Create a grouping rule

Create an alert grouping rule to automatically group alerts according to selected criteria.

Before you begin

New rules only run on alerts ingested after the rule is created. Evaluated open alerts are not seen by new rules or by changes to existing rules.

If you change an existing rule that an existing alert would have been captured by, it won’t be. Whatever criteria or actions you have changed won’t be addressed unless the existing alert is closed and reopened. Then, whatever changed rule actions are will take place.

The order that alert grouping rules run in is important because the lower-order rules run first. This can impact whether the conditions of higher-order rules are met, or will process. Lower-order rules can adjust field values or even stop processing.

Note: Set the order for your rule using the Rules Order icon

in the Grouping rules list view. See Incident Response Automation for more information on grouping rule order.

When creating grouping rules, determine the criteria you would use to manually group alerts. Field matching is useful for general criteria. The system rule groups all alerts with the same service and metric name. This rule could result in a large group that contains many different teams, priorities, states, and so on. If you disable the system rule, you could refine the fields to be more specific.

Condition matching creates even more specific rules. For instance, maybe you just want to group only the P1 alerts with the same service, source, and team. Be on the lookout for criteria that overlaps and make sure that what you want to have happen, happens.

There is a lot of flexibilty in creating grouping rules but they require careful thought and planning.

Watch this quick video to learn how to group alerts using a grouping rule.

Role required: Manager, Administrator, or Responder

Procedure

Log in to Lightstep Incident Response.
In the left navigation pane, select Automation.
Select Create new rule.

In the form, fill in the fields.

The administrator view of this form contains an All teams and services choice in the list menu, not available to managers or responders. Global group rule selection

Teams or Services are not required for the admin.

Table 1. Grouping rule setup form
Fields	Description
Rule name	Name of the rule.
Description	Text description of the rule.
This rule applies to	Select your team or service. (Only visible to Administrators.) Select all teams and services. Sets the rule to run for all teams and all services. This field is useful for rules that make team assignments or that should be run for all teams or services.
Teams or Services this rule applies to	You can select multiple teams or services.
Run time limit	Set how long this rule should continue to run and group alerts after an initiating alert in minutes. The default is 30.

Select Next.

On the Set grouping methods form, select an action. You can choose one or both actions.

Note:

Choices are on of the other action:

Option	Description
Field Match	Choose the fields, operators, and values you want to group when an alert is captured by this rule. You can choose multiple fields from the list.
Condition Match	Choose the fields, operators, and values you want to group when an alert is captured by this rule. You can choose as many conditions as you like from the list.

Note:

For some examples of different types of methods, see Grouping rules examples.

Select Save.
You are returned to the Grouping rules tab on the Automation landing page.
The rule takes effect for any alerts that arrive after it is created. It does not reevaluate existing alerts unless they are closed and reopened.
Note:
The more fields or conditions you choose, the narrower the results are.
As you add rules, remember that the order that they are listed in is the order they are processed. Order can change the outcome. So, be sure to test them out as you create new rules.