BLOG

Reducing noise: Configuring Alert Processing with Terraform

Marko Simon

December 10, 2024

Share this article:

Table of Contents:

With increasing numbers of alerts, keeping focus on the important and most critical alerts proves to be more and more of a challenge. A reduction of alert noise, meaning the prevention of too many created alerts and any kind of user notifications, is needed to ensure efficient alert response. While a detailed explanation of this topic is given in this blog post, a flexible and automated setup for your relevant resources can be achieved with Terraform using the ilert Terraform provider.

Resource creation via Terraform

For this example, we will create a Grafana alert source while referencing another, already created escalation policy with a data source.

‍


data "ilert_escalation_policy" "engineering" {
  name = "Engineering"
}

resource "ilert_alert_source" "grafana" {
  integration_type  = "GRAFANA"
  name              = "Grafana"
  escalation_policy = data.ilert_escalation_policy.engineering.id
}

‍

We can route incoming events, depending on their title, to different escalation policies by defining a routing template to set a routing key.

‍


  routing_template {
    text_template = "{{ title.splitTakeAt(\" \",0) }}"
  }

‍
‍Setting up support hours helps to prevent notifications outside of working hours while motivating actions during those hours by keeping high alert priority.

‍


resource "ilert_support_hour" "engineering" {
  name = "Engineering"
  timezone = "Europe/Berlin"
  support_days {
    monday {
      start = "09:00"
      end = "17:00"
    }
    tuesday {
      start = "09:00"
      end = "17:00"
    }
    wednesday {
      start = "09:00"
      end = "17:00"
    }
    thursday {
      start = "09:00"
      end = "17:00"
    }
    friday {
      start = "09:00"
      end = "17:00"
    }
  }
}

‍

Assign these support hours to the alert source and set this alert priority rule.

‍


  support_hours {
    id = ilert_support_hour.engineering.id
  }
  alert_priority_rule = "HIGH_DURING_SUPPORT_HOURS"

‍

You can further create a mapping for the resulting alert priority by defining a template and mappings depending on event keys, such as “state.”

‍


  priority_template {
    value_template {
      text_template = "{{ state }}"
    }
    mapping {
      value = "alerting"
      priority = "HIGH"
    }
    mapping {
      value = "pending"
      priority = "LOW"
    }
  }

‍

A flexible and efficient way to filter out incoming events is the Event filter. It allows for complex conditions and checks in many event fields and properties.

‍


event_filter = "(event.customDetails.title in [\"FIRING\"])"

‍

Another simple but effective way to reduce noise is alert grouping, either via time-based or AI-based grouping.

‍


alert_creation = "INTELLIGENT_GROUPING"
score_threshold = "0.75"
alert_grouping_window = "PT1H" # 1 hour

‍

Lastly, an auto-resolution timer may be set to prevent “dead” alerts (alerts in a “pending” or “accepted” state over a long period of time).

‍


auto_resolution_timeout = "PT6H" # 6 hours

‍

The full script with all resources from above can be found in our public terraform playground.

‍

Open Preferences

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

Reducing noise: Configuring Alert Processing with Terraform

Resource creation via Terraform

Other blog posts you might like:

ISDN Alarm System - Switch to VoIP

Engineering an AI Proxy for ilert

How the ilert Team Achieved a Seamless Migration from Community MySQL to AWS RDS Aurora with Minimal Customer Impact

The solution for operation teams.