The most dangerous alert configuration is not one that misses events. It is one that fires so often for non-events that nobody trusts it anymore. When the operations team has learned to ignore the monitoring inbox because three-quarters of what arrives there is noise, the critical event arrives in the same channel and receives the same response. Which is none.
Alert fatigue is the failure mode that makes monitoring worse than useless. A team with no monitoring knows they have no monitoring. A team with misconfigured monitoring believes they have monitoring while their alert response has effectively been disabled by habituation. The second situation is harder to detect and harder to recover from.
This article covers how alert fatigue develops, what causes it at the configuration level, and the specific practices that reduce noise without reducing coverage. The focus is on SAP environments specifically, where the combination of generic thresholds, complex batch schedules, and diverse component types creates particular challenges for alert design.
How alert fatigue actually develops, and why it is difficult to reverse
The habituation pattern
Alert fatigue follows a consistent sequence that plays out over weeks or months. A monitoring platform is deployed, often with default or lightly customized thresholds. The first days generate a volume of alerts that feels manageable. Some are real conditions. Many are not. The team investigates the first batch, finds that most of the alerts correspond to expected behavior, and starts developing a mental model of which alert types can be ignored.
That mental model is the problem. Once the team has categorized a specific alert type as probably noise, they stop reading it carefully. The alert fires 40 times in a month, none of those 40 are incidents. On the 41st firing, it is a real incident. The team glances at it, pattern-matches to the previous 40, and moves on. The real incident sits in the alert queue unacknowledged.
Reversing this pattern after it has been established is significantly harder than preventing it. The team has learned a behavior. Changing the behavior requires changing the underlying signal quality, which requires reconfiguring thresholds, which requires baseline data and takes time. During that transition period, the team does not know which alerts are now reliable and which are still noise. Trust in the monitoring system has to be rebuilt from zero, alert category by alert category.
Why muted alerts are worse than fewer alerts ?
The response most teams take when alert volume becomes unmanageable is muting. Individual alerts, entire alert categories, or specific systems get muted because they consistently fire without requiring action. The threshold that was misconfigured stays misconfigured. The noise disappears from the inbox. The underlying condition the alert was supposed to catch still occurs, silently, without reaching anyone.
A muted alert is not silent. It is an active decision to stop monitoring a specific condition on a specific system. The decision is made implicitly, under pressure, during a period when alert volume is frustrating the team. It is almost never documented. When the muted condition eventually becomes a critical incident, the post-mortem question of why the monitoring did not catch it reveals that the relevant alert was muted eight months ago during a period when it was generating noise.
The principle that follows from this is uncomfortable but accurate: fewer, well-configured alerts are safer than more alerts that produce noise. A monitoring configuration that covers ten conditions reliably is more operationally valuable than one that covers thirty conditions unreliably. The goal of alert configuration is not maximum coverage. It is maximum reliable coverage.
The problem with default thresholds
What default thresholds are actually calibrated for ?
Default alert thresholds in SAP monitoring tools are calibrated for a generic SAP environment. They are designed to be safe starting points: conservative enough that a genuinely healthy system will not fire them constantly, aggressive enough that a genuinely degraded system will trigger them. They are not calibrated for your system.
Your system has a specific HANA allocation limit, a specific background job schedule, a specific peak user load at a specific time of day, a specific set of interfaces with specific traffic patterns. The generic threshold sits on top of this specific system without knowing any of it. An 80% CPU threshold fires during your MRP run every Monday morning because Monday morning MRP has always pushed CPU to 82%. That is expected behavior. The threshold does not know that. It fires anyway.
The mathematical outcome is predictable. A threshold set at a value that normal operations touch 5% of the time produces an alert rate that, across all monitored metrics and systems, overwhelms the team’s capacity to respond. The team starts ignoring the alerts. The configuration drifts toward the muted state described above.
The 80% problem : how a sensible number becomes useless
Eighty percent is the most common starting point for utilization-based alert thresholds. Dialog work process utilization above 80%, CPU above 80%, memory above 80%. It is not an arbitrary number. It reflects a reasonable intuition that a system using more than 80% of a resource is under meaningful load with limited headroom.
