Content-Based Alert Grouping
Use alert content to group incoming alerts into open incidents
Content-Based Alert Grouping enables customized alert grouping on services with predictable, homogenous alert data, without the need to train an algorithm. With Content-Based Alert Grouping, alerts that share an exact match on a set of chosen fields will be grouped together into the most recent open incident. Grouped alerts mean fewer incidents and interruptions for responders, richer context on the incidents that do trigger, and lower resolution times.
Availability
Content-Based Alert Grouping is available with our PagerDuty AIOps add-on, or with Legacy Event Intelligence. Please note that newer features (e.g., Global Content-Based Alert Grouping) are only available to PagerDuty AIOps customers, and are not available on Legacy Event Intelligence plans. Please contact our Sales Team to upgrade your account's pricing plan.
If you would like to sign up for a trial of PagerDuty AIOps features, please read PagerDuty AIOps Trials.
Required User Permission
Users with the following roles can edit a service’s Alert Grouping settings:
- Account Owner
- Admin and Global Admin
- User
- Manager base role and team roles
- Manager team roles can only manage services associated with their team.
Enable Content-Based Alert Grouping
Important Notes
- Content-Based Alert Grouping requires data to be formatted in Common Event Format (PD-CEF).
- Alerts will only be grouped when all selected fields have an exact match.
- Select Services Service Directory click the name of the service where you would like to use Content-Based Alert Grouping.
- Select the Settings tab and click Edit under the Reduce Noise section.
- Select Alert Content.
- Optional: To group alerts across multiple services, select additional services in the dropdown Select Services to group the alerts. Please read Global Alert Grouping for more information.
- Select whether you want alerts to be grouped if All or Any specified fields match.
- If All is selected, alerts will be grouped when there is an exact match on every specified field.
- If Any is selected, alerts will be grouped when there is an exact match on at least one of the specified fields.
Content-based alert grouping
- There are two methods for specifying alert grouping fields:
- Click See Recent Alerts to open a pane on the right side of the screen. Select a recently received alert to see its payload. Click the fields you want to add to your grouping criteria and they will be added to your configuration. OR
- Select your preferred Field Name(s) from dropdown:
- Class
- Component
- Group
- Severity
- Source
- Summary
- Custom Details: To group on the value in a custom field, select Custom Details from the dropdown, and enter your custom field name. Be sure that your spelling and capitalization exactly match the alert’s field. See the FAQ below for more information on using dot notation to access nested custom detail fields.
Nested custom details example
- Optional: If required, select Add Field to add an additional field to match on.
- Click Save Settings.
Flexible Time Window
You can configure the grouping time window as part of the Content-Based Alert Grouping setting. The time window can be between five minutes and 24 hours. The time window is a rolling window and counted from the most recently grouped alert. The window extends each time an alert is grouped, up to 24 hours, or until the incident is resolved. If an alert comes in after 24 hours, it will trigger a new incident.
Update Content-Based Alert Grouping
After enabling Content-Based Alert Grouping, you can adjust the grouping criteria at any time.
- Select Services Service Directory click the name of the service where you would like to use Content-Based Alert Grouping.
- Select the Settings tab and click Edit under the Reduce Noise section.
- Select Alert Content.
- Make the required changes and click Save Settings.
Please note that Content-Based Alert Grouping will ignore any previously saved criteria and will start grouping alerts into a new incident every time you save. In other words, Content-Based Alert Grouping does not consider any previously saved criteria when determining whether to group an alert or trigger a new incident.
Disable Content-Based Alert Grouping
To select a different grouping method, or to disable Alert Grouping all together, in the web app:
- Navigate to Services Service Directory select the name of your desired service.
- Select the Settings tab and click Edit next to Reduce Noise.
- Select the desired grouping method and click Save Settings.
- Alternatively, you can click Delete Yes, turn off to entirely disable alert grouping on the service.
Delete a Field from Your Matching Criteria
If you have configured more than one field as part of your matching criteria, there is an option to delete the individual fields.
- Navigate to Services Service Directory select the name of your desired service.
- Select the Settings tab and click Edit next to Reduce Noise.
- To the right of the field(s) you wish to delete, click .
Delete criteria
- Click Save Settings.
Email Events
Content-Based Alert Grouping supports email alerts generated through service-level email integrations, as well as Event Orchestration, including any alerts that have their custom_details field transformed in Event Orchestration's Event Fields feature. Since email events are not structured in JSON, the format that Common Event Format (PD-CEF) requires, there are some differences in how these alerts are handled while configuring Content-Based Alert Grouping and on incidents.
Configuration
While configuring Content-Based Alert Grouping or Unified Alert Grouping, the See Recent Alerts option will display a preview of recent alerts. However, if the alert contains a custom_details field that was transformed in Event Orchestration, this field’s updated value will not appear in the See Recent Alerts preview. The See Recent Alerts preview will always display the custom_details field as it appeared in the email headers.
Alerts Table
The Alerts Table will display email events with its fields mapped to corresponding PD-CEF fields, but will not convert them into CEF events. If you would like to view the email alert in a formatted view, please click View Message below an expanded alert in the Alerts Table.
Field Mapping
Content-Based Alert Grouping maps some email fields to a corresponding Common Event Format (PD-CEF) field. For example, if you are grouping based on Source, Content-Based Alert Grouping will use the email event's From field to consider a match. With this in mind, it will show in the incident timeline that the alert was added based on Source. The table below shows a complete list of email fields and their corresponding PD-CEF fields:
| Email Field | PD-CEF Field |
|---|---|
| From | Source |
| Subject | Summary |
| Subject | custom_details.subject (This field always contains the original email subject, even if the Summary field was transformed in Event Orchestration.) |
| Text Body | custom_details.plain_body |
| HTML Body (in multipart emails) | custom_details.html_body |
| To | custom_details.to (i.e., an array of 1 or more recipients) |
| CCs | custom_details.cc |
| Email Headers | custom_details.<header_name> (e.g., message-id, from, received content-type, as well as an any custom headers the mailer adds) |
FAQ
If I select Any for field matching criteria and the following occurs: Alert A has an exact match with Alert B on one specified field; Alert B has an exact match with Alert C on a different field; Alert C has no matching fields with Alert A. How are alerts grouped?
Any for field matching criteria and the following occurs: Alert A has an exact match with Alert B on one specified field; Alert B has an exact match with Alert C on a different field; Alert C has no matching fields with Alert A. How are alerts grouped?Alert A and B would be grouped into one incident. A new incident would be created for Alert C. Content-Based Alert Grouping does not chain fields with subsequent alerts and alerts are grouped into the most recent incident where there is an exact match.
How do I use a nested Custom Details field as part of my Content-Based Alert Grouping configuration?
Use dot notation to specify nested Custom Details fields, such as field_name.nested_field1. Note: Dot notation will only work if your field is nested within an object (not a string). For example, if your custom details look like {"field_name": "nested_field1 = value, nested_field2 = value"} , entering field_name.nested_field1 will not allow you to group on the nested field. If you want to group on a value from a string, you can extract it using Event Orchestration's Transformations feature.
Can I manipulate or merge content of different fields to use as alert grouping criteria?
Yes, with Transformations, an Event Orchestration feature.
Can I use Content-Based Alert Grouping to group across multiple services?
Yes, please read Global Alert Grouping for more information about how to group alerts from multiple services into a single incident.
Updated about 1 month ago