Group includes items a Rule should exclude in Performance Management.

Events are being raised for interfaces that should not raise Events. The Event Rule is in a Threshold Profile associated to a Group where the Rules are configured to exclude the interfaces raising Events.

The Events are accurate but the interfaces are not ones that need to be monitored for Event raise.

A Group was created with the "Include the children of managed items" option enabled. Then Devices were added as Direct members. A Rule was then created to exclude target interfaces, in this case Tunnel interfaces. In that situation the target items will still be members of the Group, somewhat 'virtual' members through inhertance, rather than 'real' members via direct addition. When that Group is associated to the Threshold Profile Events are raised against the items since only directly added items are excluded from Group membership via Group Rules.

To validate the cause, we should see the items set for exclusion via Rule as Group members only when listing Inherited items in the Items tab for the Group. They should not also appear when listing only Direct items. They would appear if using the "Direct and Inherited" option.

All supported Performance Management releases

With the Group already configured in this way we can resolve this by:

1. Remove the check mark from the box next to the "Include the children of managed items" option to disable it.
2. Save the change to the Group.
3. Go to the Rules tab and select the Run Rules button.
4. Review the Inventory to confirm we only see Direct item options.
   • There should be no option to list Inherited items as there should be none.
   • Confirm the unwanted items are excluded by validating they appear only in Excluded item lists and not in Direct Items item lists.

Key facts to consider when creating new Groups.

1. Only items added as Direct items can be filtered by Rules to appear in the Excluded list.
2. When adding Devices to a Group as members, allowing the "Include the children of managed items" option to add the children component items, those child items are added to the Group as 'virtual' members.
   • Their IDs aren't listed as direct members of the Group in DB tables.
   • They are referenced as members when needed via database query join statements that look to other tables to find the items that are considered Inherited.
   • The enabled Include option triggers the search in those other tables for inherited items, children of the directly added device items.

As an example, adding a Router Device to a Group membership manually, where the Include option is enabled, will add that devices interfaces as Inherited items. The Routers ID is added as a direct member of the Group in the database tables that define the group and it's membership. When the Group is used in the UI, the Include option being enabled triggers things like Reports or Event Rules to look for those related child items to include them.

If we then try to exclude interface items from this Group membership with Rules, when viewing Direct items it will appear they are removed. When then viewing Inherited items for the Group they'll still appear to be members due to the Include option enabled.

The correct way to create a Group with Excluded items, using interfaces as an example, would be first creating a Group without the Include option enabled. Then create a Rule that looks at all Interfaces, or an existing Group of Interfaces for an Inventory source. Then further configure the Rule to exclude the interface items not wanted for Group membership. As an example, if the rule is based off the default "All Groups->Inventory->All Items->Interfaces" it would look at all interfaces in inventory, and then add or exclude on those that match the rest of the configured rule details.