Content-Based Alert Grouping
Automatically group incoming alerts into open incidents based on field content
Content-Based Alert Grouping enables customized alert grouping on services with predictable, homogenous alert data, without the need to train an algorithm. With Content-Based Alert Grouping, alerts that share an exact match on a set of chosen fields will be grouped together into the most recent open incident. Grouped alerts mean fewer incidents and interruptions for responders, richer context on the incidents that do trigger, and lower resolution times.
Availability
This feature is available with our PagerDuty AIOps add-on, or with Legacy Event Intelligence. If you would like to sign up for a trial of PagerDuty AIOps features, please read PagerDuty AIOps Trials.
Required User Permission
Users with the following roles can edit a service’s Alert Grouping settings:
- Account Owner
- Admin and Global Admin
- User
- Manager base role and team roles
- Manager team roles can only manage services associated with their team.
Enable Content-Based Alert Grouping
Important Notes
- Content-Based Alert Grouping requires data to be formatted in Common Event Format (PD-CEF).
- Alerts will only be grouped when all selected fields have an exact match.
- Similar to other Alert Grouping methods, Content-Based Alert Grouping will only group alerts on the same service.
- Select Services Service Directory click the name of the service where you would like to use Content-Based Alert Grouping.
- Select the Settings tab and click Edit under the Reduce Noise section.
- Select the Content-Based, then click Create Grouping.
- Select whether you want alerts to be grouped if All or Any specified fields match.
- If All is selected, alerts will be grouped when there is an exact match on every specified field.
- If Any is selected, alerts will be grouped when there is an exact match on at least one of the specified fields.
- There are two methods for specifying alert grouping fields:
- On the right side of the screen, select a recently received alert to see the data payload from that specific alert. Directly click the fields you want to add to your grouping criteria and they will be added to your configuration. OR
- Select your preferred Field Name(s) from the Select a field dropdown on the left:
- Class
- Component
- Group
- Severity
- Source
- Summary
- Custom Details: To group on the value in a custom field, select Custom Details from the dropdown, and enter your custom field name. Be sure that your spelling and capitalization exactly match the alert’s field. See the FAQ below for more information on using dot notation to access nested custom detail fields.
Nested custom details example
- Optional: If required, select Add Field to add an additional field to match on.
- Click Save.
Update Content-Based Alert Grouping
After enabling Content-Based Alert Grouping, you can adjust the grouping criteria at any time.
- Select Services Service Directory click the name of the service where you would like to use Content-Based Alert Grouping.
- Select the Settings tab and click Edit under the Reduce Noise section.
- With Content-Based selected, click Edit Grouping.
- Make the required changes and click Save.
Please note that Content-Based Alert Grouping will ignore any previously saved criteria and will start grouping alerts into a new incident every time you save. In other words, Content-Based Alert Grouping does not consider any previously saved criteria when determining whether to group an alert or trigger a new incident.
Disable Content-Based Alert Grouping
To select a different grouping method, or to disable Alert Grouping all together, in the web app:
- Navigate to Services Service Directory select the name of your desired service.
- Select the Settings tab and click Edit next to Reduce Noise.
- Select the desired grouping method or Turn Off Alert Grouping.
- Click Save Changes.
Delete a Field from Your Matching Criteria
If you have configured more than one field as part of your matching criteria, there is an option to delete the individual fields.
- Navigate to Services Service Directory select the name of your desired service.
- Select the Settings tab and click Edit next to Reduce Noise.
- To the right of the field(s) you wish to delete, click .
Delete criteria
- Click Save.
FAQ
How long will alerts group into an incident?
Expand
Content-Based Alert Grouping will group alerts into an incident until it is resolved or for up to 24 hours. After this time a new incident will be created.
If I have selected ‘Any’ for field matching criteria and the following occurs: Alert A has an exact match with Alert B on one specified field; Alert B has an exact match with Alert C on a different field; Alert C has no matching fields with Alert A. How are alerts grouped?
Expand
Alert A and B would be grouped into one incident. A new incident would be created for Alert C. Content-Based Alert Grouping does not chain fields with subsequent alerts and alerts are grouped into the most recent incident where there is an exact match.
How do I use a nested Custom Details field as part of my Content-Based Alert Grouping configuration?
Expand
Use dot notation to specify nested Custom Details fields, such as field_name.nested_field1. Note: Dot notation will only work if your field is nested within an object (not a string). For example, if your custom details look like {"field_name": "nested_field1 = value, nested_field2 = value"} , entering field_name.nested_field1 will not allow you to group on the nested field. If you want to group on a value from a string, you can extract it using Event Orchestration's Transformations feature.
Can I manipulate or merge content of different fields to use as alert grouping criteria?
Expand
Yes, with Transformations, an Event Orchestration feature.
Updated about 1 month ago