Investigating Alert Storms
Updated: May 13, 2016
Applies To: System Center 2012 R2 Operations Manager, System Center 2012 - Operations Manager, System Center 2012 SP1 - Operations Manager
A large and sudden increase in the number of alerts is called an alert storm. An alert storm can be a symptom of massive changes of some kind within your management group, such as the catastrophic failure of networks. An alert storm can also be a symptom of configuration issues within System Center 2012 – Operations Manager.
Installing new or updated management packs can give rise to an alert storm. Monitors in a management pack begin working as soon as the management pack has been imported. Follow best practices when importing management packs to minimize alert storms.
Finding Alert Storms
For general, real-time monitoring of alerts, use the Active Alerts view. Make sure Scope is not active and hiding alerts. For more information, see How to Change Scope.
Check for large numbers of alerts when your network undergoes changes. Monitor closely when you install a new management pack.
Operations Manager offers reports that can be useful in identifying alert storms. From an Operations console with access to a reporting server, look at the Microsoft Generic Report Library. The reports Most Common Alerts and Most Common Events help identify high-volume alerts.
Modifying Monitors and Rules
If you are getting a large number of alerts that do not point to issues in your managed systems, you need to modify the monitors or rules that create those alerts.
View active alert details in the Monitoring workspace. Alert Details specifies the monitor or rule for an alert.
Modify the monitor using overrides. The procedure for overriding rules is the same as for monitors. See how your overrides affect the number of alerts and continue to fine-tune the monitors as necessary. For more information, see Tuning Monitoring by Using Targeting and Overrides.
About Suppressed Alerts
Rules offer the option of suppressing duplicate alerts. A suppressed alert is not displayed in the Operations console. Each suppressed alert increments the repeat count for the alert that is displayed. You can examine the repeat count in the properties for an alert.
Operations Manager suppresses only duplicate alerts as defined by the alert suppression criteria. Fields stated in the suppression criteria must be identical for the alert to be considered a duplicate and suppressed. An alert must be created by the same rule and be unresolved to be considered a duplicate.
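The following PowerShell is an added example, not part of the original article. It ranks alert sources the way the Most Common Alerts report does and adds each alert's repeat count, so that suppressed duplicates are counted toward the storm. The function name, its parameters and the sample alerts are assumptions made for illustration; the property names are those of the alert objects returned by Get-SCOMAlert.

```powershell
# Added example: rank alert sources by volume, counting suppressed duplicates.
function Get-AlertStormSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Alert,
        [int] $LastHours = 24,   # assumed look-back window
        [int] $Top = 10          # assumed number of sources to list
    )
    begin {
        $cutoff = (Get-Date).ToUniversalTime().AddHours(-$LastHours)
        $recent = New-Object 'System.Collections.Generic.List[object]'
    }
    process {
        foreach ($a in $Alert) {
            # Keep unresolved alerts (255 = Closed) raised inside the window.
            # TimeRaised is treated as UTC here.
            if ($a.ResolutionState -ne 255 -and $a.TimeRaised -ge $cutoff) {
                $recent.Add($a)
            }
        }
    }
    end {
        $recent | Group-Object -Property Name, IsMonitorAlert | ForEach-Object {
            # Each suppressed duplicate increments RepeatCount on the visible alert.
            $repeats = [int]($_.Group | Measure-Object -Property RepeatCount -Sum).Sum
            [pscustomobject]@{
                AlertName     = $_.Group[0].Name
                RaisedBy      = if ($_.Group[0].IsMonitorAlert) { 'Monitor' } else { 'Rule' }
                VisibleAlerts = $_.Count
                Suppressed    = $repeats
                Total         = $_.Count + $repeats
            }
        } | Sort-Object -Property Total -Descending | Select-Object -First $Top
    }
}

# Constructed sample alerts so the function runs without a management group.
$now = (Get-Date).ToUniversalTime()
$sample = @(
    [pscustomobject]@{ Name = 'Sample: service restarted'; IsMonitorAlert = $false; RepeatCount = 240; ResolutionState = 0;   TimeRaised = $now.AddHours(-1) }
    [pscustomobject]@{ Name = 'Sample: heartbeat failure'; IsMonitorAlert = $true;  RepeatCount = 0;   ResolutionState = 0;   TimeRaised = $now.AddHours(-2) }
    [pscustomobject]@{ Name = 'Sample: heartbeat failure'; IsMonitorAlert = $true;  RepeatCount = 0;   ResolutionState = 0;   TimeRaised = $now.AddHours(-3) }
    [pscustomobject]@{ Name = 'Sample: service restarted'; IsMonitorAlert = $false; RepeatCount = 15;  ResolutionState = 255; TimeRaised = $now.AddHours(-4) }   # closed, excluded
    [pscustomobject]@{ Name = 'Sample: disk space low';    IsMonitorAlert = $true;  RepeatCount = 0;   ResolutionState = 0;   TimeRaised = $now.AddDays(-3) }    # outside window, excluded
)
$sample | Get-AlertStormSummary -LastHours 24 | Format-Table -AutoSize

# Against a live management group (OperationsManager module):
# Get-SCOMAlert -ResolutionState 0 | Get-AlertStormSummary -LastHours 4
```

In the sample, the rule-generated alert appears only once in the console but ranks first because its repeat count carries 240 suppressed duplicates, which a count of visible alerts alone would miss.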
See Also
How Heartbeats Work in Operations Manager
Resolving Heartbeat Alerts
Viewing Active Alerts
Viewing Alert Details
Examining Properties of Alerts, Rules, and Monitors
Impact of Closing an Alert
How to Close an Alert Generated by a Monitor
How to Reset Health
Identifying the Computer Experiencing a Problem
Using Health Explorer to Investigate Problems
Using Event View to Investigate Problems
How an Alert is Produced
How to View All Rules and Monitors Running on an Agent-Managed Computer
How to Set Alert Resolution States
How to Configure Automatic Alert Resolution
Diagnostic and Recovery Tasks
Viewing and Investigating Alerts for .NET Applications (Server-side Perspective)