The problem is that 80% has no relationship to what is normal for a specific system at a specific time. A system where dialog work process utilization reaches 85% every day at 09:15 during the morning transaction surge, recovers to 55% by 10:00, and has been doing this for two years has a normal peak above 80%. Alerting at 80% on that system means alerting daily on expected behavior. After three weeks, the operations team has established that the 09:15 WP utilization alert can be ignored. Six months later, when the WP pool actually saturates at 95% due to a rogue process, the alert fires at 09:13 and the team does not look at it until 09:45.
The fix is not raising the threshold to 90%. That just shifts the false positive problem upward. The fix is a threshold calibrated to this system’s actual behavior at this specific time of day, set at a level that is genuinely unusual rather than regularly expected.
Baseline-driven threshold configuration
What a real baseline looks like : distribution, not average
A baseline built from averages is not useful for threshold configuration. The average dialog work process utilization across a business day on a system that runs at 40% most of the time and 88% for 15 minutes every morning is around 48%. A threshold set at 70% of average would be 34%, which fires constantly. A threshold set at 150% of average would be 72%, which fires during the morning peak and nothing else. Neither reflects the actual structure of the metric.
A useful baseline is a percentile distribution of the metric values observed over a representative period, segmented by time window. What is the 95th percentile value for dialog WP utilization between 09:00 and 10:00 on weekday mornings? What is the 95th percentile between 02:00 and 05:00 during overnight batch? These two questions have different answers, and a threshold that handles both needs to be time-aware rather than static.
The practical process: collect metric data at one-minute intervals for four to six weeks, covering at least one month-end cycle. For each metric you plan to alert on, calculate the percentile distribution segmented by hour of day and day of week. Set alert thresholds at the 98th or 99th percentile of normal values in each time window. A threshold at the 99th percentile of normal behavior fires only when the metric exceeds normal by a meaningful margin. The false positive rate drops to near zero. The true positive rate remains high because genuinely abnormal conditions exceed the 99th percentile of normal by definition.
Time-aware thresholds : the setting most configurations skip
Most SAP monitoring tools support time-based threshold variation. Most SAP monitoring configurations do not use it. The result is a single threshold applied uniformly across 24 hours of system behavior that varies substantially by time of day.
The specific places where time-aware thresholds matter in an SAP environment are: background work process utilization (higher during overnight batch, lower during business hours), dialog work process utilization (higher during business hours, near zero overnight), HANA memory during month-end batch (predictably higher than daily operations), and interface message volume (varies significantly between business hours and outside them).
Implementing time-aware thresholds requires knowing the patterns in advance, which requires baseline data. It also requires more configuration work than a single global threshold. The payoff is a dramatic reduction in false positives during predictable high-load windows, which are precisely the windows where the team needs to trust that an alert firing means something real has changed rather than something expected has occurred again.
The minimum baseline period before thresholds are meaningful
Two weeks of baseline data is not enough. The problem is that two weeks may include only one or two occurrences of a specific workload pattern. A month-end close cycle occurs once in any two-week window. An end-of-quarter batch run may not occur at all. A Saturday maintenance window may or may not fall in the two-week period.
Four to six weeks captures most recurring patterns: the weekly batch cycle, at least one month-end, the day-of-week variation in user load, and the variation between the first and last weeks of a business month. Six weeks is the practical minimum for a production system where baseline accuracy matters.
During the baseline collection period, alerts should either not be configured or should be set at values that only fire for clearly severe conditions: HANA log volume above 90%, zero active dialog work processes, failed update service. The purpose of this period is data collection, not alert coverage. Attempting to configure meaningful alert thresholds at day three of monitoring a new system produces the same result as using defaults: thresholds that do not reflect this system’s behavior.
| In practice: The baseline collection period is also the period where the operations team develops intuition about the system. Running for four weeks without configured alerts, instead reading the metric data daily, produces a qualitative understanding of system behavior that is as valuable as the quantitative baseline data. Teams that skip the baseline period because they want alerts configured immediately are also skipping this learning phase. |
Alert severity tiers and routing: getting the right signal to the right person
The binary warning/critical design and its failure mode
Most monitoring configurations use two severity levels: warning and critical. Warning means something to look at. Critical means something urgent. In practice, both often route to the same inbox, where the distinction between them becomes a prioritization signal rather than a routing signal. When 40 warning alerts and 3 critical alerts arrive on the same Tuesday afternoon, the team works through them roughly in order. The critical alerts get attention. The warnings get deferred. Some of the deferred warnings represent conditions that were about to become critical.
