FortiMonitor
FortiMonitor is a holistic, SaaS-based digital experience and network performance monitoring solution that combines monitoring, network incident management, automation, and network configuration management into a single source of truth.
RobB22
Staff
Article Id 250991

Description

 

This article explains the behavior of merging alerts or incidents in FortiMonitor.

 

Scope

 

Any supported version of FortiMonitor.

 

Solution

 

Alert Merging

 

FortiMonitor often processes alerts in batches to reduce alert fatigue for notification recipients. A merged alert resembles the captured email alert below. Highlights of different colors illustrate the different threshold breaches that have been combined into a single alert email.

 

[Screenshot: merged alert email, with the combined threshold breaches highlighted in different colors]

Alert Merge Logic

 

The internal logic that governs which alerts are merged is outlined in the table below.

 

| Alert Type | Merge Logic |
|---|---|
| Email, SMS, Voice | If multiple incidents are detected, queued to be sent within 30 seconds of each other, and alerting to the same timeline, these alerts will be processed as a batch, merging the alerts. |
| Webhooks, Other Integrations | Incidents producing alerts through webhooks and other integrations will generate an individual alert for each incident, ignoring the merge logic described above. |
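The merge rules in the table above, modeled as an added Python example (not FortiMonitor's own code). It assumes batches are keyed on channel plus timeline and that the 30-second window is measured from the first alert in a batch; `QueuedAlert`, `plan_notifications` and the sample queue are hypothetical.

```python
from dataclasses import dataclass

MERGE_WINDOW_S = 30                          # "within 30 seconds of each other"
MERGED_CHANNELS = {"email", "sms", "voice"}  # webhooks/integrations never merge

@dataclass(frozen=True)
class QueuedAlert:          # hypothetical record, not a FortiMonitor structure
    incident_id: int
    channel: str
    timeline: str           # alert timeline the incident notifies
    queued_at: float        # seconds since an arbitrary start

def plan_notifications(alerts):
    """Return the notifications that would go out, each a list of incident ids."""
    notifications = []
    open_batches = {}       # (channel, timeline) -> (first queued_at, id list)
    for a in sorted(alerts, key=lambda x: x.queued_at):
        if a.channel not in MERGED_CHANNELS:
            notifications.append([a.incident_id])   # one alert per incident
            continue
        key = (a.channel, a.timeline)
        batch = open_batches.get(key)
        # Assumption: the window is anchored at the first alert of the batch.
        if batch and a.queued_at - batch[0] <= MERGE_WINDOW_S:
            batch[1].append(a.incident_id)
        else:
            ids = [a.incident_id]
            open_batches[key] = (a.queued_at, ids)
            notifications.append(ids)
    return notifications

# Constructed sample queue (not real FortiMonitor data).
SAMPLE = [
    QueuedAlert(1, "email", "ops", 0),
    QueuedAlert(2, "email", "ops", 12),
    QueuedAlert(3, "email", "ops", 29),
    QueuedAlert(4, "email", "ops", 45),    # more than 30 s after incident 1
    QueuedAlert(5, "email", "dba", 10),    # different timeline
    QueuedAlert(6, "webhook", "ops", 5),
    QueuedAlert(7, "webhook", "ops", 6),
]

if __name__ == "__main__":
    for n in plan_notifications(SAMPLE):
        print(n)
```

A receiver that counts notifications rather than incidents will see three emails on the "ops" and "dba" timelines for five incidents, while the webhook integration sees every incident individually.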


Incident Merging

 

Incident merging only occurs when multiple network checks on the same instance (typically a network device) are confirmed within approximately 10 minutes of each other. These individual occurrences will be batched into a single incident located in the Incident Hub in the control panel. This helps to reduce additional alert fatigue when dealing with incidents like those caused by intermittent network traffic loss and related issues.

 

Availability Impact

 

[Flowchart: availability impact of incident merging]

 

As shown in the flowchart above, only the first incident is used to calculate availability when incident merging occurs. Subsequent incidents will not impact availability metrics. Aggregated details regarding instance and metric availability are provided by the availability report.

 

 
