This post is more than 5 years old
1 Rookie
•
34 Posts
0
51948
December 12th, 2014 00:00
Support Assist Alert Threshold
Hi,
This is Sushma. I have installed Support Assist in my environment . Since I am very new to this tool, I have setup this by reading various documents. I am struck up at a particular point and I appreciate if someone could guide me correctly. I need clarifications on few of the things and they are as follows:
- Based on what criteria will Support Assist create a case?
- How many time an alert should occur and in what frequency should it occur for a case to be created?
- A case will be created for what type of alerts?
- Say suppose a case has been created in the midnight for a critical alert and I may not see it, so will Dell Technical Support person call me immediately and inform me on this?
Please help me on this.
Thanks in advance for your help!
Regards,
Sushma.
No Events found!
jbilinski
5 Practitioner
•
146 Posts
0
December 29th, 2014 07:00
Sushma,
Not sure of the exact definition of the EventSourceType, the best way I can explain it would be that each device is categorized as a different types. (Server, Storage, Network)
The EventSource defines the Event type, per the Dell MIB.
I found a definition from an older 1.3.1 user guide.
EventSourceType is basically the SNMP Enterprise OID – “Provides the enterprise OID (SNMP OID prefix) of the management information base (MIB) file that defines the event source that you want to monitor.”
This value in combination of the TrapID and EventID determine the policy threshold.
In your case, if you pulled the power cord and it generated an alert, you can plug it back in, wait, and pull the power cord again to generate the second alert.
In your last example, 5 alerts and 5 hours a case wouldn’t be created on the first alert. The alert is sent to Dell, stored in a table and once the 5th alert comes in, then it will create the case. If 5 hours pass, the table will be deleted and the threshold will start over at 1.
You can post the details (trapid, eventId and eventsource) here if you want me to double check the policy file on the server.
jbilinski
5 Practitioner
•
146 Posts
0
December 12th, 2014 06:00
Sushma
If you view the Policy File in SupportAssist this will give you a better idea of what type of alerts will create a case.
The Policy.xml file is located under:
C:\Program Files (x86)\Dell\Dell Integrated Support\bin\conf
Inside the policy file you will find two key attributes. Autocase and AlertThreshold
When an alert comes into SupportAssist from OME it checks this file, if the trapid/eventid combo is not in this file the alert is filtered out. If an alert is in the file then the alert will be sent to the SupportAssist server. It will only have the potential to create a case for alerts that have the “AutoCase” flag equal to Yes. If there is no autocase flag the alert is sent for informational purposes only.
Once the alert is sent to the server it will create a case based on the AlertThreshold.
For example some alerts have a threshold of FirstMatch, meaning only one alert of this type will create the case.
Another example could be Occurs(5,00-05:00:00), which is 5 alerts in a 5 hour span.
Critical alerts created after midnight or anytime you will receive an email about the alert and usually a tech support representative will contact you within 4 hours. Contact is based on the preferred method of contact which could be Email or Phone. The case will be displayed on the cases tab in SupportAssist. Any additional alerts on that device will not create a new case if one is open, it will only appended the alert details to the open case. When a case is created tech support diagnostics should run on that device and be uploaded to Dell provided the credentials are entered on the Settings page.
Please review the file and let me know if you have any additional questions
Joe
SushmaMurali
1 Rookie
•
34 Posts
0
December 17th, 2014 03:00
Hi Joe,
Thanks a lot for your reply! It gave me a better idea of the working of SA .
I have gone through the policy.xml file as said by you and have a clarification. Hope you could help me.. :)
In the policy.xml file I see a tag as Delta Severity with some number as the value of it say 2,3.
I could understand that based on this Delta Severity the Dell technician would work on the case.
If possible, can you brief me what does Delta Severity with 2 means and Delta Severity with 3 means?
Apart from that what is the purpose of Resolution Type flag in the poilcy.xml file?
Thanks in advance for your help!
Regards,
Sushma.
SushmaMurali
1 Rookie
•
34 Posts
0
December 18th, 2014 03:00
Hi Joe,
Hope you are doing great! I have another question apart from above.