A three-tier model handles this more effectively. The first tier is informational: conditions logged for trend analysis but not requiring action. An example is a daily performance summary showing that average dialog response time is within normal range. No action needed. The second tier is actionable: conditions requiring review within business hours, not immediate response. An interface error rate above its normal baseline, a background job running 40% longer than usual, a HANA memory trend that has moved upward this week. These need attention but not necessarily tonight. The third tier is urgent: conditions requiring immediate response regardless of time. HANA log volume above 85%, zero background work processes available, production system unreachable, update service deactivated.
The value of the three-tier model is that it separates the routing logic from the threshold logic. The same metric can have two different thresholds pointing to two different tiers. Dialog WP utilization above 80% for more than 5 minutes routes to the actionable tier: review within the hour. Dialog WP utilization above 95% for more than 2 minutes routes to the urgent tier: respond now.
Routing design: who gets which tier and when
The routing question is as important as the threshold question, and it gets less attention. An urgent alert routed to a general inbox that is checked once per hour is not an urgent alert in practice. An actionable alert routed to on-call engineers at 03:00 for a condition that can wait until morning creates unnecessary disruption and, over time, produces the same habituation response as alert noise.
Routing design requires explicit decisions about three things: who is the correct recipient for each alert type, what is the expected response time for each tier, and what happens when the primary recipient does not respond within the expected window. For urgent tier alerts, the answer should be an escalation chain with defined times: primary contact, escalate to secondary after 10 minutes, escalate to manager after 25 minutes. For actionable tier alerts, the answer should be a team queue with a defined SLA for review.
The part of routing design most often overlooked is the distinction between who should receive an alert and who should respond to it. A critical HANA log volume alert should reach the on-call Basis engineer. It should also reach the business process owner whose month-end close would be interrupted if the system stopped. These are different people with different roles in the response. Routing the same alert to both, with different context in each notification, serves both needs.
The on-call escalation path that has never been tested
Most organizations have an on-call rotation and a documented escalation path. Fewer have tested whether the escalation path actually works end to end. The phone numbers in the runbook may be outdated. The pager integration may have broken when the monitoring tool was updated. The escalation logic may route correctly in the tool’s configuration but produce no notification because the SMTP relay changed.
An escalation path that has never been tested end-to-end under realistic conditions is an assumption, not a capability. Testing it means triggering a real alert, deliberately and in a controlled way, and confirming that the notification reaches the correct person via the correct channel within the expected time window. This test should happen when the escalation path is first configured and should be repeated quarterly thereafter. It takes 15 minutes and surfaces broken configurations before they are discovered during a real incident.
Suppression, correlation, and managing alert volume without losing coverage
Maintenance windows and the alerts that should not fire during them
Planned maintenance activities in SAP production environments generate monitoring conditions that look like incidents: services stopping and restarting, HANA taking over from a primary to a secondary node during a patching cycle, batch jobs not running because the system is briefly unavailable. Without suppression, these activities generate dozens of alerts during the maintenance window, most of which route to on-call engineers who are already executing the maintenance plan.
Suppression during maintenance windows eliminates this noise. The monitoring platform knows the system is in a planned state. Alerts are either suppressed entirely or captured for review after the window closes rather than routing to on-call in real time. The on-call engineer can focus on the maintenance task rather than triaging alerts that are expected consequences of the maintenance itself.
The suppression needs to have an end time. An open-ended suppression that runs past the planned maintenance window means the system returns to production without monitoring coverage until someone manually re-enables alerts. Automatic re-enablement at the end of the maintenance window, with a short re-stabilization period before alerts become active, is the correct behavior. Suppression that requires manual disabling will eventually be forgotten, producing a production system that appears monitored but is not.
