The Acceptable-Flapping Policy for Noisy Alerts
Some alerts flap. Most are noise; some are signal. This policy turns flapping into a structured response.
Track flaps
An alert that fires more than 3 times in 24 hours without a sustained incident is a flap.
Flaps are auto-tagged. The dashboard shows the top 10.
Each flap is a candidate for tuning, suppression, or removal.
The decision tree
Real signal but threshold too tight: tune the threshold. The alert fires only when the issue is meaningful.
Real signal but transient: aggregate. Five flaps within 5 minutes = one alert.
Not real signal: remove. The alert was wrong.
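An added example (not part of the original policy) of the flap tagging, top-10 view and 5-minute aggregation described above, in Python. The event shape, the alert names, the `in_incident` set and the choice to anchor each aggregation window at its first firing are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

FLAP_THRESHOLD = 3                  # flap = "more than 3 times in 24 hours"
FLAP_WINDOW = timedelta(hours=24)
AGG_WINDOW = timedelta(minutes=5)   # "five flaps within 5 minutes = one alert"

def find_flaps(firings, in_incident, now):
    """Return {alert: count} for alerts that flapped in the 24 h before `now`.
    firings: iterable of (alert_name, datetime).
    in_incident: alert names tied to a sustained incident (assumed input,
    e.g. exported from the incident tracker); these are never flaps."""
    counts = Counter(n for n, ts in firings if now - FLAP_WINDOW <= ts <= now)
    return {n: c for n, c in counts.items()
            if c > FLAP_THRESHOLD and n not in in_incident}

def top_flaps(flaps, limit=10):
    """Dashboard view: the worst `limit` flappers, highest count first."""
    return sorted(flaps.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]

def aggregate(firings):
    """Collapse firings of one alert that fall within AGG_WINDOW of the first
    firing in the group. Returns [(alert, first_seen, count)] in time order."""
    out, open_group = [], {}        # open_group: alert -> index into out
    for name, ts in sorted(firings, key=lambda f: f[1]):
        i = open_group.get(name)
        if i is not None and ts - out[i][1] <= AGG_WINDOW:
            out[i] = (name, out[i][1], out[i][2] + 1)
        else:
            open_group[name] = len(out)
            out.append((name, ts, 1))
    return out

# Constructed sample data (not from a real system).
NOW = datetime(2024, 1, 2, 12, 0)
def ago(**kw): return NOW - timedelta(**kw)
SAMPLE = (
    [("disk_latency_high", ago(minutes=m)) for m in (60, 59, 58, 57, 56)]
    + [("cert_expiry_soon", ago(hours=h)) for h in (20, 15, 10, 5)]
    + [("db_down", ago(minutes=m)) for m in (180, 170, 160, 150)]
    + [("cpu_high", ago(hours=30)), ("cpu_high", ago(hours=2))]
)
IN_INCIDENT = {"db_down"}           # sustained incident, so not a flap

if __name__ == "__main__":
    for name, count in top_flaps(find_flaps(SAMPLE, IN_INCIDENT, NOW)):
        print(f"flap: {name} fired {count}x in 24h")
    for name, first, count in aggregate(SAMPLE):
        print(f"notify: {name} at {first:%H:%M} ({count} firing(s))")
```

In the sample, `db_down` fires four times but is excluded because it belongs to a sustained incident, and the five `disk_latency_high` firings collapse into a single notification.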
Weekly review
Top 10 flapping alerts. Each gets a decision: tune, aggregate, remove.
The decision is logged. The same alert flapping next month should not require re-deciding.
Result: the team's alert pool converges on signal-bearing alerts only.