( WebRequestCount || ResponseTime || ( FailedPercentage && FailedCount) ) but it doesn't act that way. It never triggers if the AND is present, I tried to put them at the beginning or at the end, no result.

Is there a way to make it work without having to duplicate the incident rule, one with the OR conditions, and the one with AND?

4 REPLIES

I just avoid combining and/or logic with incident rules. I don't fully understand how it evaluates them (I've heard it described as sequential) but have never gotten it working as you would expect. If you search older posts you'll likely find similar experiences by others. If possible I would just create separate rules to avoid mixing them.

James

Hello @Yann A.

As @James K. said, the understanding can be a bit tricky, but I believe if we understand the theory below accordingly then we should gain the desired results.

Multiple conditions can be concatenated logically. When the condition is evaluated, no operator precedence (AND stronger than OR) is applied:

• If the first FALSE condition is followed by an AND concatenation, then the complete expression evaluates to FALSE.
• If the first FALSE condition occurs after an AND concatenation, then the complete expression evaluates to FALSE.
• If the first TRUE condition is followed by an OR concatenation, then the complete expression evaluates to TRUE.

For example:

• true AND false OR true — evaluates to false
• true OR false AND true — evaluates to true
• true OR false AND false — evaluates to true
• false AND true — evaluates to false

If measures are combined with AND, their splittings have to match. If the first condition is violated by a measurement from an Agent, and the second condition is violated by a measurement from a different Agent, the combination will not be seen as violating.
The matching takes into account the available splittings of each measure. For example, if an agent-based measure is combined with a monitor-based measure by the AND operator, it will only need matching hosts. Similarly, if one of the measurements is agent-based and the other is host-based (the example screenshot above shows such a scenario, as Current CPU load is agent-based and CPU Total Time is host-based), only the host will have to match.
Some measures might contain additional splitting information beyond Agent/host/application, for example Garbage Collector type. If both relevant measures have these splittings, the splitting values must match; if only one of the involved measures does, the values will be ignored.

Regards,

Babar
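The evaluation rules quoted in the reply above, written out as a small model and applied to the rule from the question (an added example, not part of any post and not the product's own code). The left-to-right scan is one reading of the three quoted rules, the short names `req`, `resp`, `pct`, `cnt` are hypothetical, and the splitting match that AND also requires is not modelled.

```python
from itertools import product

def evaluate(values, ops):
    """Scan left to right applying the three quoted rules (no operator precedence)."""
    for i, v in enumerate(values):
        nxt = ops[i] if i < len(ops) else None
        prev = ops[i - 1] if i > 0 else None
        if not v and "AND" in (nxt, prev):
            return False      # FALSE directly before or after an AND: rule is FALSE
        if v and nxt == "OR":
            return True       # TRUE followed by an OR: rule is TRUE
    return values[-1]         # assumption: otherwise the last condition decides

def intended(req, resp, pct, cnt):
    """Logic the question asks for: req || resp || (pct && cnt)."""
    return req or resp or (pct and cnt)

# Constructed orderings of the four conditions from the question.
AND_LAST = (["req", "resp", "pct", "cnt"], ["OR", "OR", "AND"])
AND_FIRST = (["pct", "cnt", "req", "resp"], ["AND", "OR", "OR"])

def disagreements(names, ops):
    """Every truth assignment where the scan and the intended logic differ."""
    out = []
    for bits in product([False, True], repeat=len(names)):
        m = dict(zip(names, bits))
        got = evaluate([m[n] for n in names], ops)
        want = intended(**m)
        if got != want:
            out.append((m, got, want))
    return out

if __name__ == "__main__":
    # The four examples listed in the reply.
    print(evaluate([True, False, True], ["AND", "OR"]))   # true AND false OR true
    print(evaluate([True, False, True], ["OR", "AND"]))   # true OR false AND true
    for label, (names, ops) in (("AND last", AND_LAST), ("AND first", AND_FIRST)):
        diffs = disagreements(names, ops)
        print(f"{label}: {len(diffs)} of 16 assignments differ from the intended logic")
        for m, got, want in diffs:
            print("   ", m, "scan:", got, "intended:", want)
```

Under this reading the AND pair placed last agrees with the intended logic in every case, while the AND pair placed first suppresses the OR conditions whenever either AND operand is false, and every such disagreement is an alert that would not fire.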

Pro

Hello, Yann. It is always best to break the multiple violations into separate incidents, since the evaluation (as of now) doesn't deal with priority or associativity, and also in favour of server performance. Also, you can export such idempotent incidents as JSON using a plugin for the further application of "intelligence".

Newcomer

Thanks for the replies.

@Babar Q., I already read the documentation but it is not very clear. The way it manages logical operators is not very logical.

I like to have one incident rule for a specific service, whichever violation occurs. But I guess I will have to split them to achieve what I want.