Content-Based Alert Grouping

Use alert content to group incoming alerts into open incidents

Content-Based Alert Grouping enables customized alert grouping on services with predictable, homogenous alert data, without the need to train an algorithm. With Content-Based Alert Grouping, alerts that share an exact match on a set of chosen fields will be grouped together into the most recent open incident. Grouped alerts mean fewer incidents and interruptions for responders, richer context on the incidents that do trigger, and lower resolution times.

📘

Availability

This feature is available with our PagerDuty AIOps add-on, or with Legacy Event Intelligence. If you would like to sign up for a trial of PagerDuty AIOps features, please read PagerDuty AIOps Trials.

🚧

Required User Permission

Users with the following roles can edit a service’s Alert Grouping settings:

  • Account Owner
  • Admin and Global Admin
  • User
  • Manager base role and team roles
    • Manager team roles can only manage services associated with their team.

Enable Content-Based Alert Grouping

📘

Important Notes

  • Content-Based Alert Grouping requires data to be formatted in Common Event Format (PD-CEF).
  • Alerts will only be grouped when all selected fields have an exact match.
  1. Select Services Service Directory click the name of the service where you would like to use Content-Based Alert Grouping.
  2. Select the Settings tab and click Edit under the Reduce Noise section.
  3. Select Alert Content.
  4. Select whether you want alerts to be grouped if All or Any specified fields match.
    • If All is selected, alerts will be grouped when there is an exact match on every specified field.
    • If Any is selected, alerts will be grouped when there is an exact match on at least one of the specified fields.
Content-based alert grouping

Content-based alert grouping

  1. There are two methods for specifying alert grouping fields:
  • Click See Recent Alerts to open a pane on the right side of the screen. Select a recently received alert to see its payload. Click the fields you want to add to your grouping criteria and they will be added to your configuration. OR
  • Select your preferred Field Name(s) from dropdown:
    • Class
    • Component
    • Group
    • Severity
    • Source
    • Summary
    • Custom Details: To group on the value in a custom field, select Custom Details from the dropdown, and enter your custom field name. Be sure that your spelling and capitalization exactly match the alert’s field. See the FAQ below for more information on using dot notation to access nested custom detail fields.
Nested custom details example

Nested custom details example

  1. Optional: If required, select Add Field to add an additional field to match on.
  2. Click Save Settings.

Flexible Time Window

You can configure the grouping time window as part of the Content-Based Alert Grouping setting. The time window can be between five minutes and 24 hours. The time window is a rolling window and counted from the most recently grouped alert. The window extends each time an alert is grouped, up to 24 hours, or until the incident is resolved. If an alert comes in after 24 hours, it will trigger a new incident.

Update Content-Based Alert Grouping

After enabling Content-Based Alert Grouping, you can adjust the grouping criteria at any time.

  1. Select Services Service Directory click the name of the service where you would like to use Content-Based Alert Grouping.
  2. Select the Settings tab and click Edit under the Reduce Noise section.
  3. Select Alert Content.
  4. Make the required changes and click Save Settings.

Please note that Content-Based Alert Grouping will ignore any previously saved criteria and will start grouping alerts into a new incident every time you save. In other words, Content-Based Alert Grouping does not consider any previously saved criteria when determining whether to group an alert or trigger a new incident.

Disable Content-Based Alert Grouping

To select a different grouping method, or to disable Alert Grouping all together, in the web app:

  1. Navigate to Services Service Directory select the name of your desired service.
  2. Select the Settings tab and click Edit next to Reduce Noise.
  3. Select the desired grouping method and click Save Settings.
    1. Alternatively, you can click Delete Yes, turn off to entirely disable alert grouping on the service.

Delete a Field from Your Matching Criteria

If you have configured more than one field as part of your matching criteria, there is an option to delete the individual fields.

  1. Navigate to Services Service Directory select the name of your desired service.
  2. Select the Settings tab and click Edit next to Reduce Noise.
  3. To the right of the field(s) you wish to delete, click .
Delete criteria

Delete criteria

  1. Click Save Settings.

Email Events

Content-Based Alert Grouping supports email alerts generated through service-level email integrations, as well as Event Orchestration, including any alerts that have their custom_details field transformed in Event Orchestration's Event Fields feature. Since email events are not structured in JSON, the format that Common Event Format (PD-CEF) requires, there are some differences in how these alerts are handled while configuring Content-Based Alert Grouping and on incidents.

Configuration

While configuring Content-Based Alert Grouping or Unified Alert Grouping, the See Recent Alerts option will display a preview of recent alerts. However, if the alert contains a custom_details field that was transformed in Event Orchestration, this field’s updated value will not appear in the See Recent Alerts preview. The See Recent Alerts preview will always display the custom_details field as it appeared in the email headers.

Alerts Table

The Alerts Table will display email events with its fields mapped to corresponding PD-CEF fields, but will not convert them into CEF events. If you would like to view the email alert in a formatted view, please click View Message below an expanded alert in the Alerts Table.

Field Mapping

Content-Based Alert Grouping maps some email fields to a corresponding Common Event Format (PD-CEF) field. For example, if you are grouping based on Source, Content-Based Alert Grouping will use the email event's From field to consider a match. With this in mind, it will show in the incident timeline that the alert was added based on Source. The table below shows a complete list of email fields and their corresponding PD-CEF fields:

Email FieldPD-CEF Field
FromSource
SubjectSummary
Subjectcustom_details.subject (This field always contains the original email subject, even if the Summary field was transformed in Event Orchestration.)
Text Bodycustom_details.plain_body
HTML Body (in multipart emails)custom_details.html_body
Tocustom_details.to (i.e., an array of 1 or more recipients)
CCscustom_details.cc
Email Headerscustom_details.<header_name> (e.g., message-id, from, received content-type, as well as an any custom headers the mailer adds)

FAQ

If I select Any for field matching criteria and the following occurs: Alert A has an exact match with Alert B on one specified field; Alert B has an exact match with Alert C on a different field; Alert C has no matching fields with Alert A. How are alerts grouped?

Alert A and B would be grouped into one incident. A new incident would be created for Alert C. Content-Based Alert Grouping does not chain fields with subsequent alerts and alerts are grouped into the most recent incident where there is an exact match.

How do I use a nested Custom Details field as part of my Content-Based Alert Grouping configuration?

Use dot notation to specify nested Custom Details fields, such as field_name.nested_field1. Note: Dot notation will only work if your field is nested within an object (not a string). For example, if your custom details look like {"field_name": "nested_field1 = value, nested_field2 = value"} , entering field_name.nested_field1 will not allow you to group on the nested field. If you want to group on a value from a string, you can extract it using Event Orchestration's Transformations feature.

Can I manipulate or merge content of different fields to use as alert grouping criteria?

Yes, with Transformations, an Event Orchestration feature.

Can I use Content-Based Alert Grouping to group across multiple services?

Yes, please read Global Alert Grouping for more information about how to group alerts from multiple services into a single incident.