This documentation supports the releases of BMC Helix Service Monitoring till September 2021 (21.3.03). Documentation for later versions is available in the BMC Helix AIOps documentation space. To view the documentation, select a version from the Product version menu.

Policy-based situations


A situation comprises events associated with the same host or with different hosts that are aggregated based on their occurrence, message, topology, or a combination of these factors. Events are collected from multiple sources across infrastructure, application, and network resources available from various monitoring solution vendors.

As a tenant administrator or a custom user with manage situations permissions, you can create a policy-based event aggregation to:

  • Derive actionable insights.
  • Investigate the aggregated events.
  • Reduce the event noise.
  • Improve the mean time to resolve (MTTR) based on the situation-driven workflow.
  • Lower the mean time to detect or discover (MTTD) and the time required for investigating tickets.

Policy-based situations

The policy-based (also known as rule-based) situation uses a correlation event policy created in BMC Helix Operations Management to aggregate events and identify situations in the system. 

Illustration

The following diagram shows how situations are created from the raw events:

situations_workflow_2102.png

Example

If a host is shut down, you will receive numerous events related to various applications running on that host.

In this scenario, you can create a correlation policy to aggregate all the events with the same host name: Host_1.

Events received:

  • Unable to authenticate application1 at <hh:mm:ss>
  • Process down at <hh:mm:ss>
  • Memory utilization > 20% at <hh:mm:ss>
  • Memory utilization > 60-80% at <hh:mm:ss>
  • Longer time to load app at <hh:mm:ss>

Derived Situation from the example scenario:

Server is down at <hh:mm:ss>.
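
The host-name correlation from the example above, as an added Python illustration; it is not BMC Helix code and does not use the product's policy syntax. The function name, the 120-second gap window, the three-event minimum, and the timestamps are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (host, time, message); not output from any BMC product.
SAMPLE_EVENTS = [
    ("Host_1", "10:00:05", "Unable to authenticate application1"),
    ("Host_1", "10:00:07", "Process down"),
    ("Host_2", "10:00:09", "Memory utilization > 20%"),
    ("Host_1", "10:00:20", "Memory utilization > 60-80%"),
    ("Host_1", "10:00:41", "Longer time to load app"),
    ("Host_1", "10:30:00", "Process down"),
]

def correlate_by_host(events, window_seconds=120, min_events=3):
    """Group events per host; a gap longer than the window starts a new group.

    Groups with fewer than min_events stay as plain events, so an isolated
    alert is not promoted to a situation. Both thresholds are assumptions.
    """
    window = timedelta(seconds=window_seconds)
    per_host = defaultdict(list)
    for host, ts, message in events:
        per_host[host].append((datetime.strptime(ts, "%H:%M:%S"), message))

    situations = []
    for host, items in sorted(per_host.items()):
        items.sort()
        group = [items[0]]
        for item in items[1:] + [None]:  # None flushes the final group
            if item is not None and item[0] - group[-1][0] <= window:
                group.append(item)
                continue
            if len(group) >= min_events:
                situations.append({
                    "host": host,
                    "first_seen": group[0][0].strftime("%H:%M:%S"),
                    "last_seen": group[-1][0].strftime("%H:%M:%S"),
                    "messages": [m for _, m in group],
                })
            group = [item]
    return situations

if __name__ == "__main__":
    for s in correlate_by_host(SAMPLE_EVENTS):
        print(s["host"], s["first_seen"], s["last_seen"], len(s["messages"]))
```

The later "Process down" on Host_1 and the single Host_2 event fall below the minimum and stay uncorrelated, which is the noise-reduction trade-off to tune when choosing the window and threshold.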
