Alarm Batching
Introduction
The Alarm Batching feature consolidates multiple alarm notifications into periodic batch emails, reducing alert fatigue while maintaining critical alert visibility through intelligent bypass mechanisms. Introduced in Eyeglass 2.14, this feature allows Eyeglass to collect alarms over a defined period and send them in a single summary email instead of sending individual notifications.
Alarm Batching helps administrators manage notification volume more effectively by:
- Grouping related alarms into a single email
- Reducing inbox clutter from high-frequency alarms
- Maintaining immediate notification for critical alarms through bypass rules
- Providing flexible configuration options to match your operational needs
Configuration Commands
Enable Alarm Batching
Enable alarm batching globally and start the batching service.
igls adv alertbatching set --enabled=true
What happens:
- Starts processing alarms into batches
- All alarms (except those bypassed) within a configurable period will be gathered together and sent in one batch email
- This batched email is sent every 5 minutes by default, although this can be configured to a longer or shorter period
Disable Alarm Batching
Disable alarm batching globally, flush pending batches, and shut down the service.
igls adv alertbatching set --enabled=false
What happens:
- Flushes all pending batches (sends them immediately)
- Disables batching in configuration
- Future alarms will be sent individually
Set Batch Window
Controls how long to wait before sending a batch (in seconds). Valid range: 60–3600.
igls adv alertbatching set --window=900
What happens:
- All alarms within this time period will be batched
- Every 900 seconds, a new batched email will be sent
Set Maximum Batch Size
Controls the maximum number of alarms in a single batch. Valid range: 10–500.
igls adv alertbatching set --max-size=150
What happens:
- When a batch reaches this size, it's sent immediately regardless of the batch window
Bypassing
Some alarms might need to be received immediately and cannot wait for the batch email to be sent. In that case, you can set a bypass. There are three types of bypass.
Global Critical Bypass
Bypasses ALL critical alarms, regardless of alarm code. All critical alarms are sent immediately.
Enable:
igls adv alertbatching set --critical-bypass=true
Disable:
igls adv alertbatching set --critical-bypass=false
Unconditional Bypass List
Bypasses certain alarm codes. Any alarm codes in this list will be sent immediately, regardless of severity.
Add a code:
igls adv alertbatching add --code=SCA0004
Output:
{
  "success": true,
  "message": "Alarm code SCA0004 added to unconditional bypass list."
}
Use case: For high-priority alarms that should never be batched (e.g., security alerts, system failures).
Remove a code:
igls adv alertbatching delete --code=SCA0004
Output:
{
  "success": true,
  "message": "Alarm code SCA0004 removed from unconditional bypass list."
}
Clear all codes:
igls adv alertbatching delete --type=bypass --all=true
Output:
{
  "success": true,
  "message": "Cleared 3 alarm codes from unconditional bypass list."
}
Critical-Only Bypass List
Bypasses specific alarm codes ONLY when severity is CRITICAL. Any alarm codes in this list, if they are critical, will be sent immediately.
Add a code:
igls adv alertbatching add --code=SCA0123 --critical-only=true
Output:
{
  "success": true,
  "message": "Alarm code SCA0123 added to critical-only bypass list."
}
Use case: For alarms where critical instances need immediate attention, but minor/warning instances can be batched.
Remove a code:
igls adv alertbatching delete --code=SCA0123 --critical-only=true
Output:
{
  "success": true,
  "message": "Alarm code SCA0123 removed from critical-only bypass list."
}
Clear all codes:
igls adv alertbatching delete --type=criticalbypass --all=true
Output:
{
  "success": true,
  "message": "Cleared 2 alarm codes from critical-only bypass list."
}
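The three bypass rules and the two send triggers (batch window, maximum batch size) described above, modeled as an added Python sketch. This is not Eyeglass code: the class and function names are hypothetical, and checking the unconditional list first and keeping the window timer running after a size-triggered send are assumptions, since the page does not specify either.

```python
from dataclasses import dataclass, field

@dataclass
class BatchConfig:
    window: int = 300                  # seconds; the page's default is 5 minutes
    max_size: int = 100                # constructed value inside the 10-500 range
    critical_bypass: bool = False      # global critical bypass
    bypass_codes: set = field(default_factory=set)         # unconditional list
    critical_only_codes: set = field(default_factory=set)  # critical-only list

    def __post_init__(self):
        # Ranges are the ones stated on the page.
        if not 60 <= self.window <= 3600:
            raise ValueError("window must be 60-3600 seconds")
        if not 10 <= self.max_size <= 500:
            raise ValueError("max size must be 10-500 alarms")

def sends_immediately(cfg, code, severity):
    """Return True when the alarm skips the batch under the three bypass rules."""
    if code in cfg.bypass_codes:                  # listed code, any severity
        return True
    if severity.upper() != "CRITICAL":            # remaining rules need CRITICAL
        return False
    return cfg.critical_bypass or code in cfg.critical_only_codes

class Batcher:
    """Hypothetical model: a single batch, timer firing every cfg.window seconds."""
    def __init__(self, cfg, start=0):
        self.cfg, self.pending, self.sent = cfg, [], []
        self.next_flush = start + cfg.window

    def tick(self, now):
        while now >= self.next_flush:             # batch window elapsed
            self.flush("window")
            self.next_flush += self.cfg.window

    def on_alarm(self, now, code, severity):
        self.tick(now)
        if sends_immediately(self.cfg, code, severity):
            self.sent.append(("immediate", [code]))
            return
        self.pending.append(code)
        if len(self.pending) >= self.cfg.max_size:  # size cap, regardless of window
            self.flush("max-size")

    def flush(self, reason):
        if self.pending:                          # an empty window sends nothing
            self.sent.append((reason, self.pending))
            self.pending = []
```

Replaying a day of real alarm codes and severities through `Batcher` shows which ones would have been held back and for how long before a window or bypass list is changed.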
Full Status
Full status of the alarm batching configuration can be seen through the following command:
igls adv alertbatching
Output includes:
- Global enabled/disabled status
- Configuration settings (batch window, critical bypass, max size)
- Unconditional bypass alarm codes list
- Critical-only bypass alarm codes list
- Statistics (batches sent, alarms batched, reduction percentage, active batches)
Example output:
Alert Batching Status
============================================================
Global Status: ENABLED

Configuration:
  Batch Window: 600 seconds (10 minutes)
  Critical Bypass: Enabled
  Max Batch Size: 100 alarms

Bypass Alarm Codes (Unconditional):
  - SCA0004 (always bypasses, any severity)

Critical-Only Bypass Alarm Codes:
  - SCA0123 (bypasses ONLY when CRITICAL)

Statistics (since last restart):
  Batches Sent: 42
  Total Alarms Batched: 567
  Alarms Bypassed: 89
  Reduction: 85%
  Current Active Batches: 3
============================================================
Best Practices
When configuring alarm batching, consider the following recommendations:
Start with conservative settings:
- Begin with a shorter batch window (5–10 minutes) and adjust based on alarm volume
- Monitor the reduction percentage to ensure you're achieving meaningful consolidation
Identify critical alarms:
- Review your alarm codes to determine which require immediate attention
- Use critical-only bypass for alarms that only need immediate notification when severe
- Reserve unconditional bypass for truly urgent alarms
Monitor effectiveness:
- Regularly check the status output to review statistics
- Adjust batch window and max size based on operational needs
- Consider team feedback on notification timing and volume
Maintain visibility:
- Ensure critical security and system failure alarms are properly bypassed
- Balance between reducing noise and maintaining awareness of important events
- Document your bypass rules for team reference
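One way to check the "Maintain visibility" recommendations against a running configuration, as an added Python example that is not part of Eyeglass. It parses status text in the layout of the example output above and reports which codes from a team-maintained must-bypass list could still be delayed; the function names, the `must_bypass` list and the assumption that real output keeps this layout are all illustrative.

```python
import re

# Trimmed copy of the page's example status output, used as sample input.
SAMPLE = """Global Status: ENABLED
Configuration:
Batch Window: 600 seconds (10 minutes)
Critical Bypass: Enabled
Max Batch Size: 100 alarms
Bypass Alarm Codes (Unconditional):
- SCA0004 (always bypasses, any severity)
Critical-Only Bypass Alarm Codes:
- SCA0123 (bypasses ONLY when CRITICAL)
Statistics (since last restart):
Batches Sent: 42
"""

def parse_status(text):
    """Extract the settings and both bypass lists from the status text."""
    st = {"unconditional": set(), "critical_only": set()}
    section = None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Global Status:\s*(\w+)", line):
            st["enabled"] = m.group(1) == "ENABLED"
        elif m := re.match(r"Batch Window:\s*(\d+) seconds", line):
            st["window"] = int(m.group(1))
        elif m := re.match(r"Critical Bypass:\s*(\w+)", line):
            st["critical_bypass"] = m.group(1) == "Enabled"
        elif line.startswith("Bypass Alarm Codes"):
            section = "unconditional"
        elif line.startswith("Critical-Only Bypass Alarm Codes"):
            section = "critical_only"
        elif section and line.startswith("- "):
            st[section].add(line[2:].split()[0])   # code is the first token
        elif line.endswith(":"):
            section = None                         # some other heading started
    return st

def audit(st, must_bypass):
    """Return findings for required codes that are not unconditionally bypassed."""
    if not st.get("enabled"):
        return []                # batching off: every alarm is sent individually
    findings = []
    for code in sorted(must_bypass):
        if code in st["unconditional"]:
            continue
        if code in st["critical_only"] or st.get("critical_bypass"):
            findings.append(f"{code}: immediate only when CRITICAL")
        else:
            findings.append(f"{code}: batched, delay up to {st.get('window')}s")
    return findings
```

Feeding it the text captured from `igls adv alertbatching` alongside the documented bypass list turns the bypass rules into a check that can run after every configuration change.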
See Also
For a full list of alarm codes and descriptions, see the Alarm Codes Reference.