Alarm Blacklisting

Alarm blacklisting is a process in which certain alarms can be given a lower (or higher) severity rating than is initially determined by the correlator. Blacklisting was originally introduced to hide certain alarms from the dashboard (hence the name), but has evolved over time to be a general method for changing the severity of an alarm.

A blacklist consists of a filter, a priority and a severity, along with some metadata. The filter contains boolean logic to determine whether or not a blacklist applies for a particular Alarm. Blacklists are created by users in Geant Argus. Below is an example filter comring from Geant Argus:

{
  "version": "v1",
  "type": "group",
  "operator": "or",
  "items": [{
      "type": "rule",
      "field": "description",
      "operator": "contains",
      "value": "62.40.96.23"
    },
    {
      "type": "rule",
      "field": "description",
      "operator": "contains",
      "value": "62.40.96.24"
    }
  ]
}

This filter matches an alarm when the description contains either the text 62.40.96.23 or 62.40.96.24. The filter begins by specifiying a compositeFilter tag, stating that multiple rules follow. The two standardFilter tags describe the key description and the value to match for. The not tag, speficying whether to positively or negatively match an alarm is set to false, indicating a postiive match. The compositeFilter then specifies the internalOperator to be or which means that any of the above filters must match.

When an Alarm exits the PENDING phase, it is tested against all blacklists in the system to see if there are any matches. All matches are recorded in the database. If there is at least one match, the winning blacklist is determined. This is the matching blacklist that has the lowest priority value. The DashboardAlarm.argus_blacklist_severity is then updated with the blacklist’s severity. If no blacklists matches, the argus_blacklist_severity is not updated. As of April 2025: In a future release, the blacklist severity will be called final_severity again and will always be set on alarm finalization. If no blacklists matches, this field will have the value of the original severity