Suppressing multiple policy executions
You can define a policy that executes its actions when no prior compliance violations have been logged in the past minute. This helps to suppress multiple notifications (or auto-remediations) when a single change introduces multiple violations.
To suppress multiple policy executions by using a keyword
- Create a keyword for detecting compliance violations (for example, Compliance Violation Detected).
- Create two conditions that use this keyword — one is non-triggering and the other is triggering.
  - Non-triggering condition (for example, Compliance Violation Past)
  - Triggering condition (for example, Compliance Violation Detected Now)
- Create a policy (for example, Compliance Violation) with the policy conditions to trigger actions (for example, notify and auto-remediate) only when no other compliance violations have occurred in the last minute.
To suppress multiple policy executions by using Execution Delay
Another technique for eliminating unnecessary policy executions is to enable the Execution Delay option in an event-based policy. When the delay is enabled, a policy does not run the moment that it is triggered. Instead, it delays its execution (actually, the execution of the job that it creates) for the specified number of minutes. If another identical trigger on the same device occurs while the job is still waiting to run, that trigger is ignored. Once the delay expires and the job runs, a new trigger causes the policy to run again. See Adding or editing a policy.
For example, if you are in a change window and are manually manipulating the settings in an IOS device, you might be going in and out of config mode numerous times. Each time you exit config mode, a syslog message is sent to the server, which triggers the Auto Archive policy. If you do not want every exit of config mode to trigger an Auto Archive execution (and create a new configuration), you can edit the Auto Archive policy and enable the delay. This reduces the quantity of small incremental changes that appear in the configuration history.
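The Execution Delay behavior described above can be modeled in a few lines. This is an added illustration, not code from the product: the function name, device names, and trigger times are constructed, and treating a trigger that arrives exactly when the job runs as a new trigger is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trigger:
    minute: int   # arrival time, in minutes from the start of the change window
    device: str
    policy: str


def schedule_jobs(triggers, delay_minutes):
    """Model of the delay: returns (jobs, ignored).

    jobs    -- list of (run_at_minute, device, policy), one per job created
    ignored -- triggers dropped because an identical job was still waiting
    """
    pending = {}  # (device, policy) -> minute at which the waiting job runs
    jobs, ignored = [], []
    for t in sorted(triggers, key=lambda t: t.minute):
        key = (t.device, t.policy)
        run_at = pending.get(key)
        # An identical trigger on the same device while the job waits is ignored.
        if run_at is not None and t.minute < run_at:
            ignored.append(t)
            continue
        # Otherwise the trigger creates a job that runs after the delay.
        # Assumption: a trigger arriving exactly at run time counts as new.
        run_at = t.minute + delay_minutes
        pending[key] = run_at
        jobs.append((run_at, t.device, t.policy))
    return jobs, ignored


# Constructed sample: config-mode exits reported by syslog on two IOS devices.
SAMPLE_TRIGGERS = [
    Trigger(0, "ios-rtr-1", "Auto Archive"),
    Trigger(2, "ios-rtr-1", "Auto Archive"),
    Trigger(3, "ios-rtr-2", "Auto Archive"),
    Trigger(4, "ios-rtr-1", "Auto Archive"),
    Trigger(11, "ios-rtr-1", "Auto Archive"),
    Trigger(12, "ios-rtr-1", "Auto Archive"),
]

if __name__ == "__main__":
    jobs, ignored = schedule_jobs(SAMPLE_TRIGGERS, delay_minutes=10)
    for run_at, device, policy in jobs:
        print(f"minute {run_at}: run {policy} on {device}")
    print(f"{len(ignored)} triggers ignored")
```

With a 10-minute delay, the six sample triggers produce three archive jobs. Triggers on different devices are tracked separately, so activity on one device does not suppress a job for another.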