Create an alert grouping rule to automatically group alerts according to selected
criteria.
Before you begin
New rules only run on alerts ingested after the rule is created. Open alerts that have already been evaluated are not seen by new rules or by changes to existing rules.
If you change an existing rule so that it would now capture an existing alert, that alert is not captured. The changed criteria or actions do not apply to the existing alert until it is closed and reopened; the changed rule actions then take place.
The order in which alert grouping rules run is important because lower-order rules run first. Lower-order rules can adjust field values or even stop processing, which can affect whether the conditions of higher-order rules are met, or whether those rules run at all.
Note: Set the order for your rule using the Rules Order icon in the Grouping rules list view. See Incident Response Automation for
more information on grouping rule order.
When creating grouping rules, determine the criteria you would use to manually group alerts. Field matching is useful for general criteria. The system rule groups all alerts with the same service and metric name. This rule could result in a large group that contains many different teams, priorities, states, and so on. If you disable the system rule, you can refine the fields to be more specific.
Condition matching creates even more specific rules. For instance, you might want to group only the P1 alerts with the same service, source, and team. Watch for criteria that overlap between rules, and make sure that the rules produce the grouping you intend.
There is a lot of flexibility in creating grouping rules, but they require careful thought and planning.
Role required: Manager, Administrator, or Responder
Procedure
Log in to Lightstep Incident Response.
In the left navigation pane, select Automation.
Select Create new rule.
In the form, fill in the fields.
The administrator view of this form contains an All teams and services choice in the list menu that is not available to managers or responders. Teams or Services are not required for administrators.
Table 1. Grouping rule setup form
Rule name: Name of the rule.
Description: Text description of the rule.
This rule applies to: Select your team or service. Administrators can instead select All teams and services, which sets the rule to run for all teams and all services; this choice is useful for rules that make team assignments or that should run for all teams or services.
Teams or Services this rule applies to: You can select multiple teams or services.
Run time limit: How long, in minutes, this rule should continue to run and group alerts after an initiating alert. The default is 30.
Select Next.
On the Set grouping methods form, select an action. You can choose one or both
actions.
Note: You can use either action on its own or both together:
Field Match: Choose the fields, operators, and values you want to group on when an alert is captured by this rule. You can choose multiple fields from the list.
Condition Match: Choose the fields, operators, and values you want to group on when an alert is captured by this rule. You can choose as many conditions as you like from the list.
You are returned to the Grouping rules tab on the Automation landing page.
The rule takes effect for any alerts that arrive after it is created. It does not reevaluate existing alerts unless they are closed and reopened.
Note: The more fields or conditions you choose, the narrower the results are.
As you add rules, remember that the order in which they are listed is the order in which they are processed. Order can change the outcome, so be sure to test the rules as you create new ones.
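The grouping behaviour described above (field matching on the same service and metric name, condition matching on P1 alerts, the run time limit window, and lower-order rules that can stop processing) as an added Python model of the semantics. This is not Lightstep Incident Response code; the alert field names, the sample alerts and the P1 rule are constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Alert:  # constructed alert record; these field names are assumptions for the model
    id: str
    service: str
    metric_name: str
    source: str
    team: str
    priority: str
    minute: int  # arrival time, in minutes since the first alert

@dataclass
class Rule:
    name: str
    match_fields: tuple                                  # field match: equal values group together
    condition: Callable[[Alert], bool] = lambda a: True  # condition match: alert must pass this
    run_time_limit: int = 30                             # minutes after the initiating alert
    stop_processing: bool = False                        # a lower-order rule may stop later rules

def group_alerts(alerts, rules):
    """Run rules in list order (lower order first); return (rule name, alert ids) per group opened."""
    groups = []  # each entry: [rule, match key, initiating alert's minute, alert ids]
    for alert in sorted(alerts, key=lambda a: a.minute):
        for rule in rules:
            if not rule.condition(alert):
                continue  # condition match failed: this rule ignores the alert
            key = tuple(getattr(alert, f) for f in rule.match_fields)
            for g in groups:
                # Join an existing group only while inside its run time limit window.
                if g[0] is rule and g[1] == key and alert.minute - g[2] <= rule.run_time_limit:
                    g[3].append(alert.id)
                    break
            else:
                groups.append([rule, key, alert.minute, [alert.id]])  # alert initiates a new group
            if rule.stop_processing:
                break  # higher-order rules never see this alert
    return [(g[0].name, g[3]) for g in groups]

# The page's system rule (same service and metric name) and a constructed P1 rule that stops processing.
SYSTEM_RULE = Rule("system", ("service", "metric_name"))
P1_RULE = Rule("p1", ("service", "source", "team"), lambda a: a.priority == "P1", stop_processing=True)
ALERTS = [  # constructed sample alerts; a4 arrives after the 30-minute default window
    Alert("a1", "api", "cpu", "host1", "core", "P1", 0),
    Alert("a2", "api", "cpu", "host1", "core", "P1", 10),
    Alert("a3", "api", "cpu", "host2", "core", "P2", 20),
    Alert("a4", "api", "cpu", "host1", "core", "P1", 45),
]
```

Running `group_alerts(ALERTS, [P1_RULE, SYSTEM_RULE])` and then with the two rules swapped shows the ordering effect: with the P1 rule first, its stop flag keeps a1 and a2 out of the system rule's group; with the system rule first, both rules group them, and in either order a4 opens a new group because it arrives outside the 30-minute window.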