I have gone through Dell Support Assist Reference Guide and found below comments:
"Dell may change a policy for a specific alert within the alert policy file for either the SupportAssist application or back-end infrastructure at Dell. This may be done from time to time, as Dell Technical Support and Engineering continue to incorporate experience from support case data with all customers."
When they polcy file is changed from time to time, does that mean it changes frequently, is it not a static one? If it changes, how frequently does it change?
Thanks & regards,
Sushma.
jbilinski
5 Practitioner
•
146 Posts
0
December 18th, 2014 11:00
Hi Sushma,
Sorry for the delay. I don’t actually work on the incidents that get created from SupportAssist so I had to reach out to some contacts to provide you with some answers.
Here is the feedback I received.
“The severity and Resolution Type fields do not directly impact whether a support case should be automatically created, but provide some context and information to the tech support team as they get oriented to the issue.
I believe the ProSupport Service description provides some customer facing information regarding what the severities mean. In general, we default the severity for all SupportAssist cases to Sev 3. At first contact, we obtain additional information to understand the impact of the alert to the customer’s environment and update the Severity accordingly.
The resolution types give the tech support team some information and direction on the resolution steps or actions necessary for the alert.
FA = Further Analysis. This means that the technician will need to analyze logs and review information, as potentially several root causes may be driving the alert.
DP = Dispatch. We know this alert has a higher likelihood of a part dispatch for a specific commodity. This message provides a more direction to tech support on the level of information needed before the dispatch is submitted. “
For your second question. I do not see policy changes happen all that often. New policies may be added with new releases but changes to existing policies are unlikely to change but are possible. I personally have seen one case where the threshold was at Occurs(10,00-01:00:00), which is 10 occurrences in 60 minutes.
When working with the client these alerts were not creating a case due to the fact SupportAssist would go into maintenance mode after the 9th alert and come out of maintenance mode in 30 minutes only to clear the threshold back to zero. So the team changed the policy to Occurs(5,0-01:00:00), 5 alerts in one hour to accommodate this case.
Hope this helps
Joe
SushmaMurali
1 Rookie
•
34 Posts
0
December 24th, 2014 06:00
Thanks Joe for your information! It helped me.
Another new question for which I need your help again.. :)
In my environment, I created an excel sheet out of the policy.xml file for easy reference, so that i can easily find the combo of trap id and event id and come to know as when a case would be created(for my reference purpose). Now I am clear with the fields Delta Severity and Resolution type. There is another filed i.e. Event Source Type, what does that mean? I see some value like .1.3.6.1.4.1.674.10892.1 which is constant throughout the policy.xml file. So if policy.xml file changes(either existing one or adding new one with new releases) will we be notified about it? If so, how?
I have seen one alert in the policy.xml file as below:
ClientType EventSourceType TrapId EventId Severity Description AutoCase AlertThreshold
OME .1.3.6.1.4.1.674.10892.1 1306 MAJOR Redundancy has been lost. Yes Occurs(2,03-00:00:00)
Say I have pulled out the cable from one of the server so it is a redundancy lost. As per the alert in the policy.xml, it says that a case will be created for this scenario when there are 2 alerts in previous 3 days. Here comes my doubt, if the power cable has been pulled out, it's for sure there is going to be an alert sent, how and when the second alert will be sent? and how a case would be created in this scenario. I want to know the reset value.
Hope my question is clear, if not please let me know i shall explain it clearly.
Thanks in advance for your help!
Regards,
Sushma.
SushmaMurali
1 Rookie
•
34 Posts
0
December 26th, 2014 06:00
Joe,
Today I performed a test on one of the server in my environment, I pulled out the power cable from one
of the server, as soon as I pulled out the cable I received an alert saying that the "Power Supply AC
Lost". For this alert , based on the TrapID and Event ID I have checked the policy.xml file and found that
for this combination of Trap ID and Event ID , it says an autocase would be created if there occurs 5
alerts in previous 5 hours, but so far i received only 1 alert and 5 hours has been passed, no case has
been created for this. Why this has happened? Polling in OME is by default for an hour, but I did not
receive an further alerts, neither a case has been created.
Please let me know ..
Thanks & regards,
Sushma.