Alert Correlation

Last updated on 26 February, 2024

Alert correlation is the process of grouping alerts into a single unified incident. Alert correlation offers the following benefits:

  • Identify significant alerts
  • Identify alerts that need further investigation
  • Understand alerts better by seeing the relationships between alerts from various sources

In Dexda, alerts are correlated into:

  • Insights – Insights are collections of alerts that have been automatically grouped. Insights are displayed in dashboards and can be further investigated through inspection views. Insights have a lifecycle that completes when an insight is set to closed. An insight can be closed through automation or manually from the user interface.
  • Singleton Alerts – When no correlations are found, similar data that has passed the maximum correlation time is combined to form a singleton alert. Singleton alerts are escalated as individual alerts.

New alerts and their updates are the output of LogicMonitor’s Alert Evaluation processing phase. Each alert transaction, such as creation, upgrade, downgrade, and closure, resulting from that phase is processed as a separate event in Dexda.

Alerts in Dexda have their lifecycle represented in a series of escalation states from new through to closed. When a Dexda alert is in an open state, any reoccurrence of a LogicMonitor alert instance will be deduplicated under the open alert. This ensures that alert state is accurately reflected in Dexda, and provides a point of control for correlation and escalation.
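
The deduplication described above can be modelled in a few lines. This is an added illustration, not LogicMonitor's or Dexda's code: the `DexdaAlert` class, the `instance` key, the severity values and the sample events are constructed, and opening a fresh alert when an instance reoccurs after closure is an assumption.

```python
from dataclasses import dataclass, field

# Transaction types named on the page; everything else is a hypothetical model.
TRANSACTIONS = {"creation", "upgrade", "downgrade", "closure"}

@dataclass
class DexdaAlert:
    instance: str             # hypothetical key for a LogicMonitor alert instance
    severity: str
    state: str = "new"        # the page names only "new" and "closed"
    event_count: int = 1      # events folded into this alert while it was open
    history: list = field(default_factory=list)

def process(events):
    """Handle each alert transaction as a separate event, deduplicating per instance."""
    open_alerts, all_alerts = {}, []
    for ev in events:
        if ev["type"] not in TRANSACTIONS:
            raise ValueError(f"unknown transaction: {ev['type']}")
        alert = open_alerts.get(ev["instance"])
        if alert is None:
            if ev["type"] == "closure":
                continue      # assumption: a closure with nothing open is ignored
            alert = DexdaAlert(ev["instance"], ev["severity"])
            open_alerts[ev["instance"]] = alert
            all_alerts.append(alert)
        elif ev["type"] == "closure":
            alert.state = "closed"
            del open_alerts[ev["instance"]]
        else:                 # reoccurrence or severity change under the open alert
            alert.event_count += 1
            alert.severity = ev["severity"]
        alert.history.append(ev["type"])
    return all_alerts

# Constructed sample stream: lm-1 reoccurs while open, closes, then fires again.
SAMPLE_EVENTS = [
    {"instance": "lm-1", "type": "creation", "severity": "warning"},
    {"instance": "lm-1", "type": "upgrade", "severity": "error"},
    {"instance": "lm-1", "type": "creation", "severity": "error"},
    {"instance": "lm-2", "type": "creation", "severity": "warning"},
    {"instance": "lm-1", "type": "closure", "severity": "error"},
    {"instance": "lm-1", "type": "creation", "severity": "warning"},
]
```

Running `process(SAMPLE_EVENTS)` yields three alerts rather than six: the first `lm-1` alert absorbs its upgrade and reoccurrence before closing, which is the single point of control that correlation and escalation then work from.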