Flapping detection: the threshold that gets crossed and uncrossed
Flapping is the condition where a metric crosses a threshold, briefly recovers, crosses again, recovers again. Each crossing generates an alert. Each recovery generates a resolution. The inbox receives alternating alert and resolution notifications while the underlying condition oscillates around the threshold. The team learns that this alert-resolution-alert pattern means “the metric is near the threshold and unstable,” which is a different operational meaning from “the metric has crossed the threshold and the condition needs attention.”
Flapping detection prevents this pattern by requiring that a metric stay above threshold for a sustained period before an alert fires, and stay below threshold for a sustained period before the alert resolves. The sustained period should be calibrated to the normal settling time of the metric. Dialog work process utilization can spike and recover in 30 seconds during a normal transaction surge. An alert that requires 3 minutes of sustained utilization above threshold before firing will not generate flapping alerts during brief spikes but will catch genuine saturation that persists.
The sustained period configuration reduces false positives on fast-moving metrics without reducing coverage on slow-moving ones. A metric that spikes to 95% for 4 minutes is a different situation from one that spikes to 95% for 20 seconds. The alert configuration should reflect that difference.
Dependent alert suppression: one root cause, one incident
When HANA memory reaches critical pressure, a cascade of secondary conditions may follow: delta merges are cancelled to free memory, work processes that were running memory-intensive operations terminate, background jobs that were waiting for those processes miss their start windows, and interface queues start building because the processing capacity that normally handles them is occupied. Each of those secondary conditions can independently trigger an alert.
Without dependent alert suppression, a single root cause produces five alerts that route to the operations team simultaneously. The team opens five tickets, begins triage on each, discovers they are all caused by the same HANA memory event, and spends the next hour consolidating what should have been a single incident. The root cause had a clear signal: the HANA memory alert. The secondary signals added work rather than adding information.
Dependent alert suppression requires defining the dependency relationships: if metric A fires, suppress metrics B, C, and D for a defined period. This is more configuration work than independent alert rules, and it requires understanding which conditions in the specific SAP landscape cause which downstream effects. The payoff is that the operations team receives one actionable signal rather than five correlated ones, which reduces triage time and improves response quality.
SAP-specific alert conditions worth designing carefully
The thresholds that are most often misconfigured in SAP environments
HANA log volume is the most dangerous misconfigured threshold in most SAP environments. Default or generic thresholds are often set at 80% or 85%. The correct threshold is 70%. The reasoning is not that 70% is inherently correct but that the gap between 70% and 100% needs to be large enough for two things to happen: the alert fires, the on-call engineer investigates and identifies the cause (log backups not running, backup medium full, log backup interval too wide for the current write volume), and the remediation is applied before the log volume reaches 100%. At 85%, that gap is small. At 70%, it is more forgiving.
Dialog work process utilization thresholds need time-awareness more than any other SAP metric. A static threshold applied to dialog WP utilization will either fire too often during peak hours or miss saturation events during off-peak hours. The correctly configured threshold for this metric has a higher value during expected peak windows and a lower value during periods where any elevated utilization is unusual.
Background job failure alerts should not apply a single threshold across all jobs. A Tier 1 job, defined as one with a hard business deadline and high impact if it fails, should generate an urgent-tier alert on any failure. A Tier 3 housekeeping job that runs daily and whose failure has no immediate business impact should generate an informational log entry, not an on-call alert. Most monitoring configurations either alert on all job failures with the same severity or alert on nothing. The correct design requires a classification of the job portfolio by criticality, which is work that pays for itself the first time a Tier 3 job failure does not wake someone up at 02:00.
