Alerts are sending emails over and over

I am getting over 800 emails a night with the same ticket info:


"computer" at Main has Blacklisted Event.2019-06-04 15:29:37: The device, \Device\Harddisk1\DR1, has a bad block. Critical hard drive errors have been detected on your computer. Please contact support to have this issue addressed and remediated.

ClientID:63 ComputerID:1571

Why is the system creating a new ticket for this alert every few minutes? Does the monitor create a new ticket for each bad block that it finds? How do I make it stop?!



The monitor will generate a new alert for every event it finds. If you are getting the alert over and over, then the event is being logged over and over. That said, typically an event alert that creates a ticket should update an open ticket with any additional events it finds. It sounds like the alert is not configured to create a ticket; it is sending an email. You need to open computer 1571, check out the remote monitors, and determine what is controlling this monitor, and what alert template it is configured to use. (It is group or plugin controlled, most likely.) Then determine if the alert template needs to be reconfigured, or the monitor needs a different alert template assigned, etc. Then update the plugin/group configuration for the monitor.

It is also possible that this is being generated by an Internal Monitor, in which case the monitor "identity" field determines if two events are treated like the same thing or not. Normally you have to use a script to consolidate events into a single ticket for these monitors. There are some stock scripts that are triggered by the stock monitors for these kinds of events: "Monitor Drive Errors and Raid Failures* (117)", "Monitor Disk Blacklist Events - Informational* (246)", and "Monitor Disk Blacklist Events - Warnings and Errors* (308)". Maybe the monitor was changed from using these scripts to a custom alert template, and that is why you are getting multiple tickets now.
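To illustrate the identity point in the answer above, here is an added example (not part of the original thread and not the monitoring product's own logic) that parses alert bodies in the format quoted in the question and groups them by a chosen identity key. The field names, the `make_alert` and `consolidate` helpers, and every sample alert after the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Pattern for the alert body quoted in the question.
ALERT_RE = re.compile(
    r"has (?P<monitor>.+?)\.(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<msg>.*?)\s*ClientID:(?P<client>\d+)\s+ComputerID:(?P<computer>\d+)",
    re.DOTALL,
)
DEVICE_RE = re.compile(r"The device, ([^,]+),")

def make_alert(ts, device, computer="1571"):
    """Build a constructed alert body in the same layout as the quoted email."""
    return ('"computer" at Main has Blacklisted Event.%s: The device, %s, '
            "has a bad block. Critical hard drive errors have been detected "
            "on your computer.\n\nClientID:63 ComputerID:%s" % (ts, device, computer))

# Constructed sample mailbox: only the first timestamp and device are from the page.
SAMPLE_ALERTS = [
    make_alert("2019-06-04 15:29:37", r"\Device\Harddisk1\DR1"),
    make_alert("2019-06-04 15:31:02", r"\Device\Harddisk1\DR1"),
    make_alert("2019-06-04 15:33:48", r"\Device\Harddisk1\DR1"),
    make_alert("2019-06-04 15:34:10", r"\Device\Harddisk2\DR2"),
    "Out of office reply",  # not an alert; must be reported, not dropped
]

def parse_alert(body):
    """Return the alert's fields as a dict, or None if the body is not an alert."""
    m = ALERT_RE.search(body)
    if m is None:
        return None
    fields = m.groupdict()
    dev = DEVICE_RE.search(fields["msg"])
    fields["device"] = dev.group(1) if dev else ""
    return fields

def consolidate(bodies, identity_fields):
    """Group alerts by the chosen identity fields; each group models one ticket."""
    groups, unparsed = defaultdict(list), []
    for body in bodies:
        alert = parse_alert(body)
        if alert is None:
            unparsed.append(body)
            continue
        groups[tuple(alert[f] for f in identity_fields)].append(alert["ts"])
    return dict(groups), unparsed

if __name__ == "__main__":
    for fields in (("computer", "monitor", "device", "ts"), ("computer", "monitor", "device")):
        tickets, skipped = consolidate(SAMPLE_ALERTS, fields)
        print(fields, "->", len(tickets), "tickets,", len(skipped), "unparsed")
```

When the identity includes the event timestamp, every logged bad block becomes its own ticket; dropping the timestamp from the identity collapses repeats for the same disk into one.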

