We received a critical alarm but did not get an e-mail from SANM notifying us of the issue. Can you help me understand this alarm and why it's not included in SANM?
This article will help explain how filters are processed in Spectrum Alarm Notification Manager (SANM) so you can effectively trouble shoot why an alarm may not have passed a filter for processing by AlarmNotifier.
When an alarm is processed through a SANM filter, the details of the alarm and the associated model are used to compare against the filter details.
When looking at the filter configuration (see image below), reading across the tabs uses a logical "AND". Example: Landscapes "AND" Severity "AND" Device Type "AND" Collections etc.
Reading down through the individual tab uses a logical "OR". Example: In the Severity tab below: Critical "OR" Major "OR" Minor.
Only those alarms that pass a filter will be forwarded to AlarmNotifier for processing.
NOTE: The alarm is processed by ALL filters in the policy. It is a common misunderstanding that once an alarm passes a single filter, the rest of the filters will not be tested. Again, that is incorrect. The alarm will be processed by ALL filters and could pass through multiple filters.
To trouble shoot the issue, note the information about the alarm and the model that are used by the filter. IE Landscape, Severity, Device Type, Collections, Topology, Alarm Type, Model Type, Location, Organization, IP Address/Range and Model Name. Then, compare that information against the configuration in each of the associated tabs in the filter.
HINT: To make it easier for the data collection, check the "Show only filtered by parameters being used" check box to see what data is being used by the filter.
Age Time: After comparing the information from the alarm and the model against the filters, you may find the alarm passed a filter. If that is the case, you also need to look at the "Age Time" configured for the filter. It could be the alarm does pass the filter but was cleared before the Age Time expired. In the below example, the event associated with the alarm shows the alarm cleared a little over two minutes after it was created. In this case, even if the alarm met the criteria of the filter it would not have been sent to AlarmNotifier because the "Age Time" for the filter was set to 5 minutes.