Interface error rates require a distinction between absolute count and rate. Five IDoc errors in a day is a different situation depending on whether the interface normally processes 50 IDocs per day or 5,000. As an absolute count, five errors looks the same in both cases. As a rate, it is 10% in the first case and 0.1% in the second. The alert configuration that matters is rate-based, with the baseline error rate for each interface established during the baseline collection period and the threshold set as a relative increase from that baseline.
| Watch out: Short dump rate alerts configured as absolute counts produce misleading results during period-close activities, system upgrades, or new program rollouts, all of which can temporarily increase short dump frequency without indicating a monitoring-worthy condition. Short dump rate alerting is most useful as a trend metric: a rate that is increasing week-over-week for three consecutive weeks warrants investigation, even if the absolute count never crosses a high threshold. Configuring the alert on the trend rather than the absolute count catches the gradual stability degradation that absolute counts miss. |
Testing alerts and maintaining configuration quality over time
Verifying before relying: the test that almost nobody does
An alert configuration that has never produced a real alert under real conditions has unknown reliability. The threshold may be set correctly. The routing may be configured correctly. The ITSM integration may be mapped correctly. None of those things are confirmed until an alert fires and the whole path from detection to notification to incident ticket is observed end-to-end.
Testing a specific alert deliberately is straightforward for most conditions. Temporarily lower the threshold below the current metric value. Confirm the alert fires. Confirm the notification reaches the correct recipient. Confirm the incident ticket is created with the correct classification and content. Raise the threshold back to the intended value. The whole process takes 10 minutes per alert category. For the five or six most critical alert categories, this test should happen when they are first configured and whenever the monitoring platform or the ITSM integration changes.
The more useful test is an end-to-end drill: simulate a realistic incident scenario (HANA memory approaching limit, for example, which can be simulated in a non-production system or through a controlled test in production), observe the full detection-to-response sequence, measure the time from condition onset to alert acknowledgment, and identify any gaps in the routing or escalation. This is a 30-minute exercise that is more valuable than any amount of theoretical validation. Most organizations run this type of drill for disaster recovery. Few apply the same practice to monitoring alerting.
The monthly review habit that preserves alert quality over time
Alert configurations degrade over time without active maintenance. The system changes. The workload evolves. Thresholds that were accurate six months ago no longer reflect current normal behavior. Alerts that were relevant when a specific integration was active become noise after that integration is decommissioned. New failure modes emerge that are not covered by existing alerts.
A monthly review does not need to be long. The questions it needs to answer are: which alert categories fired more than 20 times last month with an acknowledgment rate below 50%, which metric baselines have drifted more than 15% from the values used to set the current thresholds, and are there conditions that caused incidents last month that were not caught by any alert. The first question identifies noise. The second identifies threshold drift. The third identifies coverage gaps.
The review also needs to check muted alerts. Any alert that has been muted for more than 30 days should be reviewed: either the underlying condition was resolved and the alert is no longer needed, the threshold was misconfigured and needs adjustment, or the suppression is no longer justified and the alert should be re-enabled. Muted alerts that are never reviewed accumulate into a monitoring configuration that looks comprehensive but has significant undocumented gaps.
The output of each review should be a short record of what changed and why: which thresholds were adjusted, which alerts were enabled or disabled, which new alert categories were added. This record becomes the documentation that explains the current configuration to the next person who inherits the system, preventing the cycle of undocumented degradation that characterizes most monitoring configurations after two years in production.
Alert configuration is a continuous activity, not a setup task
The framing of alert configuration as something done once at deployment is the root cause of most monitoring fatigue problems. The initial configuration is a best-effort approximation based on limited information. It gets better as baseline data accumulates, as the team observes the system across different load conditions, and as incidents reveal coverage gaps that were not anticipated.
A monitoring configuration that is actively maintained, with thresholds adjusted against current baselines, routing updated as team structures change, and muted alerts reviewed regularly, performs substantially better than one that was carefully set up at deployment and then treated as finished. The difference is not technical. It is a practice of treating alert quality as a metric worth tracking, the same way availability or response time are tracked.
The operational teams that trust their monitoring enough to respond to alerts without habituation-based skepticism are the ones where the alert configuration reflects current reality. Every alert that fires has fired because something genuinely changed. The team knows this because they have maintained the configuration to ensure it is true. That trust is the outcome that all of the practices in this article are trying to produce. It is not the starting state. It is built, alert by alert and review by review, from a configuration that earns it.
Redpeaks alert configuration uses per-system baselines, time-aware thresholds, and severity-based routing with native ITSM integration. Alert quality metrics are visible in the platform so teams can track false positive rates and coverage gaps over time. See how Redpeaks handles SAP alerting.

