Content-Based Alert Grouping enables customized alert grouping on services with predictable, homogenous alert data, without the need to train an algorithm. With Content-Based Alert Grouping, alerts that share an exact match on a set of chosen fields will be grouped together into the most recent open incident. Grouped alerts mean fewer incidents and interruptions for responders, richer context on the incidents that do trigger, and lower resolution times.

📘

Availability

This feature is available with our PagerDuty AIOps add-on, or with Legacy Event Intelligence. If you would like to sign up for a trial of PagerDuty AIOps features, please read PagerDuty AIOps Trials.

🚧

Required User Permission

Users with the following roles can edit a service’s Alert Grouping settings:

• Account Owner
• Admin and Global Admin
• User
• Manager base role and team roles
  • Manager team roles can only manage services associated with their team.

Enable Content-Based Alert Grouping

📘

Important Notes

• Content-Based Alert Grouping requires data to be formatted in Common Event Format (PD-CEF).
• Email events are not supported. Consider using an Events API v2 integration, if possible, to take advantage of Content-Based Alert Grouping.
• Alerts will only be grouped when all selected fields have an exact match.
• Similar to other Alert Grouping methods, Content-Based Alert Grouping will only group alerts on the same service.

1. Select Services Service Directory click the name of the service where you would like to use Content-Based Alert Grouping.
2. Select the Settings tab and click Edit under the Reduce Noise section.
3. Select Alert Content.
4. Select whether you want alerts to be grouped if All or Any specified fields match.
   • If All is selected, alerts will be grouped when there is an exact match on every specified field.
   • If Any is selected, alerts will be grouped when there is an exact match on at least one of the specified fields.

5. There are two methods for specifying alert grouping fields:

• Click See Recent Alerts to open a pane on the right side of the screen. Select a recently received alert to see its payload. Click the fields you want to add to your grouping criteria and they will be added to your configuration. OR
• Select your preferred Field Name(s) from dropdown:
  • Class
  • Component
  • Group
  • Severity
  • Source
  • Summary
  • Custom Details: To group on the value in a custom field, select Custom Details from the dropdown, and enter your custom field name. Be sure that your spelling and capitalization exactly match the alert’s field. See the FAQ below for more information on using dot notation to access nested custom detail fields.

6. Optional: If required, select Add Field to add an additional field to match on.
7. Click Save Settings.

Flexible Time Window

You can configure the grouping time window as part of the Global Alert Grouping setting. The time window can be between five minutes and one hour. The time window is a rolling window and counted from the most recently grouped alert. The window extends each time an alert is grouped, up to 24 hours, or until the incident is resolved. If an alert comes in after 24 hours, it will trigger a new incident.

Update Content-Based Alert Grouping

After enabling Content-Based Alert Grouping, you can adjust the grouping criteria at any time.

1. Select Services Service Directory click the name of the service where you would like to use Content-Based Alert Grouping.
2. Select the Settings tab and click Edit under the Reduce Noise section.
3. Select Alert Content.
4. Make the required changes and click Save Settings.

Please note that Content-Based Alert Grouping will ignore any previously saved criteria and will start grouping alerts into a new incident every time you save. In other words, Content-Based Alert Grouping does not consider any previously saved criteria when determining whether to group an alert or trigger a new incident.

Disable Content-Based Alert Grouping

To select a different grouping method, or to disable Alert Grouping all together, in the web app:

1. Navigate to Services Service Directory select the name of your desired service.
2. Select the Settings tab and click Edit next to Reduce Noise.
3. Select the desired grouping method and click Save Settings.
   1. Alternatively, you can click Delete Yes, turn off to entirely disable alert grouping on the service.

Delete a Field from Your Matching Criteria

If you have configured more than one field as part of your matching criteria, there is an option to delete the individual fields.

1. Navigate to Services Service Directory select the name of your desired service.
2. Select the Settings tab and click Edit next to Reduce Noise.
3. To the right of the field(s) you wish to delete, click .

4. Click Save Settings.

FAQ

If I select Any for field matching criteria and the following occurs: Alert A has an exact match with Alert B on one specified field; Alert B has an exact match with Alert C on a different field; Alert C has no matching fields with Alert A. How are alerts grouped?

How do I use a nested Custom Details field as part of my Content-Based Alert Grouping configuration?

Can I manipulate or merge content of different fields to use as alert grouping criteria?

Can I use Content-Based Alert Grouping to group across multiple services?