What happens when you get the same email over and over and over? If you’re like most of us you get annoyed. And if it persists you could find yourself falling into the “Little Boy Who Cried Wolf” effect as you begin to ignore them altogether.

Monitoring busy IT environments can yield similar results – being overwhelmed with too many notifications saying the same thing over and over again to the point where you may begin to ignore them and potentially miss some of the more critical ones. In this tech tip article we’ll dust off and revisit an old article on how to use threshold settings to control notifications.

Thresholds determine how many times identical events can occur before a Notification Method will be executed, or stopped from executing. It is important to identify what increments the event counter. For example, consider this sequence of events:

Computer Source Event Message
ImageWriter 7 Printer out of paper
ImageWriter 7 Printer out of paper
ImageWriter 7 Printer out of paper
ImageWriter 7 Printer out of paper
ImageWriter 7 Printer out of paper
MyDC1 EEMSVR 5506 Ping failure. System down.
ImageWriter 7 Printer out of paper
ImageWriter 7 Printer out of paper

You probably don’t want the ping failure suppressed by chatty printer messages. ELM handles this by incrementing only for identical events; that is, events that have the same four fields:

  • Computer Name
  • Source
  • User Name
  • Event ID

There are three main threshold settings available in ELM: Disable, Activate and Consolidate, as seen in this properties screen.

Notification Threshold Settings
The first threshold setting will allow you to receive the first few notifications that occur within the specified time period, then disable the notification for a set period before automatically re-enabling it again. This basically allows you to get the first few messages that you specify you want, then staggers the messages or creates a “sleep period” giving you time to take corrective actions.

The second setting allows you to activate the notification method only after it is triggered a specific number of times within a specified time period. By default, this is set to activate after occurring just one time. When this threshold is selected, the notifications will not be processed unless the rule is triggered the specified number of times within the time period selected. For example, if you set this to activate only after being triggered 3 times within 10 seconds for a logon failure, then you’ll get notified for one out of every three times that a logon failure occurs within 10 seconds.

This option can be used to consolidate notifications for barrage or “event storm” protection. If you are expecting potentially hundreds of messages in a short amount of time then this is a good option to use. It can be set to a specified number of similar events that occur or to a designated amount of time passing.

The final option within threshold settings is to disable this notification method for all Cached (old) data sent from a Service Agent. By default, 60 minutes is the window of time differentiating old data from new data. If an event occurred within the last hour, even though it may be from a Service Agent cache file, ELM will not treat it as (old) cached data. This feature is designed to account for and notify you of events that occur during a brief ELM Server outage such as a reboot, service restart, etc. The 60-minute window of time can be changed in the CacheDataTrigger value in the Registry on the ELM Server.
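The following Python model is an added example, not ELM's implementation: it keys counters on the four identical-event fields and applies the first two thresholds described above to a constructed version of the printer and ping sequence. The class and function names, the PRINTSRV1 computer name, the blank user name and the limit, window and sleep values are all assumptions.

```python
from collections import defaultdict, deque

def event_key(ev):
    # Identical events share the four fields the article lists.
    return (ev["computer"], ev["source"], ev["user"], ev["event_id"])

def prune(times, now, window):
    while times and now - times[0] >= window:  # drop timestamps outside the window
        times.popleft()

class DisableThreshold:
    """Deliver the first `limit` notifications within `window` seconds,
    then mute that key for `sleep` seconds."""
    def __init__(self, limit, window, sleep):
        self.limit, self.window, self.sleep = limit, window, sleep
        self.sent, self.muted_until = defaultdict(deque), {}
    def should_notify(self, ev):
        key, now = event_key(ev), ev["time"]
        if now < self.muted_until.get(key, 0):
            return False
        prune(self.sent[key], now, self.window)
        self.sent[key].append(now)
        if len(self.sent[key]) >= self.limit:
            self.muted_until[key] = now + self.sleep  # start the sleep period
            self.sent[key].clear()
        return True

class ActivateThreshold:
    """Notify on every `count`-th identical event within `window` seconds."""
    def __init__(self, count, window):
        self.count, self.window = count, window
        self.seen = defaultdict(deque)
    def should_notify(self, ev):
        key, now = event_key(ev), ev["time"]
        prune(self.seen[key], now, self.window)
        self.seen[key].append(now)
        if len(self.seen[key]) < self.count:
            return False
        self.seen[key].clear()  # counter restarts after firing
        return True

def delivered(threshold, events):
    return [(e["time"], e["event_id"]) for e in events if threshold.should_notify(e)]

def make_event(t, computer, source, event_id):
    return {"time": t, "computer": computer, "source": source, "user": "", "event_id": event_id}

# Constructed sample: a chatty printer with one ping failure in the middle.
EVENTS = sorted([make_event(t, "PRINTSRV1", "ImageWriter", 7) for t in (0, 1, 2, 3, 4, 6, 7)]
                + [make_event(5, "MyDC1", "EEMSVR", 5506)], key=lambda e: e["time"])
```

In this model, `delivered(DisableThreshold(2, 60, 300), EVENTS)` lets the ping failure through while the printer is muted, whereas `delivered(ActivateThreshold(3, 10), EVENTS)` never delivers the ping failure because it occurs only once.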

Modifying your threshold settings within the various notification methods helps you to fine tune the information you are receiving from ELM and can help to narrow down the number of notifications you receive that you may not need or want.

You can also create unique schedules with different notification types and rules for further fine tuning (i.e., emails during working hours, pager notification after hours).

We hope that you found this article on Control Notification Frequency With Thresholds useful and wish you continued success with ELM.