Troubleshooting Tip: How to investigate why an incident is not triggered by a rule

Step-by-step guide:

1. Identify the Rule that did not trigger and did not create an Incident.
2. Ensure the Rule is active, and active for the Organization(s), if relevant.
3. Assure that the Device involved is not in Maintenance mode (check Maintenance Calendar).
4. Check the value of Allow Incident Firing On (Admin -> General Settings -> Monitoring page).  If set to Approved Devices Only, then check in CMDB to make sure the device is Approved.
5. Review the sub-pattern conditions.
6. Review any exceptions defined in the rule.
7. Run a historical search with the EXACT same criteria and Group By as the rule sub-pattern conditions and for the time window that incident should have been created.

    

   1. Check for any matched events.

   2. Check if the required number of matched events correspond to the rule

8. If exceptions are defined, then rerun historical search from 7 while adding the exclusion conditions to the criteria.

   1. Check if there are any matched events.

   2. Check for the number of matched events. Check if the queries return the required number of matched events from the rule.

   3. Check if these matched events are within the time window of the rule.

9. Copy the original non-parsed "raw event" from an example event to the clipboard and use it to test the rule, using the Test Rule functionality (Note: this only works at Super level and with a rule that is inactive). Test whether it passes the test and creates an Incident.

10. If everything above supports that the rule should have fired and created an incident, create a support case and provide the following information:

• Raw event export from step 7.
• Rule export XML.
• Screenshot of any exceptions, if they are defined.
• Full AO logs from Super (and Workers if applicable)

See the related article below for more information.