Create a grouping rule
Create an alert grouping rule to automatically group alerts according to selected criteria.
Before you begin
New rules only run on alerts ingested after the rule is created. Open alerts that have already been evaluated are not seen by new rules or by changes to existing rules.
If you change an existing rule, an existing alert that the changed rule would otherwise capture is not affected: the changed criteria or actions are not applied to it unless the alert is closed and reopened. Once it is reopened, the changed rule actions take place.
When creating grouping rules, determine the criteria you would use to manually group alerts. Field matching is useful for general criteria. The system rule groups all alerts with the same service and metric name. This rule could result in a large group that contains many different teams, priorities, states, and so on. If you disable the system rule, you can refine the fields to be more specific.
Condition matching creates even more specific rules. For instance, you might want to group only the P1 alerts with the same service, source, and team. Watch for criteria that overlap, and confirm that the rules produce the grouping you intend.
There is a lot of flexibility in creating grouping rules, but they require careful thought and planning.
Role required: Manager, Administrator, or Responder
- Log in to Lightstep Incident Response.
- In the left navigation pane, select Automation.
- Select Create new rule.
- In the form, fill in the fields.
The administrator view of this form includes an All teams and services choice in the list menu that is not available to managers or responders. For administrators, Teams or Services are not required.
Table 1. Grouping rule setup form

| Field | Description |
| --- | --- |
| Rule name | Name of the rule. |
| Description | Text description of the rule. |
| This rule applies to | Select your team or service. (Only visible to Administrators.) Select all teams and services: sets the rule to run for all teams and all services. This choice is useful for rules that make team assignments or that should be run for all teams or services. |
| Teams or Services this rule applies to | You can select multiple teams or services. |
| Run time limit | Set how long, in minutes, this rule should continue to run and group alerts after an initiating alert. The default is 30. |
- Select Next.
- On the Set grouping methods form, select an action. You can choose one or both of the following:

| Option | Description |
| --- | --- |
| Field Match | Choose the fields, operators, and values you want to group when an alert is captured by this rule. You can choose multiple fields from the list. |
| Condition Match | Choose the fields, operators, and values you want to group when an alert is captured by this rule. You can choose as many conditions as you like from the list. |

Note: The more fields or conditions you choose, the narrower the results are.
For some examples of different types of methods, see Grouping rules examples.
You are returned to the Grouping rules tab on the Automation landing page.
The rule takes effect for any alerts that arrive after it is created. It does not reevaluate existing alerts unless they are closed and reopened.
Note: As you add rules, remember that the order in which they are listed is the order in which they are processed. Order can change the outcome, so be sure to test rules as you create them.
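To make the behaviour described on this page concrete (field match, condition match, the run time limit after an initiating alert, rules seeing only alerts ingested after they were created, and listed order being processing order), here is an added Python model of those semantics. It is an illustration written for this page, not Lightstep Incident Response code; the rule names, alert values, and the assumption that the first rule to capture an alert wins are all constructed, and the product's own evaluation details may differ.

```python
"""Toy model of alert grouping rules (constructed example, not product code):
field match, condition match, run time limit in minutes, and rule ordering."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    id: str
    received: datetime          # ingestion time
    attrs: dict                 # alert fields, e.g. service, metric, priority


@dataclass
class Rule:
    name: str
    created: datetime
    group_by: tuple = ()        # field match: alerts sharing these values group together
    conditions: tuple = ()      # condition match: (field, operator, value), all must hold
    run_time_limit_min: int = 30  # minutes a group keeps accepting alerts after its initiating alert

    def captures(self, alert: Alert) -> bool:
        # A rule only sees alerts ingested after the rule was created.
        if alert.received < self.created:
            return False
        for name, op, value in self.conditions:
            actual = alert.attrs.get(name)
            if op == "==" and actual != value:
                return False
            if op == "!=" and actual == value:
                return False
            if op == "in" and actual not in value:
                return False
        return True

    def group_key(self, alert: Alert) -> tuple:
        return tuple(alert.attrs.get(name) for name in self.group_by)


@dataclass
class Group:
    rule: str
    key: tuple
    opened: datetime            # time of the initiating alert
    alert_ids: list = field(default_factory=list)


def group_alerts(rules, alerts):
    """Process alerts in arrival order against rules in listed order.
    Assumption (not stated on the page): the first rule that captures an alert wins."""
    groups = []
    assignment = {}             # alert id -> (rule name, group key); absent = ungrouped
    for alert in sorted(alerts, key=lambda a: a.received):
        for rule in rules:
            if not rule.captures(alert):
                continue
            key = rule.group_key(alert)
            window = timedelta(minutes=rule.run_time_limit_min)
            target = next((g for g in groups
                           if g.rule == rule.name and g.key == key
                           and alert.received - g.opened <= window), None)
            if target is None:  # no open group for this key: the alert initiates a new one
                target = Group(rule.name, key, alert.received)
                groups.append(target)
            target.alert_ids.append(alert.id)
            assignment[alert.id] = (rule.name, key)
            break
    return groups, assignment


# Constructed sample data (hypothetical rule names and alert values).
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE_RULES = [
    # Specific rule first: only P1 alerts, grouped by service, source and team.
    Rule("p1-by-service-source-team", T0, group_by=("service", "source", "team"),
         conditions=(("priority", "==", "P1"),)),
    # Broad system-style rule: same service and metric name.
    Rule("system-rule", T0, group_by=("service", "metric")),
]


def _alert(aid, minutes, priority):
    return Alert(aid, T0 + timedelta(minutes=minutes),
                 {"service": "api", "metric": "latency", "source": "prom",
                  "team": "core", "priority": priority})


SAMPLE_ALERTS = [
    _alert("a0", -5, "P1"),     # ingested before the rules existed: never grouped
    _alert("a1", 1, "P1"),
    _alert("a2", 2, "P1"),
    _alert("a3", 3, "P3"),      # fails the P1 condition, falls through to the system rule
    _alert("a4", 40, "P3"),     # 37 min after a3: outside the 30 min window, new group
]

if __name__ == "__main__":
    for order in (SAMPLE_RULES, list(reversed(SAMPLE_RULES))):
        groups, assignment = group_alerts(order, SAMPLE_ALERTS)
        print([r.name for r in order])
        for g in groups:
            print(f"  {g.rule} {g.key} -> {g.alert_ids}")
        print("  ungrouped:", [a.id for a in SAMPLE_ALERTS if a.id not in assignment])
```

Running the script with the rules in the listed order puts the two P1 alerts into the specific group and the P3 alerts into two separate system-rule groups (the second one because the 30 minute run time limit had expired); reversing the rule order lets the broad system rule capture the P1 alerts first, which is the ordering effect the note above warns about.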